General Data Protection Regulation (GDPR) is a new set of regulations that is coming into force in Europe on May 25, 2018. It seeks to harmonize and strengthen data protection for individuals across Europe. If you serve ads, track users or personalise content in any way, GDPR affects you. GDPR applies to all publishers who serve European users, not just to publishers based in Europe.
Both publishers and ad vendors are responsible for GDPR compliance. You can be fined up to 20M Euros or 4% of global revenue for non-compliance.

Clickio is committed to fully comply with GDPR.
Learn more about our approach.
How is GDPR different from previous European data protection laws?
GDPR expands the definition of personal data, which now includes IP addresses, cookies, mobile ad IDs and more.
The GDPR is extra-territorial. It applies to all companies processing the personal data of EEA users, regardless of the company's location. For example, a website based in Brazil that shows personalised ads or content to users from Portugal must comply with GDPR.
The GDPR sets a higher standard for user consent. It requires consent to be "specific, informed, unambiguous, active and freely given." Consent must be easily withdrawn at any time.
GDPR introduces stiff fines for non-compliance, up to 20M Euros or 4% of global revenue. Everyone in the supply chain, from publishers to ad exchanges to DSPs might be liable. This means that ad exchanges would closely monitor the way publishers comply with the regulation and with the consent requirements.
What does GDPR mean for publishers?
Probably the single biggest change is the obligation for publishers to get consent from EEA users before processing their personal data and showing personalised ads.

Most major ad exchanges will require publishers to do so after May 25. For example, Google presented an updated EU user consent policy that sets out the following obligations.

You must obtain end users' legally valid consent to:
  • the use of cookies or other local storage where legally required; and
  • the collection, sharing, and use of personal data for personalization of ads or other services.

When seeking consent you must:
  • retain records of consent given by end users; and
  • provide end users with clear instructions for revocation of consent.

You must clearly identify each party that may collect, receive, or use end users' personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party's use of end users' personal data.
How should publishers gather consent? How should the user interface look like?
Cookiechoices.org, site by Google. "Here's a message that might be appropriate for your website, if you use products like Google AdSense or similar products from other organisations. Just remember, you'll need to adjust this to suit your own choice of vendors, uses of cookies and other information."
It is currently unclear what the industry standard for consent UI would be. However, Google has shared its guidance at Cookiechoices.org.

The first pop-up of this reference design gives a general disclosure and asks for users consent. The user can click on the link and get more details, including the full list of all partners who might have access to data.

If the user agrees, personalised ads can be served.

If the user declines, the second window is shown, informing that the ads will still be on the site, but they will not be personalised. This warning language also states that cookies will still be used on the site. This is similar to the old "cookie notification" banner, which does not require opt-in consent.

Clickio has developed a simple GDPR Consent Tool for publishers based on this reference design. It is currently live and available free of charge for all our publishers.
How will Clickio ad tags handle consent? How to pass consent status?
In order to help publishers comply with GDPR, Clickio tags would not serve personalised ads to EEA users unless there is a consent confirmation.

If you are using Clickio Consent Tool, you don't need to worry about passing consent to Clickio codes, as it happens seamlessly. Personalised ads will be automatically shown to users who agree to data collection.

If you are using another consent tool, you would need to send a consent signal to Clickio tags. Please check our technical documentation for details. Our ad ops specialists are happy to help you with the integration.

If you a using an IAB CMP tool to gather consent, please write to gdpr@clickio.com or contact your account manager to receive integration instructions.
Disclaimer: The information provided on this page is not intended to be legal advice or a comprehensive description of GDPR.