GDPR Guide for Publishers

On May 25, 2018, the GDPR (General Data Protection Regulation) will come into effect, requiring all organisations working with the personal data of EEA citizens to be compliant with the regulation. This guide outlines how a publisher can work with Sortable to be GDPR Compliant.

Updated Terms of Service

Many partners, including Sortable, will provide updated terms and privacy policies in advance of GDPR.

Part of Sortable's Updated Terms require the Publisher to gather consent from end users concerning what data is collected and how. The "Consent" section of this document has some suggestions on how to do this.

If you choose to decline the updated terms, there will be a significant impact on revenue for EEA users. Without explicit user consent, in most cases we will not be able to deliver ads.

Consent

At a minimum, the GDPR requires that consent meets these standards:

  • Users must be aware of the identity of the controllers and the purposes of the processing.
    • This means identifying each ad partner used on a site.
    • In the case of Google, this also involves identifying the ad technology providers.
    • The purposes typically include collection of data and use of cookies for ad personalization and measurement.
  • Users must explicitly opt-in and have the option to refuse or withdraw consent.
  • Controllers can demonstrate the user has consented.

Under the GDPR, children under 16 cannot give consent.

The IAB has created a standard that meets these requirements and passes consent data along to partners participating in the advertising auctions. The standard defines how a Consent Management Platform (CMP) functions to collect consent from end users. Although Google has not officially opted to follow this standard yet, we provide recommendations for how to collect the consent needed to show Google personalized ads using the IAB framework.

Desktop and Mobile Web

There are several ways that a Publisher can collect user consent compatible with GDPR.

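Desktop and Mobile Web consent options

| | 1. Sortable Hosted CMP | 2a. IAB CMP + Publisher Purpose for Google | 2b. IAB CMP + Custom Google Consent | 3. No Ads |
|---|---|---|---|---|
| Revenue Impact | Low | Low | Low | High |
| Integration Effort | Low | Medium | Medium | Low |
| UX Impact | Medium | Medium | High | Low |
| Sortable Product Support: Small Business | Yes | Yes | No | Yes |
| Sortable Product Support: Enterprise | Yes | Yes | Yes | Yes |
| Advertising Partner Support: Google | Personalized and Non-personalized ads | Personalized and Non-personalized ads | Publisher manages Google consent and type of ads displayed | N/A |
| Advertising Partner Support: Header Bidders | User consent is passed through to header bidders | User consent is passed through to header bidders | User consent is passed through to header bidders | N/A |
| Advertising Partner Support: Server-2-Server Connections | User consent is passed through to SSPs/DSPs | User consent is passed through to SSPs/DSPs | User consent is passed through to SSPs/DSPs | N/A |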

1. Sortable-Hosted CMP

One of the easiest solutions is to opt in to using Sortable-hosted CMP. The Sortable CMP is automatically loaded for EEA users and prompts for consent before serving them ads. It will also collect the consent needed to show Google personalized ads.

Configuring Option 1

You'll need to provide the following to your account manager (see the integration guide for more details):

  • List of additional IAB Vendor IDs
  • Custom Publisher Purposes to display, if applicable
  • List of Google Technology Partners you're using, if you want Sortable to manage Google consent

2. IAB Compliant v1.1 CMP

Sortable supports integrating with a third-party IAB Compliant CMP. Sortable will query the CMP for consent and pass it on to header bidder and server-2-server partners.

Configuring Option 2

You'll need to provide the following to your account manager:

  • The ID of the custom purpose you are using for Google consent, if you would like Sortable to manage Google's publisher tags configuration.

Since Google is not a registered IAB Global Vendor, you'll need a way to gather consent for Google so that personalized ads are served. There are two options:

2a. Publisher Purpose for Google Personalized Ads

Set up your CMP with a custom purpose that, when accepted by the end users, allows Google to serve personalized ads. This is the approach that the Sortable-hosted CMP uses to collect the consent needed for personalized ads delivery.

If you would like Sortable to manage Google's publisher tags configuration and the delivery of personalized or non-personalized ads dependent on user consent, provide the ID of Google's custom purpose defined in your CMP. Sortable's behaviour will be the same as with our hosted CMP.

Note: Sortable Small Business customers must use this option.

2b. Custom Consent for Google Personalized Ads

This option is only available for Sortable Enterprise.

In this configuration, the publisher manages gathering consent for Google and configuring DFP to display personalized ads in the appropriate context. See Google's Guide on how to configure ad personalization settings in Google’s publisher ad tags.

3. No Ads

Although not recommended, Sortable can prevent ads from serving in the EEA. This can provide you with more time to investigate other strategies.

Configuring Option 3

Let your account manager know this is the option you will use.

4. Custom Consent Solution

This option is only available for Sortable Enterprise.

In this configuration the publisher manages gathering consent for Google, header bidders, and server-2-server demand. The publisher is responsible for meeting the minimum requirements for consent gathering under the GDPR. Additional integration is required by the publishers and Sortable to pass the collected consent to partners. Contact your account manager for more information.

Questions?

If you have any questions about Sortable’s approach to GDPR, please contact GDPRquestions@sortable.com.