This content is not meant to take the place of official and/or professional legal counsel; please refer to your lawyer for any legal advice.
The General Data Protection Regulation (GDPR) is a new set of regulations that took effect on May 25, 2018, surrounding the privacy, control, and transfer of data for EU citizens. The goal of the GDPR is to ensure that all EU citizens are protected against privacy and data breaches in a world where data is increasingly important, creating an environment that is very different from 1995 when the previous directive was established. Although the key principles from the previous directive surrounding data privacy still remain true, several changes have been proposed to the regulatory policies. The key points of the GDPR are detailed below, along with more information about the impacts this will have on organizations.
Increased Territorial Scope (extraterritorial applicability)
The biggest change applied to the regulatory landscape of data privacy is probably the extended jurisdiction of the GDPR, as it will apply to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location. In the previous directive, territorial applicability was a bit ambiguous and referred to data processing “in the context of an establishment”, an ambiguity that has arisen in several high-profile court cases. The territorial applicability of the GDPR is very clear: it applies to the processing of personal data by controllers and processors in the European Union, whether the processing takes place in the EU or not. It will also apply in cases where the controller or processor is not established in the EU when the activities relate to offering goods or services to EU citizens (regardless of whether a payment is required) or monitoring behaviours that take place within the European Union. Non-EU companies processing the data of EU citizens will also have to appoint a representative in the EU.
M32 CONNECT’S ACTION PLAN
M32 converted its entire network to follow the guidelines of the GDPR, the General Data Protection Regulation, which applies to all EU citizens. As a result, all websites managed by M32 Connect will not be able to display any ads to EU visitors if they are not equipped with an IAB Certified Consent Management Platform, a tool used to request, receive and store users’ consent.
As similar laws are adopted in other countries in the coming years, this decision will be extended wherever the law requires it.
WHAT IS A COOKIE?
When you visit a website, not only are you offered information or services, but your computer may also be offered a “cookie.” A cookie is a small file that is passed from a website to an end user’s (your) computer, often without your knowledge or consent.
WHO IS AFFECTED BY GDPR?
Any company that controls or processes personal data or behavioural information from an individual in an EU country will be impacted by GDPR. In the digital and programmatic industry, this includes nearly every company with an online presence. We strongly advise our publishers to follow these principles even if their European traffic is low, as it remains a good and relevant practice to protect users’ privacy.
IS GDPR EQUIVALENT TO ADCHOICES AND CASL IN CANADA?
Not really, as GDPR is broader. CASL focuses only on the spamming aspect of privacy, and AdChoices is a program that helps the industry better manage privacy but is not a law. For more information about these three concepts please visit:
WHAT ARE THE 6 BASIC PRINCIPLES AROUND GDPR?
- The Principles of Lawfulness, Fairness, and Transparency: Following these principles, companies must make it clear as to why data is being collected and how it will be used.
- The Principle of Purpose Limitation: This means that companies must have a legitimate purpose for processing the information and can only use the data for the objectives they have clearly described and justified.
- The Principle of Data Minimization: Organizations must ensure that they are only requesting the minimum necessary amount of data required for their purpose and that it is relevant for this purpose.
- The Principle of Accuracy (Trueness): This principle states that data controllers must make sure that information remains accurate and valid, and that otherwise it is rectified or removed.
- The Principle of Storage Limitation: This limits how long data is stored; it should be kept in a form which allows identification of a person for no longer than is necessary for the described purposes.
- The Principle of Integrity and Confidentiality: This principle protects the integrity and privacy of data as companies must take all required measures to make sure all the personal data is protected and secure.
WHAT IS M32’S RESPONSIBILITY?
SUGGESTIONS TO OUR CANADIAN PUBLISHERS
Please note that we are only making suggestions concerning the advertising side of the GDPR. You should also review the other aspects of your users’ privacy.
Here are the five tactics we suggest putting in place to manage the advertising privacy:
- Declare clearly that you are using cookies and collecting behavioural and analytical data
- Add a link in your website’s footer to your privacy and cookie policies and to a consent management platform or any opt-out cookie tool
- Make sure there are no cookies associated with pages where users transact or subscribe to your paid services
- Move your site under the https protocol
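The following is an added example (not M32 Connect’s code) that audits crawled pages against the cookie and https tactics above: it flags pages not served over https, cookies set on transaction pages, and cookies that lack the Secure flag once the site is on https. The page records, the URLs and the `/checkout` and `/subscribe` path prefixes used to identify transaction pages are constructed assumptions.

```python
"""Audit page records against the cookie and https tactics listed above."""
from urllib.parse import urlparse

# Constructed sample of what a crawl of a publisher site might return:
# each record is the page URL plus the Set-Cookie headers in its response.
SAMPLE_PAGES = [
    {"url": "https://example-publisher.test/", "set_cookie": [
        "_tracking=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]},
    {"url": "http://example-publisher.test/news", "set_cookie": [
        "ad_id=xyz; Path=/; Max-Age=31536000"]},
    {"url": "https://example-publisher.test/checkout", "set_cookie": [
        "_tracking=abc123; Path=/"]},
    {"url": "https://example-publisher.test/subscribe", "set_cookie": []},
]

# Assumption: paths under these prefixes are where users transact/subscribe.
TRANSACTION_PREFIXES = ("/checkout", "/subscribe")


def parse_set_cookie(header):
    """Return (cookie name, {attribute: value}) with attribute names lowercased.
    Flag attributes such as Secure map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_page(page):
    """Return the list of findings for one page record (empty if clean)."""
    findings = []
    parsed = urlparse(page["url"])
    if parsed.scheme != "https":
        findings.append("not served over https")
    is_transaction = parsed.path.startswith(TRANSACTION_PREFIXES)
    for header in page["set_cookie"]:
        name, attrs = parse_set_cookie(header)
        if is_transaction:
            findings.append(f"cookie '{name}' set on a transaction page")
        if "secure" not in attrs:
            findings.append(f"cookie '{name}' lacks the Secure flag")
    return findings


def audit_site(pages):
    """Map each page URL to its findings so the report can be reviewed per page."""
    return {page["url"]: audit_page(page) for page in pages}


if __name__ == "__main__":
    for url, findings in audit_site(SAMPLE_PAGES).items():
        print(url, "->", findings or ["ok"])
```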