The General Data Protection Regulation (GDPR) is the new European Union (EU) data protection law that becomes effective on May 25, 2018. GDPR streamlines and overhauls the existing EU privacy law (the Data Protection Directive), while giving individuals more control over their personal data.
One significant update (particularly for the ad-tech industry) is a heightened standard for consent to collect and process user data, which places more responsibility on organizations to demonstrate compliance (such as by maintaining auditable data processing records). Any organizations engaging third-party services (like Liftoff) to collect and process data on their behalf will also need appropriate contracts in place to comply with the stricter requirements introduced by the GDPR.
Understand Liftoff Monetize
Liftoff Monetize is the leading mobile in-app video advertising platform. We serve both advertisers (who wish to distribute ad content through our platform) and publishers of mobile applications (who want to display relevant ads to end users). You can find out more here.
Liftoff and GDPR
GDPR applies to the collection, use and disclosure of all “personal data” in the European Economic Area, and ensures that any party who collects personal data does so pursuant to one of the law’s approved grounds. Personal data, as defined in the GDPR, includes all data relating to an identified or identifiable end user, which includes personally identifiable information like names, phone numbers, etc. (which we currently do not collect or process in providing our services), in addition to “pseudonymous” forms of personal data such as device-related identifiers and IP addresses (which we do collect).
Liftoff is principally acting as an independent controller of most of the personal data it collects and processes. Liftoff is proactively working to ensure GDPR-readiness by the effective date.
The ePrivacy Directive
Another existing EU law – the e-Privacy Directive (colloquially referred to as the “Cookie Law”) – requires consent before using tracking technologies (such as cookies, pixels, web beacons, and SDKs) to access information stored on an end user’s device. Due to the heightened consent standard addressed by GDPR (discussed above), discussion of the Cookie Law in connection with GDPR arises frequently.
This also impacts Liftoff because, as an ad network, Liftoff's proprietary technology includes a mobile SDK which, when integrated with a publisher’s mobile application, enables Liftoff to gather device data so that Liftoff can deliver end users more relevant ads from Liftoff's network of advertisers. However, because ad networks like Liftoff have no direct relationship with the end users of the mobile applications displaying such ads, Liftoff is actively working with its network of publishers to achieve an appropriate consent mechanism so that Liftoff can collect and use the data it needs via its SDK.
Publishers should likewise revisit their cookie consent mechanisms to ensure that they will meet the GDPR standard of consent (both for themselves and any service providers who may be assisting them). We are actively monitoring the regulatory and industry developments in this area, including the progress of the new (but still draft) e-Privacy Regulation which, once finalized, will replace the existing Cookie Law. Whatever revisions affect the Cookie Law, the requirement for consent to use tracking technologies is likely to remain.
How Liftoff Complies With the GDPR
Liftoff has embarked on a compliance project with support from external advisors to become GDPR-ready by the May 25, 2018 deadline. Some of the measures Liftoff is taking include:
- Data Minimization – establishing mechanisms to collect only data that is needed, and pseudonymising such data wherever possible;
- Data Retention – implementing a maximum data retention schedule across all our systems so that we routinely delete or anonymise data we don’t need;
- Consent – working with publishers to obtain and record GDPR-level consent in connection with the Cookie Law;
- International Data Transfers – finalizing its EU-US Privacy Shield certification (see more below);
- Data Mapping – undertaking a data mapping exercise for the purpose of creating the necessary data processing records;
- Individual Rights – formalizing processes around data subject rights to ensure that Liftoff is able to respond comprehensively and within the timeframes prescribed by the GDPR;
- Transparency – updating its privacy notices and internal policies for GDPR compliance;
- Vendor Agreements – updating existing arrangements with third party subprocessors to ensure GDPR compliance as well as vetting new subprocessors; and
- Security – ensuring continued use of adequate security measures to safeguard any data collected and processed on systems owned or managed by Liftoff.
Liftoff is committed to implementing its GDPR readiness program and understands the importance of a successful transition to GDPR for its customers.
Liftoff is headquartered in the United States, but has offices in the EU and its technology is incorporated in mobile applications that have users in the EEA. Therefore, Liftoff will process personal data that originates from the EEA on its servers and facilities in the United States.
The GDPR replicates the Data Protection Directive restrictions on transferring data outside the EEA. Transfers are permitted only if certain safeguards are in place, such as by self-certifying to the EU-US Privacy Shield. Accordingly, Liftoff is in the process of certifying to the EU-US Privacy Shield to protect all transfers of non-HR European data to Liftoff in the US.