On May 25, 2018, the EU General Data Protection Regulation, or GDPR, will take effect. The GDPR is groundbreaking legislation in the European Union and has a very broad reach, applying to EU-directed websites and other third parties who engage in the monitoring and targeting of end users of those websites.
We at LiveIntent have been preparing intently for the GDPR, and have produced this white paper to let you know how we enable our partners—publishers, advertisers, agencies, and others—to comply with the GDPR. In this white paper, we will highlight and focus on the following topics:
- What is the GDPR, and when does it apply? Some of our partners may be covered, and others might not. Either way, we are flexible and able to support your needs.
- What is LiveIntent’s role under the GDPR? The GDPR covers different categories of entities known as controllers and processors. We will describe LiveIntent’s role as a processor under the GDPR.
- How does LiveIntent support our partners’ GDPR compliance efforts? In this section, we will discuss the steps we have taken to support our partners’ GDPR compliance efforts.
What is the GDPR, and when does it apply?
The GDPR is a comprehensive information privacy law that was enacted by the European Union in 2016, with an effective date of May 25, 2018. It replaced the existing Data Protection Directive, originally adopted in 1995, which required each EU Member State to adopt laws consistent with the Directive. The Regulation, by contrast, applies equally as written to each EU Member State.
At its core, the GDPR applies to the “processing” of “personal data” in relation to EU individuals. We address these two terms below:
- “Personal data” is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” GDPR Art. 4(1). By this definition, unique cookie identifiers and IP addresses can be considered “personal data.”
- “Processing” is defined as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” GDPR Art. 4(2). Essentially, any usage of personal data is considered “processing.”
The GDPR, of course, is a European law. It therefore does not apply to all online “processing” of “personal data.” Where an entity such as a website is located outside of the EU, it can only be subject to the GDPR if, under GDPR Art. 3(2), it involves the processing of personal data of data subjects who are in the EU related to either:
- the offering of goods or services, irrespective of whether payment is required, to such data subjects in the Union; or
- the monitoring of their behavior as far as their behavior takes place within the EU.
LiveIntent acts as a service provider to our partners and makes available technology that our partners deploy to help facilitate their online advertising solutions. Because the test for GDPR compliance relies on whether our business partners offer EU-directed services, we are reliant on our partners to let us know when the GDPR applies to them, so we can help you comply with your GDPR obligations, as described later in this white paper.
What is LiveIntent’s role under the GDPR?
The GDPR distinguishes between two different types of entities, controllers and processors, each of which has a distinct set of obligations under the law.
- A “controller” is a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by [EU] or Member State law, the controller or the specific criteria for its nomination may be provided for by [EU] or Member State law.” GDPR Art. 4(7).
- A “processor” is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” GDPR Art. 4(8).
LiveIntent occupies the role of a processor under the GDPR, because LiveIntent processes the data it collects through its technology solely on behalf of our customers without the right to define our own processing purposes. For example, we will process data received or generated via a campaign only for our customers’ purposes; LiveIntent does not own any of this data.
In addition, LiveIntent maintains an Identity Graph, a database that stores the known identifiers that correlate to our customers’ end users. LiveIntent stores identifiers in its Identity Graph solely for the purposes of our customers, and thus is a processor of this data as well. Customers contribute identifiers to the LiveIntent Identity Graph in order to benefit from the identifiers added by other customers to the Identity Graph.
Customers at all times remain in control of the personal data processed on their behalf by LiveIntent.
How does LiveIntent support our partners’ GDPR compliance efforts?
We take our partners’ privacy compliance obligations seriously. To that end, we have taken steps to support our partners’ GDPR compliance efforts, to the extent that our partners are subject to the GDPR.
The primary way in which we do this is by offering a GDPR Data Protection Addendum to our customers who may be subject to the GDPR. As mentioned above, we are reliant on our customers to indicate whether or not their website or newsletter processes personal data in a manner subject to the GDPR. If you indicate to us that you are not subject to the GDPR, then we will provide our standard services to you as usual. If you indicate to us that you are subject to the GDPR, then we will provide to you our GDPR Data Protection Addendum, which incorporates provisions that Article 28 of the GDPR requires controllers to include in their agreements with processors.
Our GDPR Data Protection Addendum contains key provisions memorializing our processor relationship with our customers. For example, we commit to processing any personal data collected through the services only on our customers’ behalf, and in accordance with our customers’ instructions. We agree to assist our customers in undertaking data protection impact assessments, and in complying with data subject rights requests under the GDPR. We agree to delete or return any personal data at the end of the agreement.
We also note that as controllers (or in acting on behalf of controllers), our customers will have other obligations in relation to LiveIntent’s processing of their personal data. For example, controllers are required to provide a privacy notice to end users containing information about the processing of their personal data, which should include information about the purposes for which LiveIntent processes personal data on your behalf. In addition, LiveIntent’s technology is dependent on our customers’ use and incorporation of cookies and HTML tags into their websites and email newsletters. Because our customers have the direct relationship with their end users, they are responsible for obtaining any consent required from their end users to place the cookies and HTML tags that LiveIntent uses to provide our service. For more information about your obligations to provide notice and obtain consent under the GDPR, we recommend that you check with your own GDPR counsel or consultant.