With GDPR Deadline Looming, Ad Tech Community Races to Find Solutions


By: Richard S. Eisert, Gary A. Kibel and Justin Lee

With just days remaining before the European Union’s (EU) General Data Protection Regulation (GDPR) takes effect, ad tech companies are racing to find compliance solutions.

By way of background, the primary goal of the GDPR is to give individuals in the EU more control over how their “personal data” (including cookie IDs and device identifiers) is used, and by whom. One way the GDPR seeks to do that is by requiring individuals to affirmatively consent or “opt in” to the use of their personal data.

As we observed in last month’s post, the Interactive Advertising Bureau’s Technology Laboratory (IAB Tech Lab) has proposed a possible solution for the entire ad tech community. In particular, the IAB Tech Lab solution (which has not been officially endorsed by EU regulators) proposes the use of a signal transmitted between parties engaged in an ad call which conveys whether GDPR-compliant consent has been obtained.

Companies can also adopt other GDPR-compliant solutions on their own or by collaborating with others. For example, ad tech companies could consider excluding EU audiences altogether from targeted advertising campaigns. Another approach would be to utilize contextual advertising methods, which target ads based on the content of a webpage and not the personal data of consumers who may be interested in such content. Furthermore, there are other third-party cookie consent technologies that (like the proposed IAB Tech Lab solution) promise to help achieve compliance by offering user-centric consent controls.

Finally, ad tech companies should consider whether they can continue to engage in targeted advertising without directly using personal data. For example, certain advertising platforms may provide a “walled garden” environment that does not allow access to any personal data within that ecosystem. This “walled garden” environment permits ad tech companies to continue to target based on personal data without ever receiving or processing that data, giving such companies an argument that they have not subjected themselves to the GDPR by virtue of such targeted advertising.

The Bottom Line

With fines that can reach up to €20 million or 4% of worldwide annual revenue, the cost of getting the legal basis for processing personal data wrong under the GDPR could be much more significant than it has been under the prior data privacy framework in the EU. With just days to go before the GDPR becomes enforceable, ad tech companies must now find solutions to meet the GDPR’s requirements.

Richard S. Eisert

Digital Media, Technology & Privacy Partner

Davis & Gilbert LLP

212.468.4863 // reisert@dglaw.com

Gary A. Kibel

Digital Media, Technology & Privacy Partner

Davis & Gilbert LLP

212.468.4918 // gkibel@dglaw.com

Justin Lee

Digital Media, Technology & Privacy Associate

Davis & Gilbert LLP

212.468.4894 // jlee@dglaw.com