What is the GDPR?

The General Data Protection Regulation (GDPR) is the new European Union (EU) data protection law that becomes effective on May 25, 2018.  GDPR streamlines and overhauls the existing EU privacy law (the Data Protection Directive), while giving individuals more control over their personal data.

One significant update (particularly for the ad-tech industry) is a heightened standard for consent to collect and process user data, which places more responsibility on organizations to demonstrate compliance (such as by maintaining auditable data processing records).  Any organizations engaging third-party services (like Vungle) to collect and process data on their behalf will also need appropriate contracts in place to comply with the stricter requirements introduced by the GDPR.

What does Vungle do?

Vungle is the leading mobile in-app video advertising platform.  We serve both advertisers (who wish to distribute ad content through our platform) and publishers of mobile applications (who want to display relevant ads to end users).  You can find out more here.

Does GDPR affect Vungle?

GDPR applies to the collection, use and disclosure of all “personal data” in the European Economic Area, and ensures that any party who collects personal data does so pursuant to one of the law’s approved grounds.  Personal data, as defined in the GDPR, includes all data relating to an identified or identifiable end user, which includes personally identifiable information like names, phone numbers, etc. (which we currently do not collect or process in providing our services), in addition to “pseudonymous” forms of personal data such as device-related identifiers and IP addresses (which we do collect).

Vungle is principally acting as an independent controller of most of the personal data it collects and processes.  Vungle is proactively working to ensure GDPR-readiness by the effective date.

What is the ePrivacy Directive?

Another existing EU law – the e-Privacy Directive (colloquially referred to as the “Cookie Law”) – requires consent before using tracking technologies (such as cookies, pixels, web beacons, and SDKs) to access information stored on an end user’s device.  Due to the heightened consent standard addressed by GDPR (discussed above), discussion of the Cookie Law in connection with GDPR arises frequently.

This also impacts Vungle because, as an ad network, Vungle’s proprietary technology includes a mobile SDK which, when integrated with a publisher’s mobile application, enables Vungle to gather device data so that Vungle can deliver end users more relevant ads from Vungle’s network of advertisers. However, because ad networks like Vungle have no direct relationship with the end users of the mobile applications displaying such ads, Vungle is actively working with its network of publishers to achieve an appropriate consent mechanism so that Vungle can collect and use the data it needs via its SDK.

Publishers should likewise revisit their cookie consent mechanisms to ensure that they will meet the GDPR standard of consent (both for themselves and any service providers who may be assisting them). We are actively monitoring the regulatory and industry developments in this area, including the progress of the new (but still draft) e-Privacy Regulation which, once finalized, will replace the existing Cookie Law.  Whatever revisions affect the Cookie Law, the requirement for consent to use tracking technologies is likely to remain.

What is Vungle doing internally to comply with the GDPR?

Vungle has embarked on a compliance project with support from external advisors to become GDPR-ready by the May 25, 2018 deadline.  Some of the measures Vungle is taking include:

  • Data Minimization – establishing mechanisms to collect only data that is needed, and pseudonymising such data wherever possible;
  • Data Retention – implementing a maximum data retention schedule across all our systems so that we routinely delete or anonymise data we don’t need;
  • Consent – working with publishers to obtain and record GDPR-level consent in connection with the Cookie Law;
  • International Data Transfers – finalizing its EU-US Privacy Shield certification (see more below);
  • Data Mapping – undertaking a data mapping exercise for the purpose of creating the necessary data processing records;
  • Individual Rights – formalizing processes around data subject rights to ensure that Vungle is able to respond comprehensively and within the timeframes set by the GDPR;
  • Transparency – updating its privacy notices and internal policies for GDPR compliance;
  • Vendor Agreements – updating existing arrangements with third-party subprocessors to ensure GDPR compliance as well as vetting new subprocessors; and
  • Security – ensuring continued use of adequate security measures to safeguard any data collected and processed on systems owned or managed by Vungle.

Vungle is committed to implementing its GDPR readiness program and understands the importance of a successful transition to GDPR for its customers.

Does Vungle transfer data internationally?

Vungle is headquartered in the United States, but has offices in the EU and its technology is incorporated in mobile applications that have users in the EEA. Therefore, Vungle will process personal data that originates from the EEA on its servers and facilities in the United States.

The GDPR replicates the Data Protection Directive restrictions on transferring data outside the EEA.  Transfers are permitted only if certain safeguards are in place, such as by self-certifying to the EU-US Privacy Shield.  Accordingly, Vungle is in the process of certifying to the EU-US Privacy Shield to protect all transfers of non-HR European data to Vungle in the US.

Where can I get more information?

If you have any questions or require assistance, please contact Vungle’s Privacy team.