Since the GDPR became active in May 2018, we have worked closely with the Interactive Advertising Bureau (IAB) and our lawyers to ensure our service and your ads are in compliance.
What is GDPR?
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018.
- Protects individuals in the EU. Applies outside of the EU when a company sells products or services to individuals inside the EU or when EU individuals are targeted or monitored
- Applies both to data “controllers” and data “processors,” irrespective of size and whether activity is for profit or not. Several obligations apply to “processors,” entities that process personal data on behalf of “controllers.”
- Covers “processing” of personal data, defined to include any operation performed on personal data, including collection.
The fundamental point of GDPR is that users should have full control over their personal data, how it gets used, who uses it, and full visibility into those choices.
I’m not in the EU - do I need to do anything?
GDPR applies to all companies that deal with EU residents, so even if you only have a small percentage of traffic coming from the EU, it applies to you and your site.
What is Raptive doing for my ads?
Good news: your Raptive ads are GDPR-compliant as of May 25, 2018.
We use a consent management platform (CMP) to gather consent from EU traffic to allow partner organizations to collect, access, and use individuals' information. EU users who visit your site are prompted to grant each of these partners consent to access their device. They can also learn more about how and why their data may be used, view the ad partners we work with for your site, or opt out.
How much of my traffic sees this consent box?
This CMP only displays traffic coming from countries governed by GDPR. (Click here for a full list.) You can get a feel for how much of your traffic comes from these countries by opening your site’s Google Analytics account and selecting ‘Audience’ > ‘Geo’ > ‘Location.’ You’ll see the percentage of your total traffic that comes from each country around the world.
What does this consent box look like?
In August 2020, we rolled out the latest version of the CMP, which was upgraded to comply with the latest IAB TCFv2 guidelines and provide the best user experience. We are partnering with LiveRamp, a trusted industry brand, for this service, and we chose them based on, among other things, data showing high opt-in rates for EU visitors.
The CMP allows users to view all partners/vendors that are active on your page, see which processing proposes those vendors are using, and have the option to consent or not on all these bases.
If the user clicks "Accept All", they will continue to your site and be served personalized ads. If they choose "Manage Settings," they have many more in-depth options for customizing their preferences.
How can an EEA user remove consent?
If an EU user originally consents to all the vendors and processing purposes on a page, but changes their mind later, they can easily update their ad privacy settings by clicking on the "Update Privacy Preferences" link in the footer of the site (only visible in EU countries). This will bring them back to the CMP, offering them the original options again.
Does GDPR affect my RPM?
The short answer is yes but very minimally, depending on the percentage of EU traffic your site receives. Personalized ads pay well — so pageviews without those ads reduce your overall earnings and RPM. Giving EU users the opportunity to consent through our consent framework lets you recapture as much of that revenue as possible.
Can I use a different method of gathering advertising consent for my readers?
Right now, our first priority is making sure the solutions we’re using are actually 100% in compliance. From our conversations with Google, the IAB, other ad industry providers, and our lawyers, this latest release is in line with best practices to protect your site’s ads and do what it takes for compliance. As more information and standards come to light, we’ll be at the forefront of new and improved solutions for your ads.
Can I customize the CMP wording?
Yes, but only minimal changes are allowed with wording and user interface. As part of the IAB TCFv2 there are strict standards that must be upheld to insure compliance. We can include any/all partners on your site in the CMP.
Outside of my ads, what else do I need to do?
Ads probably aren’t the only thing on your site collecting EU users’ information. Comment and contact forms, YouTube videos, Facebook tracking pixels, a customer database, mailing list, plugins, widgets, hosts, and Google Analytics are just a handful of examples of other ways you may be collecting user information through your site.
One of the most important things you can do is take stock of the services and tools you use on your site and understand how they are processing information on your visitors and handling GDPR-compliance. For third-party services, we recommend contacting each provider to ask what steps they are taking for GDPR-compliance.
If you use any service that requires you to add a pixel or script to your site, or if you call any "conversion tracking API" to report events to another company (such as Facebook CAPI) then please let us know so that we can configure the CMP correctly for you.
Since you must use Google Analytics to partner with Raptive, we’ve done our due diligence and worked with Google to delay Google Analytics data collection until the user has given consent. Our CMP includes code that delays Google Analytics data collection on a user has given consent.
On your end, You can choose how long Google Analytics keeps personal data, with the default being 26 months, through Google’s data retention settings.
“Keep in mind that standard aggregated Google Analytics reporting is not affected. The user and event data managed by this setting is needed only when you use certain advanced features like applying custom segments to reports or creating unusual custom reports.” (source)
You can also anonymize IP addresses in Google Analytics so they are no longer considered personally identifying information. This doesn’t have any impact on the way we use Google Analytics to measure and report your ad performance.
Do I need a separate cookie notification pop-up?
We recommend against adding any additional cookie consent or notification widgets to your site, as they can negatively affect your ad earnings and they don’t interface with the consent framework to prevent any data collection.