Designing for Privacy in an Increasingly Public World
GDPR - Applift firstscreen june 2016
1. Why You Should Pay Attention to the GDPR*
FirstScreen Conference
Berlin, June 15, 2016
Saira Nayak, Chief Privacy Officer
*not legal advice
2. One way to address data protection/privacy in ads...
"The internet is the world's largest tracking machine, and
anything that can be tracked, will be tracked, so the
only way to deal with it is to:
embrace the tracking *
and say how do we civilize it... tame it.. domesticate it?"
Kevin Kelly, “The Inevitable”
*get over it
3. Today’s Discussion
1. What is the GDPR? Why should you care?
2. Ad ecosystem under current EU law vs. GDPR
3. US alignment with EU approach
4. Safe Harbor/Privacy Shield update
5. What you should be doing now to get ready.
4. What’s in a word?
For purposes of this discussion:
Privacy = end user rights around collection, use and sharing of “personal data” i.e. something
that can identify the individual person.
Data = contractual requirements that secure data between companies, or mobile platform
requirements e.g. Apple’s developer guidelines for IDFAs.
Security = practices that companies use to “secure” data; security is often defined in terms of
how much the data is de-identified or anonymized.
5. 1. Why we should pay attention to the GDPR
● GDPR = General Data Protection Regulation
● Comes into force: May 2018
● Significantly changes data protection requirements for companies doing
business in all 28 EU Member States and the EEA
● Increases obligations on advertisers, and for the first time, includes
potential liabilities for networks and publishers too.
● Fines = up to 4% of global revenue
Isabelle Falque-Pierrotin of the CNIL.
6. 2. Ad ecosystem under current EU law
Publishers
● Typically an advertiser who is interested in monetizing its app traffic
● As a data controller or first party, still holds primary responsibility for data protection & privacy compliance
Ad Network
● Usually classified as a data processor (EU) or third party (US)
● Can be viewed as a data controller if it determines “purpose and means” of the processing...
Advertisers
● Classified as a data controller (EU) or a first party (US)
● As a data controller or first party, holds primary responsibility for data protection & privacy compliance
7. 2. Ad ecosystem under GDPR
Advertisers, Networks and Publishers can be jointly responsible
and liable for data protection violations.
8. 2. GDPR: Personal Data
● Personal data has now been expanded to include location data or an online identifier
linked to the following:
“one or more factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person.”
Sensitive data (requires opt-in) - now includes biometrics, genetics and sexual orientation.
How will this impact: advertising, biometrics, internet of things, robotics, wearables?
● Technical identifiers that are “pseudonymized,” are exempt from access, data portability
and right to be forgotten requirements.
9. 2. GDPR: Profiling & Tracking
Requirements around ad profiles/tracking remain unclear.
● GDPR specifies “unambiguous consent” from end users when collecting personal data (including IP addresses, ad IDs).
● But data processing OK if it’s in the “legitimate interest” of data controller OR to further a contract between end user and data controller.
● For now:
○ Upcoming Guidance on consent and profiling; UK DPA leading.
○ Industry groups e.g. IAB UK, are liaising with EU regulators to figure out how GDPR will apply to advertising, mobile, internet of things.
10. 2. GDPR: Other issues to watch
Evidencing Operational Privacy
● Everyone is going to need to demonstrate Accountability through a
comprehensive data management program, headed by a data protection officer
New End User Rights
● 72 hour data breach notification
● Right to be forgotten (for personal data that isn’t pseudonymous)
● Data Portability (for personal data that isn’t pseudonymous)
● Children’s privacy law (age by individual country, under 13-16 years)
11. 2. Will EU COPPA follow US rules?
● US COPPA - “verified parental consent” when targeting kids under 13
● Even if you don’t target kids, but think kids are on your app/site, you need an age-gate
(cc: Yelp)
● COPPA was the first law in the world to categorize tech IDs, ad IDs and other “persistent identifiers” as “personal data”
Advertisers and Publishers are responsible for COPPA compliance on their apps
Networks are responsible for COPPA compliance only if they have actual knowledge that they are targeting ads to kids under 13.
12. 3. What’s the FTC focused on nowadays?
Cross Device
Native Advertising
Mobile Platform Security Practices
Transparency, including ad disclosures
Children’s Privacy (COPPA)
13. 3. US-FTC alignment with GDPR position?
Definitely. There’s COPPA. And check out these recent comments
and blog post from the FTC’s Jessica Rich:
"Even without a name, you can learn a lot about people if you use a
persistent identifier to track their activities over time on a particular device.
You also can communicate with them. So what does that mean for the online
advertising industry? If you’re collecting persistent identifiers, be careful
about making blanket statements to people assuring them that you don’t
collect any personal information or that the data you collect is anonymous.
And as you assess the risks to the data you collect, consider all your data, not
just the data associated with a person’s name or email address."
14. 4. Safe Harbor & Privacy Shield update
● In October 2015, the EU’s Court of Justice declared Safe Harbor “inadequate” for EU to US transfers of personal data.
● Companies are scrambling to get contracts in place to address the gap, e.g. EU model clauses (validity is also in doubt, FB case before ECJ).
● So far, EU and US negotiators haven’t been able to reach a decision on Safe Harbor 2.0 aka “Privacy Shield.”
● At issue: data retention, ability of EU citizens to sue US companies
15. 5. Takeaways?
● Pull together a cross-functional team to figure out how the GDPR applies
to your business (legal, engineering, product, marketing, etc.)
● Map your data flows - end user, vendor, HR, etc.
● Then, map your upstream and downstream data relationships. Clients.
Vendors. Users. Make sure you are covered on EU obligations.
● Get even more transparent with your privacy policy and consents.
● Consider a certification to evidence Accountability - eDAA, ePrivacy
16. 5. Takeaways
● Get involved with industry groups who can educate EU regulators about how the
European ad ecosystem works, and who it benefits.
● Challenge some assumptions?
➔ Does hashing really protect end user privacy?
○ If an ad ID can be reset by the end user, why should we hash an ad ID?
○ If all you have is a dynamic IP address, and a digital fingerprint, can you truly
identify an end user?
➔ Is end user consent necessary if data collection is needed to deliver, optimize, or
revolutionize your app or service?
● Are these issues related to other important things you might be thinking about?
Fraud… Ad blockers… Staying in the game.
17. 6. Resources
GDPR
Ambiguity of Unambiguous Consent by Phil Lee, FieldFisherWaterhouse
What’s Relevant for Cookies, etc. under GDPR, by Christoph Bauer of ePrivacy
Privacy Shield
Don’t Hold your Breath (for Privacy Shield), ArsTechnica
Don’t Cut off your Nose to Spite your Face (said my grandmother), by Jules Polonetsky, Future of Privacy
US & Industry Best Practices
FPF-CDT Best Practices (for Mobile App developers):
Privacy on the Go (CA privacy rules):
FTC “Start with Security” (US - data security guidelines for mobile apps):
Importance of Securing Data (TUNE guidance on how the TMC secures data)
18. Thank You!
Especially Thomas, Johana, Svenja and Andrew
Saira Nayak
Chief Privacy Officer
saira@tune.com
@SairaNayak