General Data Protection Regulation (GDPR) is a new set of regulations that is coming into force in Europe on May 25, 2018. It seeks to harmonize and strengthen data protection for individuals across Europe. If you serve ads, track users or personalise content in any way, GDPR affects you. GDPR applies to all publishers who serve European users, not just to publishers based in Europe.
Both publishers and ad vendors are responsible for GDPR compliance. You can be fined up to 20M Euros or 4% of global revenue for non-compliance.

Clickio is committed to fully comply with GDPR.
Learn more about our approach.
How is GDPR different from previous European data protection laws?
GDPR expands the definition of personal data, which now includes IP addresses, cookies, mobile ad IDs and more.
The GDPR is extra-territorial. It applies to all companies processing the personal data of EEA users, regardless of the company's location. For example, a website based in Brazil that shows personalised ads or content to users from Portugal must comply with GDPR.
The GDPR sets a higher standard for user consent. It requires consent to be "specific, informed, unambiguous, active and freely given." Consent must be easily withdrawn at any time.
GDPR introduces stiff fines for non-compliance, up to 20M Euros or 4% of global revenue. Everyone in the supply chain, from publishers to ad exchanges to DSPs might be liable. This means that ad exchanges would closely monitor the way publishers comply with the regulation and with the consent requirements.
What does GDPR mean for publishers?
Probably the single biggest change is the obligation for publishers to get consent from EEA users before processing their personal data and showing personalised ads.

Most major ad exchanges will require publishers to do so after May 25. For example, Google presented an updated EU user consent policy that sets out the following obligations.

You must obtain end users' legally valid consent to:
  • the use of cookies or other local storage where legally required; and
  • the collection, sharing, and use of personal data for personalization of ads or other services.

When seeking consent you must:
  • retain records of consent given by end users; and
  • provide end users with clear instructions for revocation of consent.

You must clearly identify each party that may collect, receive, or use end users' personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party's use of end users' personal data.
To help publishers comply with the GDPR obligations, we developed a simple but comprehensive User Consent Tool that supports a number of approaches to user experience and consent.
Disclaimer: The information provided on this page is not intended to be legal advice or a comprehensive description of GDPR.