In this installment of our GDPR series, we discuss the highest priority issues for publishers and advertisers. And as a reminder, this is not legal advice; just Vungle’s analysis of what these new regulations mean for app developers and advertisers. As always, you should work with your legal team to determine what is appropriate for your specific situation.
Publishers: It’s All About Consent
The GDPR puts a premium on user consent for data collection and retention. Additionally, publishers should be mindful of how the new rules apply to two different types of entities:
- Controllers – determine how and why personal data should be processed. Typically, app publishers, mediators and ad networks will be considered data controllers.
- Processors – process data on behalf of controllers. Typically, service vendors (e.g. data storage, analytics) will be considered data processors.
From a user-experience perspective, having each data controller run their own opt-in process is far from ideal. For instance, if an app has integrated three ad networks and a mediation platform, the user could be presented with four separate opt-in dialogs, each of which would likely have slightly different wording and look and feel. Under guidance published by the European Commission working group on GDPR issues, publishers can gather consent for multiple controllers as long as each controller is named and the data collected is disclosed (Section 3.3.1).
Vungle has enabled user-level consent flags in the latest versions of its SDKs for iOS, Android and Windows. This will provide publishers collecting user consent a mechanism to pass that consent to Vungle via our SDK for each request. Vungle can then apply the appropriate data controls.
One of the ironies of these new regulations is that consumers have had the ability to control key elements of their mobile privacy for years – all of the major app platforms have user-level controls about whether their advertising IDs can be used for more personalized ads. The upside here is that mobile advertising providers have built their systems to accommodate this option, and will be able to handle the newly opted-out users without undue disruption.
It is also worth clarifying that opting out of data collection does not opt the user out of seeing ads completely. Instead, opting out means that Vungle (and other ad networks) won’t be able to use historical performance data to better customize what ads the user will see.
Advertisers & Publishers – Getting Your (Data) House in Order
The GDPR and ePrivacy Directive apply not only to a company’s workflow, but also extend to the company’s vendors and suppliers. In other words, developers should review current agreements and policies with third-party vendors so they’re aligned with the GDPR.
Hopefully this series of posts has provided some useful information and helped to provide greater detail about how Vungle is supporting both advertisers and publishers to build GDPR-compliant systems. Thanks for reading, and we’ll come back in a few months to assess the impact of these new regulations.
Guidelines on Consent from the European Commission Article 29 Working Party
If you have GDPR-specific questions, please contact GDPR@vungle.com.