May 25th 2018
Part 3: Getting Ready for GDPR – Practical Considerations Copy
In this installment of our GDPR series, we discuss the highest priority issues for publishers and advertisers. And as a reminder, this is not legal advice; just Vungle’s analysis of what these new regulations mean for app developers and advertisers. As always, you should work with your legal team to determine what is appropriate for your specific situation.
Publishers: It’s All About Consent
The GDPR puts a premium on user consent for data collection and retention. Additionally, publishers should be mindful of how the new rules apply to two different types of entities:
- Controllers – determine how and why personal data should be processed. Typically, app publishers, mediators and ad networks will be considered data controllers.
- Processors – process data on behalf of controllers. Typically, service vendors (e.g. data storage, analytics) will be considered data processors.
From a user-experience perspective, having each data controller run their own opt-in process is far from ideal. For instance, if an app has integrated three ad networks and a mediation platform, the user could be presented with four separate opt-in dialogs, each of which would likely have slightly different wording and look and feel. Under guidance published by the European Commission working group on GDPR issues, publishers can gather consent for multiple controllers as long as each controller is named and the data collected is disclosed (Section 3.3.1).
Vungle has enabled user-level consent flags in the latest versions of its SDKs for iOS, Android and Windows. This will provide publishers collecting user consent a mechanism to pass that consent to Vungle via our SDK for each request. Vungle can then apply the appropriate data controls.
One of the ironies of these new regulations is that consumers have had the ability to control key elements of their mobile privacy for years – all of the major app platforms have user-level controls about whether their advertising IDs can be used for more personalized ads. The upside here is that mobile advertising providers have built their systems to accommodate this option, and will be able to handle the newly opted-out users without undue disruption.
It is also worth clarifying that opting out of data collection does not opt the user out of seeing ads completely. Instead, opting out means that Vungle (and other ad networks) won’t be able to use historical performance data to better customize what ads the user will see.
Advertisers & Publishers – Getting Your (Data) House in Order
The GDPR and ePrivacy Directive apply not only to a company’s workflow, but also extend to the company’s vendors and suppliers. In other words, developers should review current agreements and policies with third-party vendors so they’re aligned with the GDPR.
Additionally, companies are updating their privacy policies and amending their contracts and terms of use as a result of updated notice, transparency, and user rights requirements under GDPR. Many are also putting new Data Processing Agreements (DPAs) in place with their vendors who process user data. These steps aim to ensure that user data is being handled properly and that all companies in the data stream understand their roles and responsibilities are in compliance with the new regulatory environment.
Hopefully this series of posts has provided some useful information and helped to provide greater detail about how Vungle is supporting both advertisers and publishers to build GDPR-compliant systems. Thanks for reading, and we’ll come back in a few months to assess the impact of these new regulations.
Part 1: GDPR – What It Is and Why It Matters
Part 2: GDPR – Building a Compliant Network
Resources:
Vungle’s GDPR-compliant SDKs for iOS, Android and Windows
Guidelines on Consent from the European Commission Article 29 Working Party
Vungle’s GDPR Implementation FAQs
If you have GDPR-specific questions, please contact GDPR@vungle.com.
