On May 25, 2018, the European Union will carry out its data protection reform and begin to enforce a new law called GDPR (General Data Protection Regulation). This law aims to strengthen and unify data protection for users within the European Economic Area (EEA). Fyber has created this GDPR resource page to provide our customers with information regarding Fyber’s GDPR readiness.
GDPR & Fyber
At Fyber, we invest great efforts in ensuring that our products and services adequately address legislative and regulatory requirements. Data protection and overall client trust in Fyber’s services continue to be of the highest importance to us.
The data that Fyber processes may include potentially identifiable information which may relate to users in the EEA. Consequently, we addressed the requirements under EU data protection laws, and specifically those of the forthcoming GDPR.
Fyber’s compliance with GDPR
On May 25, 2018, Fyber will be fully GDPR compliant.
GDPR applies to Fyber whenever Fyber processes personal data on behalf of publishers to provide their EEA users with targeted and relevant advertising.
As a data processor, Fyber does not require a separate GDPR consent from end users to collect and process publishers’ end-users’ personal information for the purpose of serving targeted and lucrative ads.
Fyber relies on publishers to obtain consent from their users for ad targeting. This is aligned with Fyber’s position as a platform that facilitates the serving of ads as an intermediary between supply and demand. Fyber’s position as a processor is enabled by its careful handling of users’ data for the sole purpose of retrieving targeted and relevant ads. Advertising companies who voluntarily choose to be controllers (as defined within the GDPR) may have additional purposes and uses for a user’s personal data.
Fyber, as a data processor, and publishers, as data controllers, are equally responsible under GDPR. Therefore, data protection and overall client trust in Fyber’s services continue to be of the highest importance to us. Fyber has already taken the necessary steps to comply with the upcoming GDPR framework. As part of this, Fyber implemented all necessary changes to its processes, documentation, policies, and contractual framework with its customers and partners.
What personal data does Fyber process via its SDK?
During the integration phase of Fyber’s SDK with a publisher’s app, the publisher may specify the type of personal data that will be shared with Fyber via the SDK. Most publishers enable the Fyber SDK to process information such as the following:
- Internet Protocol (IP) addresses
- Advertising ID
- Precise (GPS) location data, if permitted by the app
Is any of the processed data transferred outside of the EU?
Yes, Fyber stores all personal data on the Amazon Web Services (AWS) cloud, which is Privacy Shield certified. Fyber has taken the necessary contractual safeguards to guarantee that personal data is processed in compliance with the GDPR and has signed the required Data Processing Addendum (including Standard Contractual Clauses) with Amazon.
Any personal data processed by Fyber on behalf of publishers will solely be used for advertising and targeting purposes, and in accordance with the publisher’s instructions in its agreement with Fyber.
Fyber encourages its publishers to create their own consent dialogue to present to users on their apps or sites. A publisher who obtains consent directly from users may benefit from the following:
- Better user experience – Present users with a single message, on the screen and at a time of your choosing, thereby avoiding multiple ‘opt-in’ messages presented on behalf of different ad vendors.
- Personal outreach – Engage users with a personal, tailored message that matches the tone of the app and its audience. The more personal the outreach, the better the chances of obtaining consent.
- Improved monetization – Users are more likely to provide consent if the request comes from the app developer than from an unfamiliar company such as an ad vendor.
- Enhanced control over data – With direct user consent, a publisher will be the owner of their users’ data. The alternative of counting on an ad vendor’s consent mechanism means that if and when a publisher decides to switch to another ad vendor that is a controller or introduce its own consent dialog, it may need to present all users with a new consent message.
Ensuring GDPR compliance with Fyber’s SDK
Fyber’s updated SDKs
Fyber processes personal data on behalf of the controller (e.g. the publisher) through a Software Development Kit (SDK) installed on an app or via a tag on a website. It is the duty of the controller to only use processors that are GDPR compliant.
Fyber implemented internal processes to anonymize user data in a way that still makes it useful for advertisers, while ensuring that user identity is protected. For example, whenever the updated Fyber SDK receives an indication that a user declined consent, it automatically anonymizes the GPS coordinate data and/or IP addresses before passing the ad request to demand partners for ad delivery, to ensure that no personal information is processed. In addition, Fyber will flag to its demand partners and/or mediated ad networks that the user did not provide the consent required under GDPR and does not wish to be served with targeted ads on the app. In such cases, only contextual ads will be shown to that user. Contextual ads are ads that are served based on the content of the page, app or site the user is viewing, and not based on personal data of a user.
All of Fyber’s SDKs will be updated prior to May 25, 2018. Fyber will send all publishers an update when a new SDK is available for download.
As a service to publishers, all new SDKs will include new APIs to communicate user consent provided on the app to Fyber and will also include features to propagate consent to Fyber’s demand partners and mediated ad networks.
Updating your apps to Fyber’s latest SDK is essential in ensuring your compliance with GDPR.
