Why You Should Pay Attention to the GDPR*
FirstScreen Conference
Berlin, June 15, 2016
Saira Nayak, Chief Privacy Officer
*not legal advice
One way to address data protection/privacy in ads...
"The internet is the world's largest tracking machine, and anything that can be tracked, will be tracked, so the only way to deal with it is to: embrace the tracking* and say how do we civilize it... tame it... domesticate it?"
Kevin Kelly, “The Inevitable”
*get over it
Today’s Discussion
1. What is the GDPR? Why should you care?
2. Ad ecosystem under current EU law vs. GDPR
3. US alignment with EU approach
4. Safe Harbor/Privacy Shield update
5. What you should be doing now to get ready.
What’s in a word?
For purposes of this discussion:
Privacy = end user rights around collection, use and sharing of “personal data,” i.e. something that can identify the individual person.
Data = contractual requirements that secure data between companies, or mobile platform requirements, e.g. Apple’s developer guidelines for IDFAs.
Security = practices that companies use to “secure” data; security is often defined in terms of how much the data is de-identified or anonymized.
1. Why we should pay attention to the GDPR
● GDPR = General Data Protection Regulation
● Comes into force: May 2018
● Significantly changes data protection requirements for companies doing business in all 28 EU Member States and the EEA
● Increases obligations on advertisers, and for the first time, includes potential liabilities for networks and publishers too.
● Fines = up to 4% of global revenue
[Image: Isabelle Falque-Pierrotin of the CNIL]
2. Ad ecosystem under current EU law
Publishers
● Typically an advertiser who is interested in monetizing its app traffic
● As a data controller or first party, still holds primary responsibility for data protection & privacy compliance
Ad Network
● Usually classified as a data processor (EU) or third party (US)
● Can be viewed as a data controller if it determines “purpose and means” of the processing...
Advertisers
● Classified as a data controller (EU) or a first party (US)
● As a data controller or first party, holds primary responsibility for data protection & privacy compliance
2. Ad ecosystem under GDPR
Advertisers, Networks and Publishers can be jointly responsible and liable for data protection violations.
2. GDPR: Personal Data
● Personal data has now been expanded to include location data or an online identifier linked to the following: “one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
● Sensitive data (requires opt-in) now includes biometrics, genetics and sexual orientation. How will this impact: advertising, biometrics, internet of things, robotics, wearables?
● Technical identifiers that are “pseudonymized” are exempt from access, data portability and right to be forgotten requirements.
2. GDPR: Profiling & Tracking
Requirements around ad profiles/tracking remain unclear.
● GDPR specifies “unambiguous consent” from end users when collecting personal data (including IP addresses, ad IDs).
● But data processing is OK if it’s in the “legitimate interest” of the data controller OR to further a contract between end user and data controller.
● For now:
○ Upcoming guidance on consent and profiling; UK DPA leading.
○ Industry groups, e.g. IAB UK, are liaising with EU regulators to figure out how GDPR will apply to advertising, mobile, internet of things.
2. GDPR: Other issues to watch
Evidencing Operational Privacy
● Everyone is going to need to demonstrate Accountability through a comprehensive data management program, headed by a data protection officer
New End User Rights
● 72 hour data breach notification
● Right to be forgotten (for personal data that isn’t pseudonymous)
● Data Portability (for personal data that isn’t pseudonymous)
● Children’s privacy law (age by individual country, under 13-16 years)
2. Will EU COPPA follow US rules?
● US COPPA - “verified parental consent” when targeting kids under 13
● Even if you don’t target kids, but think kids are on your app/site, you need an age-gate (cc: Yelp)
● COPPA was the first law in the world to categorize tech IDs, ad IDs and other “persistent identifiers” as “personal data”
Advertisers and Publishers are responsible for COPPA compliance on their apps.
Networks are responsible for COPPA compliance only if they have actual knowledge that they are targeting ads to kids under 13.
3. What’s the FTC focused on nowadays?
Cross Device
Native Advertising
Mobile Platform Security Practices
Transparency, including ad disclosures
Children’s Privacy (COPPA)
3. US-FTC alignment with GDPR position?
Definitely. There’s COPPA. And check out these recent comments and blog post from the FTC’s Jessica Rich:
"Even without a name, you can learn a lot about people if you use a persistent identifier to track their activities over time on a particular device. You also can communicate with them. So what does that mean for the online advertising industry? If you’re collecting persistent identifiers, be careful about making blanket statements to people assuring them that you don’t collect any personal information or that the data you collect is anonymous. And as you assess the risks to the data you collect, consider all your data, not just the data associated with a person’s name or email address."
4. Safe Harbor & Privacy Shield update
● In October 2015, the EU’s Court of Justice declared Safe Harbor “inadequate” for EU to US transfers of personal data.
● Companies are scrambling to get contracts in place to address the gap, e.g. EU model clauses (validity is also in doubt, FB case before ECJ).
● So far, EU and US negotiators haven’t been able to reach a decision on Safe Harbor 2.0 aka “Privacy Shield.”
● At issue: data retention, ability of EU citizens to sue US companies
5. Takeaways?
● Pull together a cross-functional team to figure out how the GDPR applies to your business (legal, engineering, product, marketing, etc.)
● Map your data flows - end user, vendor, HR, etc.
● Then, map your upstream and downstream data relationships. Clients. Vendors. Users. Make sure you are covered on EU obligations.
● Get even more transparent with your privacy policy and consents.
● Consider a certification to evidence Accountability - eDAA, ePrivacy
5. Takeaways
● Get involved with industry groups who can educate EU regulators about how the European ad ecosystem works, and who it benefits.
● Challenge some assumptions?
➔ Does hashing really protect end user privacy?
○ If an ad ID can be reset by the end user, why should we hash an ad ID?
○ If all you have is a dynamic IP address and a digital fingerprint, can you truly identify an end user?
➔ Is end user consent necessary if data collection is needed to deliver, optimize, or revolutionize your app or service?
● Are these issues related to other important things you might be thinking about? Fraud… Ad blockers… Staying in the game.
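The "does hashing really protect end user privacy?" question above is worth making concrete, because the answer decides whether a hashed ad ID counts as "pseudonymized" data or as just another persistent identifier. The following is an added example written for this page, not code from the deck or from TUNE; the controller names, secret keys, ad IDs and events are all constructed. It shows that an unkeyed SHA-256 of an ad ID is a token any party can recompute, so two companies can join their data sets on it; that a keyed per-controller pseudonym (HMAC with a secret only that controller holds) blocks the cross-party join but still groups every event for one device inside that controller; and that under both schemes only a user reset of the ad ID breaks the link. Hashing changes who can recompute the token, not whether tracking happens.

```python
"""Added example (not from the slides): what hashing an advertising ID does and
does not do for end user privacy.

Two pseudonymisation schemes are compared on constructed sample events:
  plain - unkeyed SHA-256 of the ad ID; anyone holding the ad ID computes the
          same token, so two parties can join their data sets on it.
  keyed - HMAC-SHA256 under a per-controller secret; tokens from different
          controllers do not match, so a cross-party join needs the key.
Under both schemes a controller can still link all events for one device, and
only a user reset of the ad ID (a fresh UUID) breaks that link.
"""
import hashlib
import hmac
import secrets
import uuid

# Constructed per-controller secrets. In production they would live in a KMS or
# HSM and would never be shared between controllers.
CONTROLLER_KEYS = {
    "advertiser": secrets.token_bytes(32),
    "ad_network": secrets.token_bytes(32),
}


def pseudonymise(scheme: str, controller: str, ad_id: str) -> str:
    """Return the token `controller` stores in place of the raw ad ID."""
    if scheme == "plain":
        # Unkeyed hash: the result does not depend on who computes it.
        return hashlib.sha256(ad_id.encode()).hexdigest()
    if scheme == "keyed":
        # Keyed hash: the result depends on the controller's own secret.
        key = CONTROLLER_KEYS[controller]
        return hmac.new(key, ad_id.encode(), hashlib.sha256).hexdigest()
    raise ValueError(f"unknown scheme {scheme!r}")


# Constructed ad IDs (real IDFA/GAID values are also UUID-shaped random values).
AD_ID_1 = "7f1c2b9e-3d4a-4c5e-9f10-1a2b3c4d5e6f"
AD_ID_2 = "0a9b8c7d-6e5f-4a3b-8c2d-1e0f9a8b7c6d"
AD_ID_3 = "11111111-2222-4333-8444-555555555555"

# Constructed events as (controller, ad_id, event). Only AD_ID_1 is seen by both.
SAMPLE_EVENTS = [
    ("advertiser", AD_ID_1, "install"),
    ("advertiser", AD_ID_1, "purchase"),
    ("ad_network", AD_ID_1, "click"),
    ("advertiser", AD_ID_2, "install"),
    ("ad_network", AD_ID_3, "impression"),
]


def tokens_by_party(events, scheme):
    """Pseudonymise each party's events and collect the distinct tokens it holds."""
    held = {"advertiser": set(), "ad_network": set()}
    for controller, ad_id, _event in events:
        held[controller].add(pseudonymise(scheme, controller, ad_id))
    return held


def joinable_devices(events, scheme) -> int:
    """How many devices the two parties could match by comparing stored tokens."""
    held = tokens_by_party(events, scheme)
    return len(held["advertiser"] & held["ad_network"])


def events_per_device(events, scheme, controller) -> dict:
    """Within one controller the token is still a persistent identifier: it
    groups every event for a device, whichever scheme is used."""
    counts: dict = {}
    for who, ad_id, _event in events:
        if who == controller:
            token = pseudonymise(scheme, who, ad_id)
            counts[token] = counts.get(token, 0) + 1
    return counts


def reset_breaks_link(scheme, controller, ad_id) -> bool:
    """A user reset issues a new ad ID; neither scheme relates old and new tokens."""
    new_ad_id = str(uuid.uuid4())
    old_token = pseudonymise(scheme, controller, ad_id)
    new_token = pseudonymise(scheme, controller, new_ad_id)
    return old_token != new_token


if __name__ == "__main__":
    for scheme in ("plain", "keyed"):
        print(scheme, "cross-party joinable devices:", joinable_devices(SAMPLE_EVENTS, scheme))
        print(scheme, "advertiser events per device:",
              sorted(events_per_device(SAMPLE_EVENTS, scheme, "advertiser").values()))
        print(scheme, "reset breaks link:", reset_breaks_link(scheme, "advertiser", AD_ID_1))
```

Running it prints one joinable device under the plain hash and none under the keyed scheme, while the per-device event counts inside the advertiser are identical for both. One caveat that the ad ID case hides: an unkeyed hash of a low-entropy input (a phone number, an e-mail address) can be recovered by enumerating the input space, which is a second reason a keyed pseudonym is the safer default; ad IDs are 128-bit random values, so for them the question is linkability rather than reversal, exactly as the deck frames it.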
6. Resources
GDPR
Ambiguity of Unambiguous Consent, by Phil Lee, FieldFisherWaterhouse
What’s Relevant for Cookies, etc. under GDPR, by Christoph Bauer of ePrivacy
Privacy Shield
Don’t Hold your Breath (for Privacy Shield), ArsTechnica
Don’t Cut off your Nose to Spite your Face (said my grandmother), by Jules Polonetsky, Future of Privacy
US & Industry Best Practices
FPF-CDT Best Practices (for Mobile App developers)
Privacy on the Go (CA privacy rules)
FTC “Start with Security” (US - data security guidelines for mobile apps)
Importance of Securing Data (TUNE guidance on how the TMC secures data)
Thank You!
Especially Thomas, Johana, Svenja and Andrew
Saira Nayak
Chief Privacy Officer
saira@tune.com
@SairaNayak

GDPR - Applift firstscreen june 2016