Nitro Blog

GDPR, CCPA, and future privacy law compliance for publishers

The General Data Protection Regulation (GDPR) was a groundbreaking win for privacy advocates and members of the European Union. After arriving in May 2018 the legislation has, among other things, regulated how companies store and transfer personal data.

The month following the GDPR’s implementation saw the California Consumer Privacy Act (CCPA) signed into law. Consequently, these laws forced all levels of the advertising chain to adapt by building new tools and cleaning up their data security.

  • EU users now interface with Consent Management Platforms (CMP) on most sites they visit. CMPs have the information and tools for the user to make informed consent decisions.
  • California users gained the right to stop the sale of their personal data with opt-out links.
  • Advertising networks are reading consent signals from CMPs to determine what they can legally do with the data.
  • Privacy Policies now wax poetic on data collection, handling, transfer, and security practices.

Still, it’s common for us to run into publishers outside of the EU surprised to learn they have GDPR compliance responsibilities. On the flip side, there are publishers in the EU skeptical about the need to support the opt-out functionality for their California users.

Why should I need to comply with foreign privacy laws?

A reasonable question. After all, you probably aren’t doing anything with their data yourself. There are considerations though if those users see third party ads embedded on your site. Under the GDPR, regardless of your physical location in the world, you’re a “Data Controller”.

Ad networks like Google and Amazon use personal data to pick the most relevant ad to show the user. Therefore, they also qualify as data controllers, which comes with increased legal exposure. In the absence of consent, your ad networks will err on the side of caution and serve non-personalized ads, and that’s a serious revenue loss.

All legal issues aside, you should participate in compliance if you expect to monetize those users.

What does GDPR & CCPA compliance look like?

Publishers acting in accordance with the GDPR and the Transparency and Consent Framework (TCF) would;

  • Curate the list of which vendors can run ads;
  • Clearly disclose to the user their rights, the list of vendors, and the purposes for which the vendors process data;
  • Obtain consent from the user to process data;
  • Transparently make available user consent data through a valid TCF v2.0 API;
  • Use a CMP service registered with IAB Europe TCF;

Additionally, publishers following the CCPA would;

  • Show a “Do Not Sell My Personal Information” link to California users on the homepage and in the privacy policy. The link allows the user to directly opt-out, without any barriers like registration.
  • Inform advertisers not to sell the user’s information if they have opted-out.
  • Update their privacy policy with all of the requisite CCPA disclosures.

When you decided to put ads on your website, international privacy laws were probably not one of your first thoughts. Your monetization partner should be well-equipped with the tools and know-how to get you fully compliant.

At NitroPay, we were ready for the GDPR with a built-in CMP for our publishers. This CMP was certified by IAB Europe for TCF v1.1, and re-certified for TCF v2.0. Futhermore, ahead of the CCPA we created an opt-out tool and put out the CCPA compliance guide.

CMP interface for GDPR, visible on
CMP interface, only visible to EU users (source: EDHREC)

As new regulation arrives, we’ve got your back. NitroPay ad technology gets timely compliance updates, and we keep our publishers well-informed. If you’re a publisher looking for a better display and video ad partner, we’d love to hear from you.