The General Data Protection Regulation
The General Data Protection Regulation (GDPR) establishes rules on how companies, governments and other entities can process the personal data of EU citizens or residents. It also gives users the right to request access and deletion of the data a company has stored on them, unless other legal obligatory reasons allow the company to keep it (such as banking, loans, etc.)
Bidtellect is adhering to the technical guidance outlined by IAB: GDPR Transparency & Consent Framework: thorough technical guidance that is industry-standard.
Bidtellect will consider anyone in the European Economic Area (EEA) to be subject to GDPR rules.
The EEA is made up of the following countries:
Users from the EEA will need to provide consent to purposes and vendors in order for a vendor to be able to process and store identifiable information about the user unless there are other compelling reasons to do so. Publishers will need to integrate with a Consent Management Platform (CMP) in order to obtain this consent from their visitors. The consent form will list vendors that are used with their platform as well as downstream data processors. In addition, the form will contain information on how each vendor uses their data and purpose. Once a user has provided consent, it is stored in a cookie which is also referred to as their consent string. The consent string contains their consented purpose and vendor selections and is propagated to the supply side ad platform and then downstream to the demand side platforms such as Bidtellect.
While Bidtellect’s ad-serving platform does not collect sensitive personal information about a user such as their name, email address, etc., we do collect IP address, advertising ids (IFA/IFDA), cookie ids, and location data about a user in most scenarios, which makes us subject to the GDPR. Hence we and other companies like us would definitely be required to be compliant with all GDPR guidelines, which can be done by integrating a privacy platform similar to Terratrue into the existing workflows.
Bidtellect sets a tracking cookie which, while not personally identifiable, allows us to track behaviors of the individual such as ads that they have viewed, clicked, converted, and other engagement metrics and associations. We can use this cookie id to retarget the individual with ads or place them into an audience in which other advertising campaigns can target them or make a determination about the likelihood of them interacting with a particular advertisement. If the user deletes Bidtellect’s tracking cookie, the user and their data are essentially forgotten and will be deleted in accordance with our data retention policy.
OpenRTB and GDPR
OpenRTB is the protocol that Supply Side Platforms (SSP) use to talk with their Demand Side Platforms (DSP). Bidtellect is a native DSP that works with many different SSPs to deliver their native campaigns at scale. Bidtellect is responsible for the logistics of delivering and optimizing advertiser’s campaigns against SSP inventory. This now includes ensuring that how we store and process a user’s data adhere’s to their consent. The IAB has updated the OpenRTB spec to include two new fields in the OpenRTB protocol for GDPR. The first is a flag (regs.ext.gdpr) that denotes if the user is subject to GDPR rules. The second is a consent string (user.ext.consent) that will denote the purposes for data use as well as vendors to whom the user has given consent.
The publisher and/or supply-side platform is responsible for integrating with a Consent Management Platform (CMP) or creating their own consent management system. The CMP will provide a framework that will present a consent form to an EEA user upon their first visit to a publisher’s site. The form will include selections for purpose of data usage and vendors that are used by the publisher and downstream that will process and use their data. This includes Bidtellect as well as other third-party vendors needed to service campaigns, for example, behavioral data providers like Lotame and BlueKai or tag managers like DoubleClick or Adobe. For each vendor listed on the consent form, there will also be information on how that particular vendor will use their data so that the user can make an informed decision on whether they want to give consent to that vendor.
Once the user provides consent by selecting purposes and vendors, their selections are encoded and stored in a cookie set by the CMP. This encoded information is referred to as the consent string. This string is propagated from the user’s browser cookie to the supply side platform where it is then passed through the bid request to Bidtellect’s demand-side platform to be decoded.
Bidtellect will be integrating with a CMP so that we may identify consent for users that do come from the bid stream. These are tracking events that happen without the need for an auction to take place.
The consent string is an encoded object that contains the purposes for data use and vendors to which the user has given consent. It is passed downstream in the OpenRTB ecosystem so that vendors can evaluate if they themselves have consented in addition to any third party vendors that they may use to process collected data about the user.
The consent string is an optional parameter in the bid request. If a consent string is provided in the bid request, Bidtellect will decode the string and will use the consented purposes and vendors in its bidding strategy. If no consent string is provided and the user is subject to GDPR rules, it will limit campaigns that are able to participate in the bidding strategy.
There are five purposes in which data can be used and to which a user can consent. At a high level, these are storage of data, personalization, ad serving, content serving, and measurement. Please see this link for the complete list and description of each purpose.
