In May 2018, the European Union’s General Data Protection Regulation (GDPR) went into force, marking a significant moment after extensive discussions across industry forums that do business in the European Economic Area (EEA). With its introduction, the principles of integrity, transparency, and responsibility of data became central tenets guiding the digital advertising ecosystem in an era of stringent regulatory oversight.
The introduction of GDPR wasn’t without its challenges. The regulation, along with associated directives, provided clear guidelines regarding the classification of Personal Data, the roles and responsibilities of companies collecting this data, the conditions under which it could be transferred, and the preservation of data subjects’ rights. In the intricate machinery of the Programmatic Advertising ecosystem, it became imperative for participating companies to have well-defined roles and to thoroughly understand all facets of Personal Data collection and processing.
Since then, Mobsta has been unwavering in our commitment. We’ve upheld not only the protection of Personal Data and the rights of subjects but have also institutionalised ongoing processes to ensure full accountability of all data. We provide transparency for users regarding how their data is managed and ensure that our contractual commitments to data security and responsibility are echoed by all our contracting partners. In partnering with processors handling large volumes of Personal Data, Mobsta understands and champions the paramount importance of respecting privacy rights and upholding the highest data protection standards.
This document offers an insight “under the hood” of our data types, compliance program, privacy safeguards, and data practices. It elucidates the tools and protocols we use to ensure all location data, subscriber attributes, segments, and browsing histories are collected, stored, transferred, and deleted in alignment with the subject’s wishes and regional regulations. Our enduring efforts in these areas cement Mobsta’s position as a trusted partner in delivering compliant targeted advertising.
II. HOW DATA IS USED
Mobsta collects data to deliver advertising campaigns from three types of sources:
Each of the three types of data has a different purpose within Mobsta’s offers. Despite those differences, all the contractual relationships have, at their core, data privacy and protection principles in the way we collect, store, and manage those data sources. At the core of all our data processing is the concept of a foundational reference “truth set” from Mobile Operator Networks that enables Mobsta to offer data that is both highly accurate and privacy compliant.
Mobsta processes anonymous subscriber data from Mobile Network Operators (MNOs). We collect and utilise this operator data in a privacy-compliant way. We do not use operator data to target users directly, but rather as a “truth set” to validate data from multiple other sources. This “truth set” enables us to offer accurate, high-quality data without ever disclosing the MNO-sourced user information into the Advertising Ecosystem. All MNO data stays within our secure environment, so concerns about inappropriate third-party transfers of data are mitigated. This allows Mobsta to offer data that is increasingly transparent, accurate, and validated in the ecosystem of GDPR regulations.
III. TYPES OF DATA
Mobsta also offers the processing of many types of data to deliver advertising solutions. Across the data categories listed below, Personal Data is present as a subset of the data type. Each element of Personal Data requires a consent mapping as part of a due diligence exercise to determine the entity who receives and implements the subject’s consent.
For any of the Personal Data in the categories below, especially Location and Session data, the subject’s consent is required not only to collect and utilise the data, but also for selecting segments based on behavioural traits. This is an important distinction for Advertisers, as a clear, unambiguous path to targeting an ad to the right audiences requires data that has been properly vetted to be compliant with all applicable regulations and laws. As of May 25, if the path to the device owner’s privacy selections is not known, as is the case in today’s digital advertising ecosystem, the targeted campaign could cost Advertisers far more than the CPM they paid.
Explicit and unambiguous consent is required by a known source to allow compliance with the GDPR Article 6: Lawfulness of Processing. All organisations in the advertising ecosystem are now subject to this rule and to achieve this, they must know the type of data being processed, the ultimate source of that data, and the ways any data will be updated and maintained by the data subject. Mobsta uses the following data types to validate data and create segments in the Advertising
IV. COMPLIANCE WITH THE GDPR
Valuing transparency and accuracy in all our interactions is core to the way we do business. Below we detail various compliance mechanisms that are key to the GDPR compliance strategy implemented at Mobsta. With each compliance area, our long-term commitment to ongoing integration of the principles of the GDPR is evident. In each privacy mechanism described below, we meet or exceed the compliance standard outlined in the EU regulation.
These roles are defined in GDPR Article 4 as “Controller” and “Processor”. What control an organisation has in relationship to Personal Data is the determining factor here. The “Controller” is an organisation who determines the purposes for which, and the way in which, Personal Data is processed. By contrast, a “Processor” is one who processes Personal Data on behalf of the Data Controller.
In all our contracts, Mobsta and our data partners take the role of the “Processor” of Personal Data, either on behalf of the Data Controller, or as a Sub Processor on behalf of other Data Processors. In being a Data Processor, we have committed contractually to GDPR-compliant clauses which:
These PbD processes include the following:
Mobsta has developed procedures and processes to address all rights of the user. As we covered our methods for consent management in a previous section, we also have methods to find, and act on the subject’s wishes for, any personal data we may have by AdID, IP Address, or other pseudonymous indicators, and to communicate with data source partners when the situation requires. We have also posted on our external website information and contacts to assist data subjects through our DPO and to give them the information they need to file a complaint with the supervising authority, in full compliance with the GDPR.
With GDPR in full force (as of May 25th, 2018), Advertisers need to question and practice due diligence with the suppliers and partners they depend on in the EEA. It is easy for organisations to say that they are GDPR compliant or are somehow exempt from GDPR, but the proof of compliance requires a larger effort. The validation of GDPR principles lies in the following five areas:
Our campaign delivery products were built from the ground up with data privacy, integrity, and transparency at the forefront of our business priorities. We have built a foundation of data protection guidelines for every product and processing decision to ensure regulatory interpretation and implementation in all our services, contracts, and operations. As regulation evolves in the coming years, Mobsta will continue to be a trusted leader in data protection and compliance.