Terminologies from Your Retargeting Provider's GDPR Compliance

GDPR compliance. We’ve all read them with the finest of the fine toothed combs, but the fact is that between the fine lines, we still might not be able to catch the real implications. That’s exactly why we’ve informed ourselves with the help of our legal counsel, Christian Eustermann, and would love to share the insights with you. He advises exactly what to watch out for, making the GDPR compliance a lot less daunting.

We take data privacy seriously - not only as your retargeting provider, but also as mobile users ourselves. Here are the key terminologies you’ll want to look out for:

The gist: Who has control of user data? The advertiser should be in control. The advertiser is responsible in determining the purpose and means of the processing (Art. 4 7. GDPR).

The implications: If the retargeter claims control or joint control, then the advertiser no longer has exclusive control over the means of the processing. As such, the advertiser loses control over the personal data of its users. The Advertiser can no longer be certain that personal user data provided to its retargeting partner is only used for the purposes agreed. It is possible that data could then be used in ways that are not covered by the users original consent (Art. 6 (1) a) GDPR) given to the advertiser. This would then violate GDPR principles.

The gist: “Legitimate Interest” is the weakest legal ground to base data processing on, as it may be interpreted or challenged.

The implications: While it is the weakest, it is also the most flexible and thus loved by many marketers: if they discover a new legitimate interest to base the processing of your users personal data on, they may repurpose your users personal data to the new “legitimate interest”. “Consent” is stronger.

If your retargeting partner relies on “Legitimate Interest” (Art. 6 (1) f) GDPR) to conduct its business, this essentially means that your retargeting partner is doing more than your user has consented to. Otherwise they wouldn’t have to rely on “Legitimate Interest” but would be using “Consent” (Art. 6 (1) a) GDPR).

When it comes to consent, advertisers typically gather user consent for marketing and remarketing. If the partner bases its processing on legitimate interest, it may be using the data for other purposes. Examples could be using the data for the purposes of a competing advertiser, for further analysis, or for the resale of user data (or any insight taken from that data).

When relying on “legitimate interest” you also need to balance (LIA - legitimate interest assessment) your interest to market, versus the rights of the individual (“the interests or fundamental rights and freedoms of the data subject which require protection of personal data”) and actively communicate the results of the assessment to the individual. Having this information in a privacy policy is mandatory, but not sufficient!

The gist: If your retargeting partner mentions Automated Decision-Making and / or Profiling, your Retargeter is using your users data for purposes other than advertising or remarketing!

The implications: Beware if your retargeting partner mentions “Automated Decision-Making” or “Profiling” in their privacy policy. Mentioning Automated Decision-Making and/or Profiling is enough for the personal data of your users to be used for legally relevant decisions with significant impact on your user (Art. 22 (1) GDPR). Dynamic pricing is an example of automated decision-making, wherein different users receive different product prices depending on the time and date, their location, age, or even worse their entries with scoring companies. Yikes!

Advertising is exempt from these limitations of Art. 22 GDPR, as it is considered to not create significant consequences.

If you want your retargeting partner to profile users for you, and if you’ve obtained user consent for it, the next hurdle to overcome is Art. 22 (3) GDPR prescribing the Advertiser to “implement suitable measures to safeguard users’ rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Advertiser, to express his or her point of view and to contest the decision”. Ask yourself twice - are you able to establish a compliant process in programmatic advertising?

The danger of “control”, “joint control”, “legitimate interest” and “automated decision-making” is that these terminologies can lead to your retargeting partner repurposing the personal data of your users outside the scope of their original consent.

This risk is especially prominent, where the retargeter also relies on “Legitimate Interest” (Art. 6 (1) f) GDPR) or “Automated Decision-Making” (Art. 22 (1) GDPR).

If the retargeting partner is working outside of being a mere Processor and/or relies on “Legitimate Interest” to conduct its business, they do not necessarily have to silo your users’ personal data separate from the data of other advertisers and thus competitors.

The retargeting partner might use your users personal data to advertise a competitor’s product, because they already know what works best with which user. Information can be exploited directly or through the insights gained through the use of “Automated Decision-Making”.

Such operation may be hinted at by the product range the retargeter offers. If for example, “lookalike targeting” is offered, it might be of the agreed kind, based on anonymous audience information, or audience information the retargeting partner already collected during your campaign, but conveniently forgot to delete and then repurposed for use to the benefit of your competitor.

Remerge always assumes the role of the Processor, solely acts upon user Consent, does not employ Automated Decision-Making and never repurposes data, but siloes data separately for each single Advertiser and deletes all user personal data at the end of each campaign.