General Data Protection Regulation
On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect. This legislation replaced the previously adopted Data Protection Agreement (1995). The purpose of the regulation is to strengthen personal data safety and give users more control over the management of their personal data.
GDPR and VerusMedia
In the same way, we fine-tuned all our internal processes and procedures related to operational safety. We reviewed and modernized our entire security architecture, along with our encryption methods, and verified that they fully meet the GDPR requirements.
We also made sure all our business partners are GDPR-compliant. Our vendors and other partners have been tested for compliance with the requirements of GDPR.
VerusMedia’s programmatic platforms facilitate ad buying and selling for demand and supply parties and act as the intermediary, that is, the processor of the personal information provided for targeting.
Therefore, VerusMedia as a data processor and the publisher as a data controller both bear responsibility for handling GDPR-sensitive personal user data. VerusMedia relies on the publishers to obtain consent from the users.
VerusMedia has launched this F.A.Q. page specifically to make our GDPR compliance understandable for the publishers, demand partners, agencies, vendors and partners.
Publishers’ Questions Answered:
Q: Does your current SDK ensure GDPR compliance?
A: No matter which SDK version you are on now, we’ll do our utmost to ensure your GDPR compliance. However, we recommend updating the SDK to make sure your ad serving options are not limited.
Q: What if I need more time to prepare the consent form for my users?
A: You are free to develop the consent form on your own schedule. In the meantime, you can benefit from serving contextual or non-targeted ads on your website. These types of ads do not require user consent.
Q: What kind of personal data will be gathered by the VerusMedia SDK?
A: During the integration procedure, the publisher is free to choose which types of personal data the SDK should gather in their apps. In the majority of cases, publishers opt for data such as IP, Advertising ID, and GPS (geolocation data).
Q: How will VerusMedia deal with mediated ad network bundles and their SDKs?
A: As soon as our mediated partners are ready, we will update the bundles as well.
Q: What will happen if the user declines consent?
A: If users decline consent, they will be shown non-targeted ads.
Q: What ads will be shown to users in case of consent withdrawal?
A: Every publisher should have on-site functionality that enables users to withdraw consent freely and without obstruction. The VerusMedia SDK will classify such instances as withdrawn consents, which means that the geodata, GPS and IP address of such users will be anonymized. The VerusMedia SDK will also flag the partners and networks from which the user has withdrawn consent. Such users will only be shown non-targeted ads.
Q: What are non-targeted ads?
A: Non-targeted ads are ads that are not based on the user’s data, such as IP, geolocation or personal preferences. Non-targeted ads include contextual ads, which take into account the app’s or the website’s content and try to adjust to it. Because these ads are not individually suited to the user, they may result in less revenue for the publisher.
Q: What about the data retention policy of VerusMedia?
A: VerusMedia stores the personal information of users for the time the app or the website is actively used, and for 30 days afterwards for gathering statistics, receiving analysis, and other purposes such as invoicing, dealing with discrepancy or fraud prevention, but for no longer than a 90-day time frame.
Q: How will VerusMedia handle requests for personal data deletion?
A: If your data subjects have provided you with an information deletion request, you need to notify VerusMedia by sending your request in written form, providing the advertising IDs.
In response to such a request, VerusMedia will provide you with a copy of the information about the data subject that is identified and found in VerusMedia’s and the advertiser’s systems, containing the corresponding ID and the confirmation of the data deletion.
Q: What information should be in the data deletion request?
A: VerusMedia needs the following details in order to execute the data deletion request of your data subject:
1) The date when the request was made by the data subject.
2) The official advertising ID of your data subject (IDFA, AAID), the ID of the device from which the request was made, in UUID format.
3) The ID of the application on the store, or the name of the app or the website from which the request was obtained.
Demand Partners’ Questions Answered:
Q: How does VerusMedia deal with consent when it comes to buyers?
A: VerusMedia uses the IAB’s GDPR extensions for programmatic exchanges in order to commit to the standards.
Q: Will the new GDPR standards mean demand partners will see a reduction in traffic?
A: No, traffic is expected to remain at the same level, but bid requests will now contain flags which anonymize the data according to the new GDPR standards.
Q: Is the advertising ID modified according to the bid request?
A: No, for all bid requests the advertising ID stays the same. IDFAs and GAIDs will be contained in the bid requests.
Q: What happens with requests from users under 16 years old?
A: VerusMedia anonymizes personal data that belongs to users under 16 years old irrespective of their location. The information of such users will not be processed, no matter whether they are EEA or non-EEA residents.
Q: What should be done if the RTB specs can’t be supported?
A: Demand-side partners may obtain non-targeted inventory if their integration has not yet been updated. That’s why VerusMedia highly recommends adopting the new RTB specifications and adhering to them. VerusMedia will ensure full support and GDPR compliance of the specification.
Q: What if I’m a non-EU-based demand partner?
A: GDPR standards extend to companies globally, meaning that every entity, EU-based or not, must adhere to the standards if it collects, stores or processes personal data that belongs to EU residents. If you did not bid on any EU-based impressions through the VerusMedia programmatic ad platform and did not purchase any inventory, you can ignore personal data deletion or data access requests from VerusMedia.
Q: What is the procedure of data deletion?
A: If VerusMedia sends a request for data deletion, the email list will specify all advertising IDs whose information should be deleted. Personal information in this regard refers to identifiable personal data that belongs to the data subject. Such data includes a name, an ID, geodata, and any physical, cultural or social information that identifies the data subject (see GDPR, Article 4). If you were issued with a data deletion request, please make sure you erase the data within 10 days. VerusMedia will forward the confirmation to the Publisher, and the Publisher to the data subject.