On May 25, 2018, The General Data Protection Regulation came into effect. This legislation replaced previously adopted Data Protection Agreement (1995). The purpose of the regulation is strengthening the personal data safety and providing the user with more control over their personal data management.
GDPR & SmartyAds
Same way, we fine-tuned all our internal processes and procedures related to operational safety. We reviewed and modernized our entire security architecture, along with encryption methods, and verified that they fully meet the GDPR requirements.
We also made sure all our business partners are GDPR-compliant. Our vendors and other partners have been tested for compliance with the requirements of GDPR.
SmartyAds programmatic platforms facilitate the ad buying and selling for demand and supply parties and represent the intermediary, the processor of the personal information provided for targeting.
Therefore, SmartyAds as a data processor and the publisher as a data controller do bear the responsibility for handling GDPR-sensitive personal user data. SmartyAds relies on the publishers to obtain consent from the users.
SmartyAds has launched this F.A.Q page specifically to make our GDPR compliance understandable for the publishers, demand partners, agencies, vendors and partners.
Publishers’ questions answered
Q: I have previously signed the Data Protection Agreement, do I need the new SDK?
A: No matter which SDK version you are on now, we’ll make the utmost to ensure your GDPR compliance, however, we recommend to update the SDK in order to make sure your ad serving options are not limited.
Q: What if I need more time to prepare the consent form for my users?
A: You are free to manage your time for the consent form development individually but meanwhile you can benefit from serving contextual or non-targeted ads on your website. These types of ads do not require the user consent.
Q: What kind of personal data will be gathered by SmartyAds SDK?
A: During the integration procedure the publisher is free to choose which type of the personal data should be gathered by SDK in their apps. In the majority of cases, the publishers opt for such data as IP, Advertising ID, and GPS (geolocation data).
Q: How will SmartyAds deal with mediated ad networks bundles and their SDKs?
A: As soon as our mediated partners are ready, we will update the bundles as well.
Q: What will happen in case the user declines the consent?
A: In case the users decline the consent they will be shown non-targeted ads.
Q: What ads will be shown to users in case of consent withdrawal?
A: Every publisher should have on-site functionality that enables the users to withdraw a consent freely and unobstructedly. The SDK that belongs to the SmartyAds will classify such instances as withdrawn consents which means that geodata, GPS, IP address of such users will be anonymized. SmartyAds SDK will also flag the partners and networks the user has withdrawn the consent from. Such users will only be shown non-targeted ads.
Q: What are non-targeted ads?
A: The non-targeted ads are the ads that are not based on the user’s data, such as IP, geolocation or personal preferences. The non-targeted ads include contextual ads which take into account the app’s or the website’s content and try to adjust to it. Due to the fact, that these ads are not individually suited to the user they may result in lesser revenue for the publisher.
Q: What about the data retention policy of SmartyAds?
A: SmartyAds stores the personal information of the users for the time the app or the website is actively used and also 30 days after for gathering the statistics, receiving the analysis, and other purposes such as invoicing, dealing with discrepancy or fraud prevention but no longer than 90-day time frame.
Q: How will SmartyAds handle the requests for the personal data deletion?
A: In case your data subjects provided you with an information deletion request, you need to notify SmartyAds by sending your request in the written form, providing the advertising IDs.
In exchange for such request, SmartyAds will provide you with a copy of the information which is identified and found at SmartyAds and advertiser’s system about the data subject, containing corresponding ID and the confirmation of such data deletion.
Q: What information should be in the data deletion request?
A: SmartyAds will have to know the following details in order to execute the data deletion request of your data subject: 1) The date when the request has been made by the data subject 2) Official advertising ID of your data subject (IDFA, AAID), the ID of the device from which the request was made in UUID format 3) The ID of the application on the store, the name of the app or the website from which the request has been obtained.
Demand Partner’s questions answered
Q: How SmartyAds deals with consent when it comes to buyers?
A: SmartyAds uses extensions from IAB’s GDPR when it comes to programmatic exchanges to commit to the standards.
Q: Will the new GDPR standards mean demand partners will witness the traffic reduction?
A: No, the traffic is expected to remain on the same level but the bid requests will now contain the flags which anonymize the data according to new GDPR standards.
Q: Is advertising ID modified according to the bid request?
A: No, for all bid requests the advertising ID stays the same. IDFAs and GAIDs will be containing in the bid requests same way it was before.
Q: What is happening with the requests from users under 16 y.o?
A: SmartyAds anonymizes the personal data that belongs to the users under 16 y.o irrespective of their location, the information of such users will not be processed, no matter if they are EEA or non-EEA residents.
Q: What should be done in case the RTB specs can’t be supported?
A: Demand-side partners may obtain the non-targeted inventory if their integration is still unapdated. That’s why SmartyAds highly recommends to adopt the new RTB specifications and adhere to them, SmartyAds party will ensure the full support and GDPR compliance of specification.
Q: What if I’m non-EU based demand partner?
A: GDPR standards extend to companies globally, meaning that every entity EU or non-EU-based must adhere to the standards in case they collect, store or process the personal data that belongs to the EU residents. In case you did not bid on any EU-based impressions through SmartyAds programmatic ad platform and did not purchase any inventory you can ignore the personal data deletion or data access requests from SmartyAds.
Q: What is a procedure of data deletion?
A: If SmartyAds sends the request for the data deletion, the email list will specify all advertising IDs whose information should be deleted. The personal information in this regard should be referred to identifiable personal data that belongs to the data subject. To such data can be attributed: a name, an ID, geodata, any physical, cultural or social information that identifies the data subject, look up GDPR, Article 4. If you were issued with a data deletion request, please make sure you erase the data within 10 days, SmartyAds will forward the confirmation to the Publisher and Publisher to the data subject.