Fyber strongly recommends notifying your users that they must update their app to the latest version to ensure compliance with the new EU regulation.
During the SDK update transition period, Fyber will enable only contextual ads (see above) to your EEA users or, if requested by the publisher, to all users, by removing all personal data of users who have not provided explicit consent.
Will I have to update to the new SDK if I have already signed Fyber’s DPA?
Yes, we’ll ensure you’re GDPR compliant regardless of which SDK version you have, but in order to ensure you’re not limited to contextual ads, we recommend updating to the new SDK sooner rather than later.
Will Fyber still service apps with older SDKs?
Yes, but only with contextual ads to EEA users or, if requested by the publisher, to all users.
I need more time to present my own consent form to users, what happens in the meantime?
No worries, until then, we will serve contextual ads to all EEA users that did not provide explicit consent, or, if requested by the publisher, to all users.
Will Fyber update mediated ad network bundles to the latest version of their SDKs?
Fyber will update bundles gradually as they are made available by our mediated network partners.
What happens if the user does not provide consent?
Fyber will serve contextual ads to all users who declined consent.
What happens if a user withdraws his/her consent?
The publisher should provide the user with an option in the app or site to withdraw consent. If a user withdraws consent, the Fyber SDK will treat it as if the user declined consent. In such cases, the SDK automatically anonymizes GPS coordinate data and/or IP address before passing the ad request to demand partners for ad delivery, to ensure that no personal information is processed. In addition, Fyber will flag to its demand partners and/or mediated ad networks that the user did not provide the consent required under GDPR and does not wish to be served with targeted ads in the app. This user will receive contextual ads only.
What are contextual ads?
Contextual ads are ads that are based on the context of the app rather than on the behavioural preferences, or personal data of a particular app’s user. These ads may potentially generate less revenue for the publisher.
What if I integrate with Fyber through a server-to-server API or a tag?
Fyber’s API and JS tags will be updated to support a placeholder to communicate user consent.
What is Fyber’s data retention policy?
I am using the IAB consent framework, what is Fyber’s vendor ID?
Fyber participates as a vendor in IAB Europe’s Transparency & Consent Framework, our vendor ID is 262.
If a user on an app declined consent for his/her personal data to be processed for ad targeting, Fyber will do the following:
- Send demand partners a flag that indicates that a user has declined consent
- Anonymize GPS coordinate data and/or IP addresses before sending the ad request to demand partners
Fyber expects all demand partners to honor the user’s choice and comply with GDPR by serving only contextual ads to such users. Demand partners are prohibited from de-anonymizing personal data for ad delivery purposes.
Demand Partners FAQs
How is Fyber communicating consent to programmatic buyers?
Fyber adopted IAB’s proposed GDPR extensions for its programmatic exchanges.
Should demand partners expect to see less traffic from the EU starting May 25th?
No. The volume of traffic is expected to remain steady, however, bid requests may include the new GDPR ‘flags’ and may have anonymized data.
Is the Advertising ID going to remain intact for all bid requests?
Yes, IDFAs and GAIDs will be sent out in bid requests, as usual.
Can we still bid on requests that state that user consent was declined?
Yes, you can still serve ads to EU users that declined consent, but only with contextual ads.
How is Fyber handling ad requests from users under the age of 16?
For users that are known to be younger than 16, Fyber anonymizes all personal information in the bid request from that user, regardless of the user being within the EEA or outside of it.
What if we cannot accommodate the new RTB extensions?
For a limited time, demand partners may still receive anonymized inventory until they update their integration. That said, Fyber strongly recommends adhering to the new RTB specs and updating integrations as soon as Fyber rolls out support for them, to ensure compliance with GDPR.
Data Subject Requests for Data Access or Deletion
Articles 15 and 17 of the GDPR provide data subjects with the right to access and/or delete personal data that is related to them or is about them. Fyber, as a processor, will cooperate with its controllers (i.e. Publishers) to help them fully comply with any access and/or deletion request of a data subject and shall provide its controllers with the requested information or confirmation of deletion of such information, as soon as possible.
Mobile application / website developers and/or owners (“Publishers” or “Supply Partners”)
What do you need to provide Fyber?
To support your data subject’s request to access or delete personal data, you need to send Fyber the following details so Fyber can identify the relevant data related to the requesting data subject in its systems:
(a) the date on which the data subject made the request to you; and
(b) the Advertising ID (IDFA, AAID) of the requesting user’s device (in UUID format); and,
(c) the mobile application store ID, and mobile application or website name and URL (if applicable) from which the data subject’s request was made.
Please use the template attached here.
Please contact your Fyber account manager for the contact information of the Fyber GDPR team.
Please send a separate document for each batch of data subject requests in the future (i.e., don’t add them to an existing list).
Please do not add any additional details about the data subject, including any identifiable information, such as the name, email address and telephone number of a data subject. Fyber does not hold or use these types of details about your data subjects.
