What is the GDPR?
The General Data Protection Regulation, or GDPR, is a regulation that requires businesses to take very specific steps to protect the personal data of individuals located in the European Union (EU). The GDPR will take effect on May 25, 2018.
How Does the GDPR Apply to Factual?
The GDPR will apply to Factual when Factual is collecting, receiving and using certain kinds of data. The GDPR-protected data that Factual uses in its core business is primarily made up of the advertising identifiers of mobile devices. Factual doesn’t usually work with the kinds of data most people think of when they think of “personal” data, such as names, phone numbers, email addresses and physical addresses.
At Factual, we see the GDPR as an opportunity. We believe the location data market will benefit as a whole if all players unify their privacy protection practices to provide greater trust and transparency to end users.
How is Factual Preparing for the GDPR?
Factual is dedicated to meeting the requirements of the GDPR. Our compliance efforts include a broad range of high priority efforts, including the following:
Imposing tough requirements on data providers has always been a hallmark of Factual’s commitment to privacy. We are known throughout the industry for holding partners to a high standard. Prior to the GDPR, we required data providers to adhere to privacy requirements more stringent than common industry practice. Now, those rigorous standards form a strong foundation for Factual’s compliance with the upcoming requirements of the GDPR.
Specifically to the GDPR, Factual is putting appropriate terms in place with our data suppliers, customers and service providers. When Factual is acting as a processor of personal data, we will enter into data processing agreements that set out the obligations of both the provider and of Factual as the processor. When Factual is acting as a controller, we will enter into terms appropriate to the controller-to-controller relationship.
Protecting a Lawful Basis
Most of the data deemed as personal under the GDPR that Factual works with comes from third parties, like mobile app publishers and their partners. Factual’s standard terms have always required those data providers to get a clear, legally sufficient consent from end users before providing personal data to Factual. Going forward, we will continue to monitor guidance as regulators and advisory bodies seek to bring greater clarity to other potential lawful bases for processing personal data; however, Factual has no plans to discontinue its consent requirement.
Ensuring a Lawful Transfer
Factual complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks that were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.
Factual is an active member of the Interactive Advertising Bureau (IAB), including its various IAB UK and IAB Europe GDPR Implementation Working Groups. These groups bring together leading experts from across the digital advertising industry to discuss the GDPR, share best practices, and agree on common interpretations and industry positioning on the most important issues for the digital advertising sector.
With IAB Europe, Factual is participating in efforts to develop a transparency and consent framework. Factual fully supports the IAB Consent Standard.
The IAB Consent Standard is a technical mechanism designed to enable websites, advertisers and their ad technology partners to make more robust disclosures, as well as obtain, record and update consumers’ consent for their personal data to be processed in line with the GDPR. The mechanism enables transmission of user consent choices to the supply chain, increasing accountability in the advertising ecosystem by enabling the creation of consent records and an audit trail.
Privacy and Products
Factual implements opt outs via the Digital Advertising Alliance’s AppChoices tool to ensure users have a clear mechanism to opt out of Factual’s collection, use and transfer of their data for interest-based advertising.
Factual is preparing to roll out additional practices to meet the requirements of the GDPR, including conducting Data Protection Impact Assessments where needed, and providing additional mechanisms that enable individuals to exercise their rights under the GDPR, including the rights to access their personal data and to have that data erased.
Factual’s rigorous privacy standards have always been underpinned by a dedication to diligence and remaining informed. We are actively monitoring guidance and developments regarding the GDPR and the proposed ePrivacy Regulation.
Factual’s History of Privacy Leadership
Since our founding, Factual has incorporated a deep respect for privacy and data security into our policies and practices. Our products are designed with privacy at the forefront and our business has been built around compliance, security and respecting data rights.
Factual was among the first companies in the location data industry to become a member of the Network Advertising Initiative (NAI). We remain a member in good standing of the NAI and the Digital Advertising Alliance (DAA), and adhere to codes of conduct and principles laid out by both organizations.
Factual remains deeply committed to protecting the privacy of individuals. We view the GDPR as an opportunity to further enhance our commitment to privacy by design in our products, services and partnerships.