Since we aren’t lawyers, we are cautious in our approach to GDPR and want to be clear that we aren’t able to give legal advice for your site. We work with lawyers and important leaders in the industry to keep a close eye on everything related to GDPR and want to pass on as much useful info as we can. Things continue to change with GDPR implementation and lawmakers still haven’t weighed in on many crucial aspects, so we encourage you to take a conservative, thoughtful approach to compliance, make best efforts, and stay tuned as things evolve and new solutions are developed.
What is GDPR?
GDPR stands for General Data Protection Regulation, an initiative designed to give residents of the European Economic Area (EEA, which includes the European Union or EU, plus several additional countries) control over how their personal information is used.
GDPR is all about how you use your site visitors’ and customers' data. This includes the ads that we serve to them and how they are personalized, how your social sharing plugin stores data, how your commenting system logs user data, how your host records traffic, and many other things. Being in compliance means understanding all of these components and providing transparency and control to your readers.
The fundamental point of GDPR is that users should have full control over their personal data, how it gets used, who uses it, and full visibility into those choices.
I’m not in the EU - do I need to do anything?
GDPR covers all companies that deal with EU residents, so even if you only have a small percentage of traffic coming from the EU, it applies to you and your site.
What is AdThrive doing for my ads?
Good news: your AdThrive ads are GDPR-compliant as of May 25, 2018.
We use a consent box to gather consent from EEA traffic to run personalized, relevant ads. EEA users who visit your site are asked to opt in to personalized ads. They can also learn more about how and why their data may be used, view the ad partners we work with for your site, or opt out and receive only non-personalized ads (which aren’t as valuable to advertisers).
How much of my traffic sees this consent box?
This consent box only displays for traffic coming from countries governed by GDPR. (Click here for a full list.) You can get a feel for how much of your traffic comes from these countries by opening your site’s Google Analytics account and selecting ‘Audience’ > ‘Geo’ > ‘Location.’ You’ll see the percentage of your total traffic that comes from each country around the world.
What does this consent box look like?
It's a banner that displays at the bottom of the page for EEA visitors stating that your site uses data to deliver personalized ads. It links to more details on the information that may be gathered and how that information may be used, and gives visitors the chance to accept personalized ads or customize their preferences. Ideally, EEA visitors are used to seeing these types of opt-ins and will consent to normal data use.
If the user clicks ‘Accept All’, they will continue to your site and be served personalized ads. If they choose ‘Update Your Settings,’ they have many more in-depth options for customizing their preferences.
What if the EEA visitor doesn’t consent?
If an EEA visitor doesn’t consent, they will be shown ads that don’t rely on any personal information. These ads aren’t as valuable to advertisers, because visitor information can’t be tracked.
How can an EEA user remove consent?
If an EEA user originally consents to receive personalized ads, but changes their mind later, they can easily update their ad privacy settings by clicking on the ‘Update Privacy Preferences’ option at the bottom of the site (only visible in EEA countries). This will bring them back to the consent box, offering them the original options again.
Can my RPM be affected by GDPR?
The short answer for now is yes, depending on the percentage of EU traffic your site receives. Non-personalized ads don’t currently pay as well as ads based on a user’s browser history. Preliminary studies show up to 50% of EU users may consent to personalized ads when given the choice, so our consent framework lets you recapture as much of that revenue as possible.
Can I use a different method of gathering advertising consent for my readers?
Right now, our first priority is making sure the solutions we’re using are actually 100% in compliance. From our conversations with Google, other ad industry providers, and our lawyers, this release is our best effort to protect your site’s ads and do what it takes for compliance. As more information and standards come to light, we’ll be at the forefront of new and improved solutions for your ads.
Can I add custom wording to the consent box to cover other things?
This consent box is just covering cookies related to your ads for now (and remember, it only shows for EU traffic). As things evolve, we’re hoping for new solutions that let us include consent for other cookies too!
Outside of my ads, what else do I need to do?
Ads probably aren’t the only thing on your site tracking EEA users’ information. Comment and contact forms, a customer database, mailing list, plugins, widgets, hosts, and Google Analytics are just a handful of examples of other ways you may be collecting user information through your site.
One of the most important things you can do is take stock of the services and tools you use on your site and understand how they are processing information on your visitors and handling GDPR-compliance. For third-party services, we recommend contacting each provider to ask what steps they are taking for GDPR-compliance.
Google Analytics has introduced new data retention settings for GDPR. You can now choose how long Google Analytics keeps personal data, with the default being 26 months.
“Keep in mind that standard aggregated Google Analytics reporting is not affected. The user and event data managed by this setting is needed only when you use certain advanced features like applying custom segments to reports or creating unusual custom reports.” (source)
You can also anonymize IP addresses in Google Analytics so they are no longer considered personally identifying information. This doesn’t have any impact on the way we use Google Analytics to measure and report your ad performance.