Guide to Privacy and Compliance in Programmatic Advertising for SSPs in 2024

Oleksii Sakhno

As we step into 2024, the programmatic ecosystem is witnessing heightened scrutiny from regulatory bodies and an increasing demand for transparency. SSPs find themselves at the epicenter of this paradigm shift, requiring a thorough understanding of privacy rules. 

Different jurisdictions are implementing stringent regulations to safeguard user data. SSPs must be well-versed in the nuances of these regulations, such as the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, and other region-specific mandates. A failure to comply with these regulations not only poses legal risks but can also lead to reputational damage.

This guide aims to equip SSPs with the knowledge and strategies necessary to be compliant in this dynamic environment.

1. EU General Data Protection Regulation (GDPR)

The European Union, through the GDPR, the ePrivacy rules and subsequent guidance from data protection authorities, has taken a strong stance against intrusive tracking practices such as using cookies and other device identifiers for targeted advertising without valid consent.

What is it?

The General Data Protection Regulation (GDPR) is a European Union law that sets strict rules for how organizations can collect, use, and store personal data. This includes data of people living in the EU, even if the organization itself is not located there.

Why is it important?

  • High fines: The GDPR can impose fines on companies for especially severe violations, up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher (Art. 83(5) GDPR).
  • Increased user awareness: People are more aware of their data privacy rights and expect organizations to handle their information responsibly.
  • Regulatory compliance: Demonstrating GDPR compliance builds trust and is obligatory.

Key points to understand:

  • There are principles organizations must follow when processing personal data, such as lawfulness, fairness, and transparency.
  • Organizations must be able to demonstrate they are compliant with the GDPR.
  • Organizations must implement appropriate technical and organizational measures to protect personal data.
  • Organizations must have a lawful basis (Art. 6 GDPR) for every processing activity. Consent is only one of six bases, but for behavioural advertising it is in practice the required one: storing or reading identifiers on a user's device (cookies, mobile advertising IDs) needs consent under the ePrivacy rules, and the EDPB and national authorities have repeatedly held that legitimate interest does not cover ad tracking. Consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as to give.
  • Individuals have a number of rights under the GDPR, such as the right to access, rectify, erase, and restrict the processing of their personal data.

What should SSPs do?

  • Assess their GDPR compliance: Determine what personal data they collect, how they use it, and where it is stored.
  • Develop a data protection strategy: Identify the steps needed to comply with the GDPR.
  • Implement technical and organizational measures: Protect personal data from unauthorized access, use, disclosure, alteration, or destruction.
  • Train staff: Ensure employees understand the GDPR and their responsibilities.
  • Appoint a Data Protection Officer (DPO): mandatory under Art. 37 where core activities involve regular and systematic monitoring of data subjects on a large scale, which behavioural ad tracking typically is.
  • Seek legal advice: Consult with a lawyer to ensure your understanding and compliance.

Resources:

Full text of the GDPR, searchable by article (unofficial site): https://gdpr-info.eu/

The European Commission's GDPR portal: https://commission.europa.eu/law/law-topic/data-protection/reform_en 

The UK Information Commissioner's Office (regulator for the UK GDPR, which applies separately since Brexit): https://ico.org.uk/


2. US California Consumer Privacy Act (CCPA)

The CCPA regulations require businesses to treat a user-enabled global privacy control (an opt-out preference signal such as Global Privacy Control, sent by a browser, a browser extension or a device setting) as a valid request to opt out of the sale or sharing of personal information, without any further action by the user.

What is it?

The California Consumer Privacy Act (CCPA) is a law that grants California residents control over their personal information collected by businesses. It gives them the right to:

  • Know what personal information businesses collect about them and how it is used and shared.
  • Request that businesses delete their personal information.
  • Stop businesses from selling or sharing their personal information.
  • Request that businesses correct inaccurate personal information.
  • Limit businesses' use and disclosure of their sensitive personal information.
  • Not be discriminated against for exercising these rights.

Who does it apply to?

A for-profit business that does business in California and collects Californians' personal information, data brokers included, is subject to the CCPA if it meets any one of these thresholds (as amended by the CPRA, in force since 1 January 2023):

  • Annual gross revenues above $25 million (adjusted periodically for inflation).
  • Buys, sells, or shares the personal information of 100,000 or more California consumers or households per year.
  • Derives 50% or more of its annual revenue from selling or sharing California consumers' personal information.

Note: the CCPA reaches outside the United States. It applies to any business that does business in California and meets one of the thresholds above, regardless of where that business is incorporated or hosts its servers; an SSP handling Californian traffic from Europe is in scope.

What are businesses' responsibilities?

Businesses must respond to consumer requests (within 45 days, extendable once by a further 45), provide privacy notices and a "Do Not Sell or Share My Personal Information" opt-out mechanism (honouring opt-out preference signals is mandatory either way), and implement reasonable security measures for the personal information they hold.
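The opt-out preference signal described at the top of this section and the consent checks from the GDPR section are the two things an SSP has to evaluate on every ad request before it forwards the request to buyers. The following is an added example, not the page's or any vendor's code, of such a request gate in Python: it reads the `Sec-GPC` header that Global Privacy Control sends, parses the IAB US Privacy string, checks the GDPR flag and the presence of a consent string, and strips the identifiers and targeting data the resulting decision forbids. The OpenRTB field names (`regs.ext.gdpr`, `regs.ext.us_privacy`, `user.ext.consent`, `user.buyeruid`, `device.ifa`) are the conventional ones but are assumptions here, and the request objects are constructed samples.

```python
import copy
from dataclasses import dataclass, field


@dataclass
class Decision:
    """What the SSP may still do with this request after reading its privacy signals."""
    sale_or_share_allowed: bool = True   # may user/device identifiers go to buyers?
    personalised_allowed: bool = True    # may targeting data (segments, precise geo) go?
    reasons: list = field(default_factory=list)


def parse_us_privacy(value):
    """Parse an IAB US Privacy string such as "1YNN".

    Layout: version '1', then explicit notice, opt-out of sale, LSPA coverage,
    each 'Y', 'N' or '-' (not applicable). Returns None when malformed.
    """
    if not isinstance(value, str):
        return None
    value = value.strip()
    if len(value) != 4 or value[0] != "1" or any(c not in "YN-" for c in value[1:]):
        return None
    return {"notice": value[1], "opt_out_sale": value[2], "lspa": value[3]}


def gpc_set(headers):
    """True only when a Sec-GPC header carries the exact value "1".

    Header names are case-insensitive; any other value is not an opt-out.
    """
    return any(k.lower() == "sec-gpc" and v.strip() == "1" for k, v in headers.items())


def evaluate(headers, bid_request):
    """Derive a Decision from the HTTP headers and an OpenRTB-style request dict (assumed field names)."""
    regs_ext = bid_request.get("regs", {}).get("ext", {})
    user_ext = bid_request.get("user", {}).get("ext", {})
    d = Decision()

    # GDPR: if the publisher flags it as applicable, personalised processing needs a
    # consent string. Presence only; decoding its purpose bits needs a TC string parser.
    if regs_ext.get("gdpr") == 1 and not user_ext.get("consent"):
        d.personalised_allowed = False
        d.reasons.append("gdpr=1 without a consent string")

    # CCPA via the US Privacy string. An unparseable string fails closed.
    raw_usp = regs_ext.get("us_privacy")
    usp = parse_us_privacy(raw_usp)
    if raw_usp is not None and usp is None:
        d.sale_or_share_allowed = False
        d.reasons.append("malformed us_privacy, failing closed")
    elif usp and usp["opt_out_sale"] == "Y":
        d.sale_or_share_allowed = False
        d.reasons.append("us_privacy opt-out of sale")

    # CCPA via the browser signal. It is honoured even when the string says 'N':
    # the signal is the consumer's current choice, the string may be stale.
    if gpc_set(headers):
        d.sale_or_share_allowed = False
        d.reasons.append("Sec-GPC: 1")
    return d


def minimise(bid_request, decision):
    """Return a copy of the request without the data the decision forbids.

    The regulatory signals themselves (regs, user.ext.consent) are kept so that
    buyers receive them too.
    """
    req = copy.deepcopy(bid_request)
    user = req.setdefault("user", {})
    if not decision.sale_or_share_allowed:
        for key in ("id", "buyeruid", "eids"):
            user.pop(key, None)
        req.get("device", {}).pop("ifa", None)
    if not decision.personalised_allowed:
        user.pop("data", None)
        for obj in (req.get("device", {}), user):
            for key in ("lat", "lon", "zip"):
                obj.get("geo", {}).pop(key, None)
    return req


# Constructed sample request: a Californian user whose stored string says "not opted out".
SAMPLE_REQUEST = {
    "id": "req-1",
    "regs": {"ext": {"gdpr": 0, "us_privacy": "1YNN"}},
    "user": {"id": "u-123", "buyeruid": "dsp-456",
             "data": [{"segment": [{"id": "auto-intender"}]}]},
    "device": {"ifa": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
               "geo": {"lat": 37.7749, "lon": -122.4194, "country": "USA"}},
}

if __name__ == "__main__":
    decision = evaluate({"Sec-GPC": "1"}, SAMPLE_REQUEST)
    print(decision)
    print(minimise(SAMPLE_REQUEST, decision))
```

Two design choices matter here. The gate fails closed: a malformed US Privacy string is treated as an opt-out rather than ignored, and a GPC signal overrides a stored string that still says "N", since the browser signal is the consumer's current choice. And the signals are stripped from nothing: `regs` and `user.ext.consent` stay in the outbound request so that every DSP downstream sees the same obligations the SSP acted on.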

Resources:

California Privacy Protection Agency (the CCPA regulator): https://cppa.ca.gov/

California Attorney General's CCPA page: https://oag.ca.gov/privacy/ccpa

3. Around the world

Beyond the prominent regulations like GDPR and CCPA, numerous other privacy and compliance frameworks impact programmatic advertising globally. 

Brazil:

  • Lei Geral de Proteção de Dados (LGPD): Similar to GDPR, LGPD grants individuals in Brazil control over their personal data and imposes strict obligations on businesses processing it. In force since September 2020 (with administrative sanctions applicable from August 2021), it requires a lawful basis such as consent, grants data access and deletion rights, and requires security measures.

India:

  • Digital Personal Data Protection Act, 2023 (DPDP Act): Enacted in August 2023, replacing the earlier Personal Data Protection Bill, this law resembles GDPR in its focus on data protection and user rights. It regulates the collection, processing, and storage of digital personal data by businesses, including those involved in programmatic advertising. Its provisions take effect on dates notified by the government, and at the time of writing the implementing rules were still pending, so its practical impact on Indian data practices is still to come.

China:

  • Personal Information Protection Law (PIPL): Effective since November 2021, the PIPL establishes a national framework for personal data protection in China. It grants individuals similar rights as GDPR and CCPA, but with additional restrictions on cross-border data transfers. Advertisers targeting Chinese audiences must comply with these regulations and ensure data localization where applicable.

Japan:

  • Act on the Protection of Personal Information (APPI): This law requires businesses to obtain consent for collecting and using personal data and to implement security measures. The revised APPI, effective April 2022, introduced stricter rules on cross-border data transfers, mandatory breach reporting, and the processing of sensitive information.

Singapore:

  • Personal Data Protection Act (PDPA): This law grants individuals control over their personal data and requires businesses to obtain consent before collecting and using it. It does not require data localisation, but it imposes a transfer limitation obligation: personal data may only be transferred out of Singapore where the recipient is bound to a standard of protection comparable to the PDPA.

Turkey:

  • Law on the Protection of Personal Data (KVKK, Law No. 6698): Similar to GDPR, KVKK grants individuals in Turkey control over their personal data and requires businesses to obtain consent, provide data access and deletion rights, and implement security measures.


Additional Regulations:

  • ePrivacy Directive and proposed ePrivacy Regulation (ePR): The ePrivacy Directive (2002/58/EC) is already in force and is the basis of the EU cookie-consent rules; its Art. 5(3) requires consent before storing or reading information on a user's device unless that is strictly necessary for a service the user requested. The ePrivacy Regulation that was meant to replace it has not been adopted and is not in effect, so the Directive (as transposed into national law) together with the GDPR governs online tracking today.
  • Children's Online Privacy Protection Act (COPPA): This US law establishes rules for collecting and using personal information from children under 13. It requires verifiable parental consent and imposes limitations on data sharing and marketing practices.
  • IAB Europe Transparency & Consent Framework (TCF): Not a law but the industry standard for passing consent and legitimate-interest signals through the supply chain. A consent management platform encodes the user's choices per purpose and per vendor into a TC string that travels with the bid request; SSPs and DSPs are expected to read it and process data only for the purposes, and only if they are among the vendors, that it permits.

Impact on Advertisers, Publishers, Providers

Publishers: Need to implement alternative targeting solutions and diversify revenue streams.

Advertisers: Have to adapt their targeting strategies and prioritize user-centric, contextual advertising approaches.

Providers (SSPs, DSPs, Ad Exchanges): Must develop innovative solutions that respect user privacy while enabling effective advertising.

Navigating the complex landscape of privacy regulations in programmatic advertising requires continuous adaptation and vigilance. By understanding and complying with relevant regulations, programmatic participants can ensure user trust, protect personal data, and thrive in the digital advertising ecosystem.
