GDPR: Implementation

Managing Data

In order to protect user privacy and comply with GDPR, Improve Digital takes the role of 'data controller' for the use of 360 Polaris cookies, and 'data processor' for data passed in the ad calls from the content provider. More information about this is available in our Platform Privacy Policy.

If a website user chooses to opt-out of sharing their personal data, and the content provider facilitates the passing of this decision to Improve Digital, specific user information is not stored or processed, in accordance with GDPR. This user data includes:

  • the user matching cookie ID
  • any 'search' keywords included in the ad request string
  • the lowest 8 bits of the IP address
  • mobile device ID

How to be GDPR compliant

The following guide provides information for publishers on how to work with Improve to ensure GDPR compliancy for European traffic.

Step 1 - Choose your grounds for processing user data

As Improve Digital will be GDPR compliant, all publishers should decide on their grounds for processing the personal data of their users. This can be either user consent, or 'legitimate interest'. More information about this is available here.

If user consent is the grounds for processing user data, you will need to implement either the IAB Consent & Transparency or the Improve Digital frameworks.

If your ground of processing user data is 'legitimate interest', please confirm this by mail to us so we can arrange this for you in the Improve platform. This setting will apply to all impressions we receive. You can easily override this setting by implementing the consent mechanism in placement tags as described below.

Step 2 - Implement a consent management platform (CMP)

A CMP is the interface that is implemented on the publisher's sites which allows the user to decide on their choice to share personal data, and facilitates the passing of this information to connected buying partners. The IAB has a list of registered consent management provider vendors here.

 

Step 3 - Implement a consent framework to send consent to Improve Digital

In order to receive consent from a publisher CMP, a framework should be chosen. This defines how consent will be forwarded to demand partners. The IAB Transparency and Consent framework is fast becoming the industry standard.

Option 1 (recommended): IAB Transparency and Consent Framework

This framework has been developed by the IAB and industry partners including Improve Digital. The documentation on how to implement the framework is available from the IAB here:

https://iabtechlab.com/standards/gdpr-transparency-and-consent-framework

The implementation differs depending on the type of Improve Digital product:

  • Display / Smart Tag / Video (VAST) / InApp 'tag in tag'
    Improve cannot support IAB CMP framework for legacy tags without publisher re-tagging their pages. The publisher should pass the consent string to Improve via &GDPR={gdpr}.
  • Dynamic tags
    There are two ways to pass the consent information to our ad server. Both approaches require publisher to insert one line of code on their web page, ideally in the page header before the idpt.createAdSlot is called.
    1. Use idpt.setGdprConsent(value); for passing the consent data directly. Value can be any of 0/1/2 or an IAB consent string. Example implementation is available here.
    2. idpt.lookupIabGdprConsent(timeout); will ask IAB CMP framework to provide consent string (either from a cookie if user already gave the consent or through a UI when user visits the website for the first time or consent expired). Timeout (in milliseconds) will determine how long will be waited for the consent. Example: idpt.lookupIabGdprConsent(5000); will wait 5 seconds to received the consent. If timeout expires the ad server will be called without passing any consent data. Example implementation is available here.

    If for any reason both setGdprConsent and lookupIabGdprConsent are called on the same page, the consent data received from setGdprConsent takes precedence.

    Note: Passing the consent via the addKeyValue() (the "kvw" field hack) is deprecated.

  • Header Bidding
    Publishers should update to the latest versions of Prebid (i.e. versions 1.x and up). There is a new Improve Digital adaptor available here - the code should be amended with our correct vendor ID, 253
    Note: If the publisher is using Prebid version 0.x, there isn’t currently a module for Prebid that supports the IAB framework. Publishers using Prebid 0.x therefore have 2 choices: migrate to Prebid 1.x or use the Improve Digital framework.
  • InApp SDK (Improve Digital)
    The iOS and Android settings for limiting user data are available in the operating systems: Limit Ad Tracking (iOS) and 'Opt-out of interest-based ads' (Android) can be used initially if chosen by the user. The SDK will be updated to allow the consent values to be passed in the ad calls. Publishers will be notified when this is ready for implementation.

Option 2 (an interim solution): Improve Digital Framework

The Improve Digital framework is best used as an interim solution while publishers implement the IAB framework as described above, as the buy side now strongly advocates the IAB framework. Binary values are used to indicate consent and determine how Improve Digital will process the user data.

