Value by Context: The Answer for Ad Placement Post-GDPR

by Arthur Hainline | May, 2018 | Content, Native Advertising, Product and Technology

Shifting Away from User Data

GDPR. Apple’s iOS 11 Intelligent Tracking Prevention. Server-side header bidding. Internet trends point to an uncertain future for data-driven digital ad placement. User data – often the primary (if not only) driver of ad placement – will take a back seat as tighter privacy regulations shift into place. Cookies and users are slipping through the cracks, and marketers, media buyers, and media sellers are now faced with lower match rates on the audience segments they worked so hard to cultivate.

The push to keep user information anonymous is coming from many fronts, and includes government regulation with GDPR (General Data Protection Regulation), large corporations utilizing Apple’s iOS 11 Intelligent Tracking Prevention, and increasing adoption of Server-side header bidding within the ad tech industry. These three major factors alone point to a 2018 (and 2019) with an increased number of auctions on the open market where the user cannot be identified.

How much is this ad placement worth?

In a perfect world, marketers and media buyers would be able to assign an accurate cost value to each impression on the web. Every marketer and media buyer wants to know what an ad placement is truly worth to them. When marketers have at least some information about the user, they can make that decision quite quickly and rationally. The historical success of audience-based targeting and optimization has largely based the crucial decision of determining the cost of an ad placement on who the buyer thinks the user is.

Now, however, we are confronted with a landscape of increasingly available ad placement for sale and increasingly unavailable information on the user. Without user information for an increasing number of impressions, marketers and media buyers must try to assign a value to this ad placement. Does that mean this ad placement is worthless? Absolutely not. We can still direct a user interested in the marketer’s product to see the ad, but we must use an alternative source of information to decide on the value of impressions. Context information becomes crucial to the digital marketer’s toolkit.

What’s the context?

Imagine an impression for sale on the open market with no user information available (which will be increasingly common). We can still make an informed decision on the ad’s worth. In fact, we can determine the location, the time of day, the day of the week, the size and location of the ad on the page, the site it’s on, the page of the site it’s on, even specifics about what content is on that page. For example, we could learn there is an impression available at the bottom of an article titled “Best Valentine’s Day Gifts for Her” dated February 12th. This page’s information tells us enough about the type of user visiting the page to assign a value to this impression and determine its worth to me as a marketer. Through its context, I can deduce enough about the user’s intentions to decide how much I’m willing to pay for an impression.

Contextual Optimization in a Post-GDPR Landscape

Understanding that we have enough information about ad space without user information means we can face the (more private) future of the industry with far less fear. Furthermore, because of the lingering dominance of user-based optimization, much of the unmatched ad space on the open market is effectively “on sale.” Buyers that have relied solely on user-based optimization will be bidding very little or not at all on these unmatched impressions. And now that you have this contextual information, it can of course work in concert with your user-based buying strategies when they are available to you, making your bidding decisions incredibly powerful and precise. In a post-GDPR landscape, contextual optimization within native advertising will be the superior strategy for digital advertisers.
Read more about Contextual Optimization from Bidtellect CEO Lon Otremba
Want more from the Bidtellectual? We have a monthly newsletter!

What It Means: Decoding GDPR & Its Implications for Leading Native DSP, Bidtellect

by Luke | May, 2018 | Native Advertising, Product and Technology

The General Data Protection Regulation

The General Data Protection Regulation (GDPR) establishes rules on how companies, governments and other entities can process the personal data of EU citizens or residents. It also gives users the right to request access and deletion of the data a company has stored on them, unless other legal obligatory reasons allow the company to keep it (such as banking, loans, etc.)
Bidtellect is adhering to the technical guidance outlined by IAB: GDPR Transparency & Consent Framework: thorough technical guidance that is industry-standard.
Bidtellect will consider anyone in the European Economic Area (EEA) to be subject to GDPR rules.
The EEA is made up of the following countries:

Users from the EEA will need to provide consent to purposes and vendors in order for a vendor to be able to process and store identifiable information about the user unless there are other compelling reasons to do so. Publishers will need to integrate with a Consent Management Platform (CMP) in order to obtain this consent from their visitors. The consent form will list vendors that are used with their platform as well as downstream data processors. In addition, the form will contain information on how each vendor uses their data and purpose. Once a user has provided consent, it is stored in a cookie which is also referred to as their consent string. The consent string contains their consented purpose and vendor selections and is propagated to the supply side ad platform and then downstream to the demand side platforms such as Bidtellect.

