GDPR FAQs

Since we aren’t lawyers, we are cautious in our approach to GDPR and want to be clear that we aren’t able to give legal advice for your site. We work with lawyers and important leaders in the industry to keep a close eye on everything related to GDPR and want to pass on as much useful info as we can. Things continue to change with GDPR implementation and lawmakers still haven’t weighed in on many crucial aspects, so we encourage you to take a conservative, thoughtful approach to compliance, make best efforts, and stay tuned as things evolve and new solutions are developed.

What is GDPR?

GDPR stands for General Data Protection Regulation, an initiative designed to give residents of the European Economic Area (EEA, which includes the European Union or EU, plus several additional countries) control over how their personal information is used.

GDPR is all about how you use your site visitors’ and customers' data. This includes the ads that we serve to them and how they are personalized, how your social sharing plugin stores data, how your commenting system logs user data, how your host records traffic, and many other things.  Being in compliance means understanding all of these components and providing transparency and control to your readers.

The fundamental point of GDPR is that users should have full control over their personal data, how it gets used, who uses it, and full visibility into those choices.

I’m not in the EU - do I need to do anything?

GDPR covers all companies that deal with EU residents, so even if you only have a small percentage of traffic coming from the EU, it applies to you and your site.

What is AdThrive doing for my ads?

Good news: your AdThrive ads are GDPR-compliant as of May 25, 2018.

We use a consent box to gather consent from EEA traffic to run personalized, relevant ads. EEA users who visit your site are asked to opt in to personalized ads. They can also learn more about how and why their data may be used, view the ad partners we work with for your site, or opt out and receive only non-personalized ads (which aren’t as valuable to advertisers).

How much of my traffic sees this consent box?

This consent box only displays for traffic coming from countries governed by GDPR. (Click here for a full list.) You can get a feel for how much of your traffic comes from these countries by opening your site’s Google Analytics account and selecting ‘Audience’ > ‘Geo’ > ‘Location.’ You’ll see the percentage of your total traffic that comes from each country around the world.

Screen_Shot_2018-05-21_at_2.58.54_PM.png

What does this consent box look like?

It's a banner that displays at the bottom of the page for EEA visitors stating that your site uses data to deliver personalized ads. It links to more details on the information that may be gathered and how that information may be used, and gives visitors the chance to accept or reject personalized ads or customize their preferences. Ideally, EEA visitors are used to seeing these types of opt-ins and will consent to normal data use.

GDPR_CMP.png

If the user clicks ‘Accept All’, they will continue to your site and be served personalized ads. If they choose ‘Reject All’, they will continue to your site and be served ads based on other factors, such as the content of the page. And if they choose ‘Update Your Settings,’ they have many more in-depth options.

What if the EEA visitor doesn’t consent?

If an EEA visitor doesn’t consent, they will be shown ads that don’t rely on any personal information. These ads aren’t as valuable to advertisers, because visitor information can’t be tracked.

How can an EEA user remove consent?

If an EEA user originally consents to receive personalized ads, but changes their mind later, they can easily update their ad privacy settings by clicking on the ‘Update Privacy Preferences’ option at the bottom of the site (only visible in EEA countries). This will bring them back to the consent box, offering them the original options again.

Update_Privacy_Preferences.png

Can my RPM be affected by GDPR?

The short answer for now is yes, depending on the percentage of EU traffic your site receives. Non-personalized ads don’t currently pay as well as ads based on a user’s browser history. Preliminary studies show up to 50% of EU users may consent to personalized ads when given the choice, so our consent framework lets you recapture as much of that revenue as possible.

Can I use a different method of gathering advertising consent for my readers?

Right now, our first priority is making sure the solutions we’re using are actually 100% in compliance. From our conversations with Google, other ad industry providers, and our lawyers, this release is our best effort to protect your site’s ads and do what it takes for compliance. As more information and standards come to light, we’ll be at the forefront of new and improved solutions for your ads.

Can I add custom wording to the consent box to cover other things?

This consent box is just covering cookies related to your ads for now (and remember, it only shows for EU traffic). As things evolve, we’re hoping for new solutions that let us include consent for other cookies too!

Outside of my ads, what else do I need to do?

Ads probably aren’t the only thing on your site tracking EEA users’ information. Comment and contact forms, a customer database, mailing list, plugins, widgets, hosts, and Google Analytics are just a handful of examples of other ways you may be collecting user information through your site.

One of the most important things you can do is take stock of the services and tools you use on your site and understand how they are processing information on your visitors and handling GDPR-compliance. For third party services, we recommend contacting each provider to ask what steps they are taking for GDPR-compliance.

Google Analytics

Google Analytics has introduced new data retention settings for GDPR. You can now choose how long Google Analytics keeps personal data, with the default being 26 months.

From Google:

“Keep in mind that standard aggregated Google Analytics reporting is not affected. The user and event data managed by this setting is needed only when you use certain advanced features like applying custom segments to reports or creating unusual custom reports.” (source)

You can also anonymize IP addresses in Google Analytics so they are no longer considered personally identifying information. This doesn’t have any impact on the way we use Google Analytics to measure and report your ad performance.

Privacy Policy

GDPR requires some updated wording for your privacy policy, so we worked with our lawyers to help with that. We have some wording specific to your AdThrive ads that you can add to your privacy policy, as well as a sample privacy policy that you’re free to adapt to your needs.

ADVERTISING PRIVACY STATEMENT

This snippet describes how AdThrive uses data to provide ads to customers inside and outside the EU. Please make sure this snippet is inserted into your privacy policy so it can be fully compliant and correctly describe how we use the data of your users.

SAMPLE GDPR-COMPLIANT PRIVACY POLICY

This is a sample privacy policy that covers important information for GDPR and explains clearly how EEA users can consent to your site’s data usage, or ask you to update or remove their data.

You don't have to use this policy, but if you do choose to use any part of it, please make sure to go through each section of the document and select all of the correct options that apply to your business and how you use data with any and all partners you work with. (Basically, anything in brackets needs to be carefully considered.) We tried to list as many things you could use data for as possible, but make sure you add anything else that is relevant for your business. We recommend consulting a lawyer if you need additional guidance on your site's privacy policy.

Was this article helpful?
2 out of 2 found this helpful
Have more questions? Submit a request