The framework is implemented on Improve Digital tags as follows:

  • Display / Smart Tag / Video / InApp 'tag in tag'
    Publisher to add '&GDPR={binary value macro}' to the ad tag for each placement tag, for example:

    'http(s)://ad.360yield.com/*?p=1234567&GDPR={binary value macro}'

    Note: Your tag might differ depending on the type, and smart tags will include your publisher ID. The key value setup is the same for these tags.

  • Dynamic tags
    There are two ways to pass the consent information to our ad server. Both approaches require publisher to insert one line of code on their web page, ideally in the page header before the idpt.createAdSlot is called.
    1. Use idpt.setGdprConsent(value); for passing the consent data directly. Value can be any of 0/1/2 or an IAB consent string. Example implementation is available here.
    2. idpt.lookupIabGdprConsent(timeout); will ask IAB CMP framework to provide consent string (either from a cookie if user already gave the consent or through a UI when user visits the website for the first time or consent expired). Timeout (in milliseconds) will determine how long will be waited for the consent. Example: idpt.lookupIabGdprConsent(5000); will wait 5 seconds to received the consent. If timeout expires the ad server will be called without passing any consent data. Example implementation is available here.

    If for any reason both setGdprConsent and lookupIabGdprConsent are called on the same page, the consent data received from setGdprConsent takes precedence.

    Note: Passing the consent via the addKeyValue() (the "kvw" field hack) is deprecated.

  • Header Bidding
    Prebid (both 0.x and 1.x): publishers to set GDPR inside keyValues object in the ad unit configuration for each ad slot. Example: http://hb.360yield.com/gdpr/improvedigital_hb_gdpr_example.html

 

What binary values should be passed into the ad call?

Value

Description

0

The user does not give consent for processing the data.

1

The user gives consent for processing the data.

2

The publisher decides on legitimate interest therefore there is no user input required here.

null

the user is not in a country where GDPR applies.

 

 

Important: If Improve Digital doesn’t receive any consent value from the publisher, either in the tag or through the legitimate consent setting on the Improve platform, the users geo location will be used to determine if consent is required, i.e. the location is covered by GDPR. If consent is required, the user data will not be processed. Improve has a short grace period after 25 May to allow publishers time to fully implement solution; during this time user data will be processed on the grounds of a publisher accepting 'legitimate consent'.

 

Step 4 - Notify Improve Digital of GDPR compliancy

Publishers should inform their Improve account team that the GDPR solution is setup and ready, including which consent management platform (CMP) and framework will be used.

 

Step 5 (for publishers using DFP) - Enable Improve Digital as a Technology Provider

Google's DoubleClick For Publishers providers the Ad Technology Provider Control feature to manage a publisher's partners, which are setup in orders. If a publisher is using DFP as an ad server, in order to continue running Improve Digital tags on European traffic, it is essential to be specified as a provider in this console.

>> Follow the steps here to configure this.

 

Additional considerations

Classic campaigns

Classic campaigns booked in 360 Polaris using third party tags will need to contain the GDPR consent values which are sent from the publisher to Improve in the ad call.

To collect the IAB consent string from the Improve ad call and insert into the creative, you will need to first know from the tag vendor which parameter they expect to be inserted into the tag, and if they support the IAB Framework. If they can support receiving and processing the consent string, add the tag parameter as they instruct, and set the key value to the 360 Polaris macro '{RAW_GDPR}'.

For example:

<script type="text/javascript" src="https://ad.somevendor.com/?ids=12345678&t=js&GDPR={RAW_GDPR}"></script>

In order to comply with GDPR if using the IAB framework, all tags including passbacks should be updated to the above in order to pass the consent string.

Multiple consent values per publisher

For cases where publishers are using 'legitimate interest' as the grounds for processing user data:

  • if the IAB framework is used, the tags will need to be updated as indicated above
  • if the Improve Digital framework is used, publishers can inform their Improve account team and the 'legitimate interest' setting will be activated on the Improve platform. If however the decision is changed, you can inform Improve or add the user consent values to the tags.

If there are sites in the same publisher account where both 'legitimate interest' and user consent will be used, the placement tags should be updated as shown above to pass the consent values.

Further Information

  • Information on the basics of GDPR is available here.
  • FAQs about GDPR are available here.
Was this article helpful?
1 out of 1 found this helpful