While Bidtellect’s ad-serving platform does not collect sensitive personal information about a user such as their name, email address, etc., we do collect IP address, advertising ids (IFA/IFDA), cookie ids, and location data about a user in most scenarios, which makes us subject to the GDPR. Hence we and other companies like us would definitely be required to be compliant with all GDPR guidelines, which can be done by integrating a privacy platform similar to Terratrue into the existing workflows.

Bidtellect sets a tracking cookie which, while not personally identifiable, allows us to track behaviors of the individual such as ads that they have viewed, clicked, converted, and other engagement metrics and associations. We can use this cookie id to retarget the individual with ads or place them into an audience in which other advertising campaigns can target them or make a determination about the likelihood of them interacting with a particular advertisement. If the user deletes Bidtellect’s tracking cookie, the user and their data are essentially forgotten and will be deleted in accordance with our data retention policy.

OpenRTB and GDPR

OpenRTB is the protocol that Supply Side Platforms (SSP) use to talk with their Demand Side Platforms (DSP). Bidtellect is a native DSP that works with many different SSPs to deliver their native campaigns at scale. Bidtellect is responsible for the logistics of delivering and optimizing advertiser’s campaigns against SSP inventory. This now includes ensuring that how we store and process a user’s data adhere’s to their consent. The IAB has updated the OpenRTB spec to include two new fields in the OpenRTB protocol for GDPR. The first is a flag (regs.ext.gdpr) that denotes if the user is subject to GDPR rules. The second is a consent string (user.ext.consent) that will denote the purposes for data use as well as vendors to whom the user has given consent.

Consent Management

The publisher and/or supply-side platform is responsible for integrating with a Consent Management Platform (CMP) or creating their own consent management system. The CMP will provide a framework that will present a consent form to an EEA user upon their first visit to a publisher’s site. The form will include selections for purpose of data usage and vendors that are used by the publisher and downstream that will process and use their data. This includes Bidtellect as well as other third-party vendors needed to service campaigns, for example, behavioral data providers like Lotame and BlueKai or tag managers like DoubleClick or Adobe. For each vendor listed on the consent form, there will also be information on how that particular vendor will use their data so that the user can make an informed decision on whether they want to give consent to that vendor.

Once the user provides consent by selecting purposes and vendors, their selections are encoded and stored in a cookie set by the CMP. This encoded information is referred to as the consent string. This string is propagated from the user’s browser cookie to the supply side platform where it is then passed through the bid request to Bidtellect’s demand-side platform to be decoded.

Bidtellect will be integrating with a CMP so that we may identify consent for users that do come from the bid stream. These are tracking events that happen without the need for an auction to take place.

Consent String

The consent string is an encoded object that contains the purposes for data use and vendors to which the user has given consent. It is passed downstream in the OpenRTB ecosystem so that vendors can evaluate if they themselves have consented in addition to any third party vendors that they may use to process collected data about the user.

The consent string is an optional parameter in the bid request. If a consent string is provided in the bid request, Bidtellect will decode the string and will use the consented purposes and vendors in its bidding strategy. If no consent string is provided and the user is subject to GDPR rules, it will limit campaigns that are able to participate in the bidding strategy.

Purposes

There are five purposes in which data can be used and to which a user can consent. At a high level, these are storage of data, personalization, ad serving, content serving, and measurement. Please see this link for the complete list and description of each purpose.

Users consent to purpose(s) are on a global level and not on a per vendor level. This means if a user consents to purpose 1 and 2, then any consented vendor may use their data for those two purposes only.

Vendors

Companies are referred to as Vendors. They will need to register themselves in the IAB’s global vendor list in order to be included in the CMP consent frameworks and obtain consent from users. Bidtellect will require any vendor or partner to also be registered in the Global Vendor List (GVL) before the use of their services, such as tags, may be used with the delivery of advertising campaigns. In addition to being registered in the GVL, they will also need to sign an agreement with Bidtellect stating their GDPR compliance.

Bidding Strategy

In order to adhere to the GDPR regulations, Bidtellect has updated its bidding strategy in order to respect the privacy and consent of anyone that is subject to GDPR. We have defined the different scenarios around GDPR below and Bidtellect’s strategy.

GDPR with No Consent

If a user is subject to GDPR and no consent has been provided, only campaigns that do not require the use of identifiable information will be eligible to bid. This essentially limits demand to campaigns that are optimizing against CTR and do not use any third party add-ons, tags (vendors) or features that require user tracking such as frequency capping or engagement. Campaigns that optimize against CTR do not require the processing or storage of user identifiable information. Supply inventory that is not passing consent will have limited demand from Bidtellect’s platform in the EEA.

