
[Webinar] The TL;DR on GDPR, Plus Your Follow-up Questions Answered

Ben Golden

To celebrate the 30-day countdown to the enforcement date for the General Data Protection Regulation, TUNE hosted a webinar on April 25th about how marketers are preparing for GDPR. We were joined by Lieke den Ouden, Strategic Project Manager at AppLift, and Meredith Halama, Privacy & Security Partner at Perkins Coie LLP. The topic was popular — so popular that our webinar software capped out the maximum number of registrants!

The TL;DR on GDPR: How Marketers Are Preparing Webinar

Check out the original conversation in the free recorded webinar, where we answered these 22 questions on GDPR. But our participants wanted more, so we’ve consolidated your top unanswered questions and answered them below. Enjoy!



Tightened data privacy rules through the European Union’s General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. Non-compliance could cost you millions. Are you ready?



(By the way — annoying disclaimer — the below should not be construed as legal advice. If you have specific questions about application of the GDPR or your company’s responsibilities under the regulation, please consult with your company’s attorney.)

Question: GDPR asks companies to engage in privacy by design and privacy by default. Huh?

Answer: Under the GDPR, companies have a general obligation to integrate reasonable technical and organizational measures into their processing activities. The GDPR specifically calls out privacy by design and privacy by default as new legal requirements.

Privacy by design is the concept that a company should consider privacy during all design stages of a project and throughout the lifecycle of data processing, taking into account the nature, purposes, context, and scope of processing and its implications.

Privacy by default means that technical systems and services default to privacy-centric settings whenever an end user may have choices about the processing of their personal data, and that such data is only kept for as long as necessary to provide the product or service. Embedding these principles into your engineering and product team’s workflows is a great way to build privacy awareness and prevent unintentional data storage.

Q: Think of the children! How does GDPR address advertising to minors?

A: While the U.S. previously led the way with COPPA, GDPR includes similar digital privacy rules for minors. Our friends at IAPP have provided a nice comparison of COPPA and GDPR guidance for handling children’s data, which is known as GDPR-K. In summary, GDPR-K requires all publishers with a potential audience of kids to require parental consent and to only carry out contextual advertising, rather than behavioral targeting or profiling.

In addition, GDPR-K allows each EU member state to determine its own age threshold for a child, between 13 and 16 years old. COPPA defines a child as under 13 years old, but Germany, the Netherlands, and France have already stated that their age threshold will be 16 years old. Here’s a summary of one developer’s quest to make apps GDPR-K compliant.

Q: What’s the deal with cookies and GDPR?  

A: Between the GDPR and the upcoming ePrivacy Regulation, prepare for changes to the way cookies may be tracked. When cookies can identify an individual via their device, they are considered personal data in the eyes of the GDPR. Organizations will need to either stop collecting the offending cookies or have a lawful reason to collect and process this data.

Similarly, organizations will also need to obtain legal consent from their end users in order to collect and process data received from cookies. The simple warning box found on websites that basically states “This site uses cookies” will no longer be sufficient. Consent must be given through a clear affirmative action, e.g. checking a box. Check out Bozho’s Tech Blog for a deeper explanation on tracking cookies and GDPR.

Q: How is GDPR going to impact lead generation forms?

A: When you obtain consent to process personal data, make sure it’s requested for specific, explicit, and legitimate purposes. This means you should err toward granularity in describing how you will use that personal data; for lead generation, that may mean asking for multiple checkboxes if you’ll use information for different purposes.

It’s OK to incentivize consent for marketing purposes (e.g., “You can only download this whitepaper if you consent to electronic marketing by us”), but future marketing efforts need to include opt-out rights. This blog from Econsultancy goes into greater depth on this subject.

Q: I understand that TUNE is a data processor, and it is the data controllers who have the obligation to obtain consents from data subjects. But where can I learn more about what TUNE is doing to prepare for GDPR?

A: Glad you asked! Across our product portfolio, TUNE operates as a processor of personal data, and seeks to establish transparent, privacy-centric relationships with our data controller clients and partners. We host a GDPR information page and sent the following information to our partners and clients a few weeks ago.

Product Updates

As previously announced, HasOffers will implement 25-month rolling retention for log-level reporting. HasOffers clients may also opt in to real-time IP obfuscation and unique Device ID blanking for all EU countries, which will otherwise be retained for 120 days. Additional GDPR-related HasOffers product details are available here.

Attribution Analytics, the centerpiece of the TUNE Marketing Console (TMC), will also apply 25-month rolling retention windows for log-level records unless we have otherwise agreed to a separate retention policy with you. Details on how to export historical data from the TMC are available here.

Contractual Updates

We now offer Data Processing Agreements for all TUNE clients and partners that process personal data in the EU. Related GDPR Addenda are available here. Additional FAQs describing Data Processing Agreements with TUNE are available as a PDF download here. The GDPR Addendum will not be applicable if you have agreed to a separate data processing agreement with TUNE.

Learn More

TUNE provides additional guidance to end users at optoutmobile.com. See also additional background on how we secure data in TMC and HasOffers, as well as updated privacy policies for TMC, HasOffers, and our corporate website. Industry best practices in security and data protection will be shared here.

You can find the EU’s list of GDPR FAQs here.

Even if you are not based in the EU, we encourage you to evaluate your data privacy practices and determine appropriate actions. Compliance under GDPR is a shared responsibility, so please don’t hesitate to reach out if you have questions.


Author
Ben Golden

As General Counsel, Ben Golden helps TUNE solve problems, manage risk, and lay the foundation for continued growth. Prior to joining TUNE, Ben was an attorney at Perkins Coie, served on the University of Washington's Board of Regents, managed a state legislative campaign, researched in Ghana on behalf of a start-up social enterprise, split an apple strudel with Kofi Annan while working at a think tank in Salzburg, and lectured on Pink Floyd lyrics as an English teacher in Taiwan. As a Double Dawg and proud Seattleite, Ben is thrilled with TUNE's industry leadership and community engagement.