Fyber would like to draw your attention to the fact that it is your responsibility to verify the identity of the requesting data subject before sending the access or deletion request to Fyber.
How is Fyber going to support data subject requests from you?
Fyber will take the following actions after receiving a written request from you to provide access to or to erase personal data that is related to or is about your data subjects. In case of an access request, Fyber will provide you with a copy of all the personal data that Fyber and its advertisers have been able to identify on their systems about the data subject’s advertising ID. In case of a deletion request, Fyber shall provide confirmation on its behalf and on behalf of its Demand Partners that all personal data related to the advertising IDs provided in your request to Fyber, which Fyber and its Demand Partners identified in their systems, has been deleted from such systems.
Fyber will respond to your request without undue delay and within one month from the date the data subject made the request to you, so please be sure to include the date you received the request from the data subject in the template you send Fyber together with your request. Please send the access or delete request to Fyber immediately after you receive it so Fyber and its Demand Partners shall have sufficient time to comply with the request.
Advertisers, DSPs, Ad Networks, Ad Agencies (“Demand Partners”)
Why do you need to cooperate with Fyber’s request?
As you know, data subjects (end users) have certain rights under GDPR. Two of them are very relevant to the advertising industry: the right to access (i.e. to obtain a copy of) personal data concerning them (Article 15 GDPR) from the controller (usually the Publisher but could also be an advertiser), and the right to be forgotten (i.e. to have personal data concerning them deleted), Article 17 GDPR.
When a data subject sends an access or deletion request to the Publisher, the Publisher as the controller is responsible for complying with such request by either providing the data subject with a copy of the personal data concerning the data subject or confirming the deletion of such data from systems. As Publishers use the Fyber platform to serve targeted ads to such data subject, the Publisher also sends the data subject’s request to Fyber that, as a processor, processes such data on behalf of the Publisher to provide it with access to the Fyber platform and enable the serving of targeted ads to data subjects. In a similar way, Fyber is engaged with Demand Partners to enable the serving of targeted ads to the same data subject and therefore Fyber sends the access or delete request also to its Demand partners.
Under GDPR, all parties involved in the processing of personal data of data subjects, whether controllers or processors, are equally liable and are subject to the same fines for non-compliance, which are significantly high (the greater of up to €20 million, or 4% of the worldwide annual revenue of the prior financial year). Fyber expects its Demand Partners to cooperate with such requests and respond to them in a timely manner as required by the GDPR.
If a Demand Partner has a legal basis to process personal data concerning a data subject in Fyber’s access or delete request as an independent controller, then it can continue processing such data for its own purposes and notify Fyber via email. Your account manager can give you the contact information of the Fyber GDPR team. Otherwise, it is required to act as instructed by Fyber and either provide Fyber with a copy of the personal data concerning the data subject or confirm the deletion of such data from its systems, both within the provided response time.
When Fyber’s records show that a Demand Partner placed a bid and/or bought ad space inventory from a mobile application/website that is owned/developed by a Publisher, Fyber will require your cooperation and assistance with such data subject requests as they apply to your company.
Fyber will send the access or deletion request to the Demand Partner contact person listed in Fyber’s database. In the event there is a dedicated person in your organization for GDPR issues, kindly refer Fyber’s request to that person and notify Fyber of such person’s contact information so Fyber can update it in its records and will not send you any further GDPR requests.
What if I am a Demand Partner based outside the EU?
If your company is not established in the European Union and you did not bid or purchase any ad inventory via the Fyber platform that is from users in the European Economic Area, then you can ignore any access or deletion request you receive from Fyber.
What will Fyber provide you with?
As part of Fyber’s request for you to cooperate and respond to data subjects’ requests for access to or deletion of personal data concerning them, Fyber will provide you with the advertising ID (UUID format), mobile application store ID, mobile application or website name and URL (if applicable), and the Publisher name. This access or delete request will be provided to you in an Excel file.
What actions are expected of you?
For data access requests: you must provide Fyber with a copy of all personal data concerning the listed advertising IDs that is stored in your systems. Please provide the data in Excel form. You must also reach out to any third party with which you have been sharing such data while processing it for the provision of ads via the Fyber platform and obtain a copy of such data from such parties as well.
Please note that the GDPR requires that the data you provide will be in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Article 12 GDPR).
For data deletion requests: you must provide Fyber with a confirmation of deletion of all personal data concerning the listed advertising IDs, as well as that of your third parties.
Exactly what data needs to be provided or deleted?
You must provide or delete (as applicable) all personal data concerning the listed advertising IDs provided by Fyber. “Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4 GDPR).
You should send Fyber the data file or confirmation of data deletion without undue delay, and within 10 calendar days, so Fyber will be able to forward your response to the Publisher and the Publisher can forward it to the relevant data subjects. Compliance with data subjects’ rights, and thus compliance with GDPR, requires cooperation from all parties involved in the processing of personal data.