We will also remove any identifying ids such as IFA/IDFA, device ids, etc., from the bid request if no consent has been provided. By removing them from the bid request, they cannot be used to identify the user in any form and the ids will not be recorded on event data.

GDPR with Consent

If a user is subject to GDPR and has a consent string, we will evaluate their consented purposes and vendors to determine which campaigns are eligible to bid. Unless all vendors and purposes associated with a campaign have user consent, that campaign will be eliminated from bidding for the auction. This can affect the reach for campaigns that are targeting the EEA.

Non-GDPR

For users outside of the EEA, specifically in the United States and Canada, the consent logic does not apply to campaign eligibility as long as the GDPR flag is set to false. Campaigns targeting non-GDPR countries should remain mostly unaffected for delivery scale.

Data Collection and Retention

Bidtellect collects several pieces of identifying information on different events it receives from its advertising platform. This information includes IP address, cookie ids, and device or advertising ids.

Tracking

Bidtellect will record and store full IP addresses and identifiers on event records if the user is not subject to GDPR but has given us consent. These events consist of impressions, clicks, and video events such as plays. If a user has not provided us consent, we will not use or record identifiers on event data and will drop the last octet of their IP address.

There are tracking events that take place without the need for an auction to take place. Examples of these type of events include conversion pixels and retargeting pixels. These are events that are fired upon visiting a particular advertiser page or site. If the visitor is subject to GDPR, Bidtellect will use its CMP integration to determine if we have the consent of the user. If it’s determined we have consent, we will record identifiable information. If we are unable to determine consent of the user or if the user has not provided consent, we will not record identifiable information such as cookie id and drop the last octet of their IP address.

Data Retention

Bidtellect has implemented a data retention policy for all event data to 28 days. This is for on-premise as well as cloud storage. If a user clears their cookies or opt-out, data previously associated with their cookie will be deleted after 28 days have passed.

Right to Access and Erasure

As part of the GDPR regulations, Bidtellect will provide users the ability to request access and/or deletion (a.k.a. – to be “forgotten”) of the data that Bidtellect has collected on them. Bidtellect’s request form will be located at https://gdpr.bttrack.com. Users will be required to provide their email address for each request. A validation link will be sent to their email upon request and the user will be required to follow the link to validate their request. This is to prevent abuse of the request system and to verify they’re using a valid email address as results will be emailed to them. Requests are batched and will be processed once every 24 hours and results emailed. Only one active request will be allowed per user at any given time. If a user requests access to their data, they will not be able to request deletion until their access request has been completed.

Right to Access

When users request access to their data, our system will summarize the different event data that we have collected for their tracking cookie into counts. This will be impressions, clicks, video plays, conversions, etc. In addition, it will include the different audience names that we have placed the user in. This summary will be emailed to the user and the request will be considered completed.

Right to Erasure

When a user requests deletion of their data, also known as to be “forgotten”, Bidtellect will set an opt-out cookie in the user’s browser. This cookie will replace the tracking cookie that we have set for them. As long as the user maintains this cookie in their browser, any events associated with the user will be anonymous. We will not have the ability to associate conversion events with clicks for example. We will also delete the last octet of their IP address in any event data.

For additional information, please reach out to GDPR@bidtellect.com.
Read More about the Shift in the Content Marketing Landscape from Bidtellect CEO Lon Otremba

Cookie	Duration	Description
_abck	1 year	This cookie is used to detect and defend when a client attempt to replay a cookie.This cookie manages the interaction with online bots and takes the appropriate actions.
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
AWSELB	session	Associated with Amazon Web Services and created by Elastic Load Balancing, AWSELB cookie is used to manage sticky sessions across production servers.
bm_sz	4 hours	This cookie is set by the provider Akamai Bot Manager. This cookie is used to manage the interaction with the online bots. It also helps in fraud preventions
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
SF_PHPSESSID	session	No description
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_gat	1 minute	This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites.
AWSELBCORS	2 hours	This cookie is used by Elastic Load Balancing from Amazon Web Services to effectively balance load on the servers.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_W78HCZ6KJE	2 years	This cookie is installed by Google Analytics.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
bt-es-13398	session	No description
bt-es-15162	session	No description
bt-es-15264	session	No description
bt-es-15547	session	No description
bt-es-15900	session	No description
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_cc_cc	session	The cookie is set by crwdcntrl.net to collect statistical data such as the number of visits, average time spent on site, and what pages have been loaded, for targeted advertising.
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
GLOBALID	3 months	No description available.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Recent Posts

Recent Comments

Archives

Categories

Meta