Time for an audit: ad tech GDPR compliance
What things should you be evaluating with your vendors?
I’ve sat through multiple GDPR round tables, webinars, and panels over the past few months. I know. Fun, right? Through this I’ve come to these conclusions: these regulations will be enforced, they’re incredibly complex/confusing, and it seems like it’s just another way for lawyers to make more money than all of us (kidding).
Because of the complexity and unfamiliarity of GDPR it’s hard to figure out where to start and how to build a high level auditing plan for your vendors (especially in the user data ocean that is ad tech). Here are some high level things to focusing on when evaluating ad tech vendors compliance with the new regulations/rules:
Unique user identifiers or personal data
You should be looking at every cookie you use, why you use it (multiple use cases?), how long you use it, and who else may be receiving it from you. If you or a vendor/SaaS product you use captures any personal data (eg. IP address, geolocation, address, CC numbers, etc.) you need to identify what those are, who you get that info from, and who in your org has access to that data.
Real user measurement
Many publishers use tools to measure real user experience data such as RUM (New Relic, Soasta/Akamai, etc.)or user reply technology (Fullstory, Logrocket, Tealeaf, etc.). If you use this tech, make sure to find out what unique identifiers they’re capturing.
Viewability measurement
Everyone in the ad tech supply chain is using a viewability tool (Moat, Activeview, etc.). Are any of these tools capturing unique identifiers?
Fraud tech
Are you using any fraud tech to track a users actions on your site? Find out if there’s any sensitive user data there.
Sync requests
This type of request shares data from cookies, loaded in a user’s browser when visiting a site. Although the data is used for ad targeting, it also has lots of data on the specific user. Focus on these types of requests, because this is where many data leaks occur.
Engagement analytics
Are you tracking impressions, view through, or conversions? Of course you are. There are unique identifiers here.
Cross device attribution
Are you tracking users across devices? Vendors need user data in order to capture/track this.
By no means is this a full plan/solution, but it’s a solid starting point. Build a plan, over-communicate with vendors, and get as granular as possible. What else? What are some other things to plan for when preparing for GDPR?
