GDPR – What It Is and Why It Matters To You (Part One)
On May 25, the EU General Data Protection Regulation (GDPR) will go into effect. Companies that collect or process data about individuals in European Union (EU) countries, even companies based outside of the EU, will need to comply with a new set of rules addressing data collection and privacy. Like many of you, Vungle has been preparing for this for quite some time. Complying with GDPR has led us to examine many of our core processes, and we’ve made changes to our data collection, storage, and usage systems accordingly.
In Part One of our GDPR series, we’ll take a closer look at GDPR and the high-level implications for app developers and the mobile advertising ecosystem. In future installments, we’ll discuss the steps we’ve taken to get our systems ready and the new tools and processes we’ve put in place to help publishers and advertisers fulfill their new obligations. Please note that this isn’t legal advice, and you should definitely consult with your legal advisors on your specific plans.
What exactly is GDPR?
GDPR is a comprehensive set of rules and regulations governing the collection, use, and retention of personal data. It was established after years of negotiation to replace the Data Protection Directive, which was enacted in 1995. According to the European Parliament, the reason for this change is to “protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.” Additionally, this new regulation aims to be consistent across all 28 EU member states. This means that companies will have one standard to follow – a significant improvement over the previous directive, which fostered a bewildering tangle of inconsistent regulations throughout the region (although some local variances are still likely).
While GDPR outlines many regulations — some are brand new and some have been updated to include more specific language — companies are keeping a close eye on the following key changes:
- A broader definition of Personal Data: The GDPR expands the definition of personal data (PII) to include device IDs (including advertising IDs), IP addresses, or literally any other string or number that exists at the user-level. This type of data is integral to the entire app ecosystem, and this classification as ‘personal data’ triggers additional obligations for companies which collect, process and use this data, such as:
- Broader end-user data rights: End users (“Data Subjects” under GDPR) will have broader rights in relation to their data, including, for example:
  - Access (i.e., the right to know whether their data is being processed and to receive a copy of that data upon request);
  - Rectification (i.e., the right to correct any personal data that is inaccurate);
  - Portability (i.e., the ability to have their data transferred from one service provider to another); and
  - Erasure (i.e., the right to be forgotten and have all personal data deleted upon request).
- Data protection principles: The principles of minimization (i.e., only collecting the data you need), purpose limitation (i.e., only using data for a specific purpose) and storage limitation (i.e., only keeping data as long as is necessary), which can seem counterintuitive to some developers, are restated in the GDPR.
- Higher penalties: Businesses that do not comply with the GDPR face fines up to 4 percent of annual global revenue or €20 million ($24.5 million), whichever is greater.
So, what does this mean for app developers?
Under GDPR, app developers are directly responsible for their users’ data and must ensure visibility and real-time control over usage and activity. To improve security, companies must know the specifics of how they gather, store, transfer, and use data, including the various monetization and analytics providers relied upon to run their businesses. For apps, GDPR also means that all companies who interact with user data should enact explicit and easy-to-access processes for opting in and out of data collection and storage, and pass those permissions on to their vendors and partners.
App developers will need to comply with the GDPR and ePrivacy Directive rules to avoid costly fees and legal penalties. That means developers need to scrutinize the tools they use to build apps to make sure they don’t inadvertently violate data protection regulations.
Will GDPR impact performance marketing strategies?
For marketers, one of the main challenges posed by GDPR and ePrivacy is that the collection and processing of user data, which is critical when it comes to optimizing app performance and maximizing ad revenue, is subject to strict end-user permission and control. GDPR requires that consumers give affirmative consent to this level of ad targeting. Furthermore, consumers will soon have the right to have their personal data that is stored by developers (and their vendors) deleted, as well as the ability to opt out of all future collection and processing of their personal information.
Data is one of the most important currencies in today’s digital-first world. So for performance marketing, in particular, there is a specific concern arising from these new regulations’ emphasis on clear, explicit consent for how data is collected and treated when such data includes cookies and IP addresses.
The good news is that, unlike our counterparts on the web, app developers should be relatively well prepared for these types of user privacy controls. All of the major app platforms have provided consumers the ability to reset the identifiers used for advertising or to limit the use of these identifiers entirely; simply put, the ability to opt out. Further, in-app advertisers have not relied on what has traditionally been considered personal information, and advertising providers have found ways to work within these constraints and still deliver a quality experience for consumers and solid revenue for developers.
Interested in learning more about GDPR? Look for our updates next week as we share parts two and three of our three-part GDPR series.
Part 2: GDPR – Building a Compliant Network
Part 3: Getting ready for GDPR – practical considerations
- Guidelines on Consent from the European Commission Article 29 Working Party
- Vungle’s GDPR Implementation FAQ
If you have GDPR-specific questions, please contact GDPR@vungle.com.