The GDPR isn’t the only EU legislation in the area of privacy and data protection. The ePrivacy Directive, which primarily focuses on securing privacy in the telecommunications sector, has a particular provision (Article 5(3)) which requires consent for accessing or storing information on a user’s device - which includes cookies and other devices used by online advertising technology for a variety of purposes (such as audience insights, targeting, ad verification and security). This is why the directive has also often been called ‘the cookie law’.
There are two key ways in which the GDPR and the ePrivacy Directive interact:
As the ePrivacy Directive is an older law, originally entering into force in 2002 and getting an update in 2009, there has been an effort to adopt a newer version: the ePrivacy Regulation. This is still an ongoing process, and if you would like to learn more about IAB Europe’s advocacy efforts on this file you can find more information on our European Digital Policy page.
To help you on your journey and to keep things as simple as possible, here are some concepts and terms you should familiarise yourself with first; these are common in the world of data protection, but their exact meaning and context may be slightly different to what they initially seem.
Laws like the GDPR are designed to protect only personal data, so understanding the definition of personal data is very important. The GDPR deliberately provides a very broad definition of personal data, and as a result the GDPR has a very broad application.
What makes something personal data? It’s not about which types of data are covered, but rather what the data can tell you about an individual. Generally speaking, any type of identifier that is unique to a single individual, such as a tracking cookie identifier used to recognise the same user across multiple websites on the internet, will likely be considered personal data.
This term gets thrown around a lot in the world of data protection law. The term itself refers to almost any action that can be done to personal data - in fact the GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means”.
That includes (but isn’t necessarily limited to): “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. Even removing personal data from your database or servers is considered data processing under the GDPR, and this is why it's important to understand which kinds of data fall within the definition of personal data - if you “have” personal data as a company and use it in the course of business, you are processing it and have to abide by the GDPR’s principles.
‘Data subject’ is the term for an individual whose personal data is processed in a situation falling within the GDPR. They are the ‘subject’ of the data processing carried out. In an online advertising context, they are usually what we would call ‘consumers’, ‘customers’ and ‘internet users’.
Consent and legitimate interests are two types of ‘legal basis’. A legal basis is a justification that is needed under the GDPR in order to process personal data. Without a legal basis, processing personal data of EU residents is illegal; this also applies to any business processing personal data from within the EU, regardless of whether the data is about individuals within the EU.
Consent, as the name suggests, is a legal basis for data processing that relies on individuals giving consent to the company or organisation that wishes to process their personal data. It’s simple enough and straightforward as a concept, but the GDPR specifies four conditions that have to be met before consent can be considered as valid - specific, informed, freely given, and unambiguous.
In the post-GDPR world, many publisher organisations use consent management platforms (“CMPs”) to get consent on behalf of the publisher and its third party advertising partners. Want to learn more? Read our Guidance paper on Consent here.
Legitimate interest is a separate legal basis, which does not require up-front consent and has different conditions: the controller must be able to specify its legitimate interest, the data processing in question has to be necessary to achieve that legitimate interest, and the controller must carry out a balancing test to ascertain whether its data processing is justifiable without the consent of the data subject.
It is important to bear in mind that, while the user’s up-front opt-in isn’t necessary, they must still be provided with granular information up front about the types of data being collected, the purpose of that collection, and which third parties will be receiving this data. If there are investigations or complaints, authorities will also review on a case-by-case basis whether the legitimate interest is valid.
Controllers and Processors
The distinction between Controllers and Processors in data protection law is extremely important because it assigns the ultimate responsibility for ensuring the protection of personal data. Controllers are the parties that determine the purposes, as well as the means, of processing personal data. As some of the CJEU judgments show, this concept is interpreted quite broadly under the GDPR, and for many data processing operations there can be multiple joint controllers, which must assign among themselves the various responsibilities arising from the GDPR.
A processor is an organisation that is engaged by a controller or set of joint controllers in order to do specific tasks with personal data for the controller. Processors therefore do not decide on the means or the purposes of data processing, but carry it out for the controller. This is typically the case where a processor offers a specific service on behalf of the controller, making use of data provided by the controller.