Users consent to purpose(s) are on a global level and not on a per vendor level. This means if a user consents to purpose 1 and 2, then any consented vendor may use their data for those two purposes only.
Companies are referred to as Vendors. They will need to register themselves in the IAB’s global vendor list in order to be included in the CMP consent frameworks and obtain consent from users. Bidtellect will require any vendor or partner to also be registered in the Global Vendor List (GVL) before the use of their services, such as tags, may be used with the delivery of advertising campaigns. In addition to being registered in the GVL, they will also need to sign an agreement with Bidtellect stating their GDPR compliance.
In order to adhere to the GDPR regulations, Bidtellect has updated its bidding strategy in order to respect the privacy and consent of anyone that is subject to GDPR. We have defined the different scenarios around GDPR below and Bidtellect’s strategy.
GDPR with No Consent
If a user is subject to GDPR and no consent has been provided, only campaigns that do not require the use of identifiable information will be eligible to bid. This essentially limits demand to campaigns that are optimizing against CTR and do not use any third party add-ons, tags (vendors) or features that require user tracking such as frequency capping or engagement. Campaigns that optimize against CTR do not require the processing or storage of user identifiable information. Supply inventory that is not passing consent will have limited demand from Bidtellect’s platform in the EEA.
We will also remove any identifying ids such as IFA/IDFA, device ids, etc., from the bid request if no consent has been provided. By removing them from the bid request, they cannot be used to identify the user in any form and the ids will not be recorded on event data.
GDPR with Consent
If a user is subject to GDPR and has a consent string, we will evaluate their consented purposes and vendors to determine which campaigns are eligible to bid. Unless all vendors and purposes associated with a campaign have user consent, that campaign will be eliminated from bidding for the auction. This can affect the reach for campaigns that are targeting the EEA.
For users outside of the EEA, specifically in the United States and Canada, the consent logic does not apply to campaign eligibility as long as the GDPR flag is set to false. Campaigns targeting non-GDPR countries should remain mostly unaffected for delivery scale.
Data Collection and Retention
Bidtellect collects several pieces of identifying information on different events it receives from its advertising platform. This information includes IP address, cookie ids, and device or advertising ids.
Bidtellect will record and store full IP addresses and identifiers on event records if the user is not subject to GDPR but has given us consent. These events consist of impressions, clicks, and video events such as plays. If a user has not provided us consent, we will not use or record identifiers on event data and will drop the last octet of their IP address.
There are tracking events that take place without the need for an auction to take place. Examples of these type of events include conversion pixels and retargeting pixels. These are events that are fired upon visiting a particular advertiser page or site. If the visitor is subject to GDPR, Bidtellect will use its CMP integration to determine if we have the consent of the user. If it’s determined we have consent, we will record identifiable information. If we are unable to determine consent of the user or if the user has not provided consent, we will not record identifiable information such as cookie id and drop the last octet of their IP address.
Bidtellect has implemented a data retention policy for all event data to 28 days. This is for on-premise as well as cloud storage. If a user clears their cookies or opt-out, data previously associated with their cookie will be deleted after 28 days have passed.
Right to Access and Erasure
As part of the GDPR regulations, Bidtellect will provide users the ability to request access and/or deletion (a.k.a. – to be “forgotten”) of the data that Bidtellect has collected on them. Bidtellect’s request form will be located at https://gdpr.bttrack.com. Users will be required to provide their email address for each request. A validation link will be sent to their email upon request and the user will be required to follow the link to validate their request. This is to prevent abuse of the request system and to verify they’re using a valid email address as results will be emailed to them. Requests are batched and will be processed once every 24 hours and results emailed. Only one active request will be allowed per user at any given time. If a user requests access to their data, they will not be able to request deletion until their access request has been completed.
Right to Access
When users request access to their data, our system will summarize the different event data that we have collected for their tracking cookie into counts. This will be impressions, clicks, video plays, conversions, etc. In addition, it will include the different audience names that we have placed the user in. This summary will be emailed to the user and the request will be considered completed.
Right to Erasure
When a user requests deletion of their data, also known as to be “forgotten”, Bidtellect will set an opt-out cookie in the user’s browser. This cookie will replace the tracking cookie that we have set for them. As long as the user maintains this cookie in their browser, any events associated with the user will be anonymous. We will not have the ability to associate conversion events with clicks for example. We will also delete the last octet of their IP address in any event data.