On May 25, 2018, The European Union will carry out its data protection reform and begin to enforce a new law called GDPR (General Data Protection Regulation). This law aims to strengthen and unify data protection for users within the European Economic Area (EEA). Fyber has created this GDPR resource page to provide our customers with information regarding Fyber’s GDPR readiness.
GDPR & Fyber
At Fyber, we invest great efforts in ensuring that our products and services adequately address legislative and regulatory requirements. Data protection and overall client trust in Fyber’s services continues to be of the highest importance to us.
The data that Fyber processes may include potentially identifiable information which may relate to users in the EEA. Consequently, we addressed the requirements under EU data protection laws, and specifically those of the forthcoming GDPR.
Fyber’s compliance with GDPR
On May 25, 2018, Fyber will be fully GDPR compliant.
GDPR applies to Fyber whenever Fyber processes personal data on behalf of publishers to provide their EEA users with targeted and relevant advertising.
As a data processor, Fyber does not require a separate GDPR consent from end users to collect and process publishers’ end-users’ personal information for the purpose of serving targeted and lucrative ads.
Fyber relies on publishers to obtain consent from their users for ad targeting. This is aligned with Fyber’s position as a platform that facilitates the serving of ads as an intermediary between supply and demand. Fyber position as a processor is enabled due to its careful handling of users’ data for the sole purpose of retrieving targeted and relevant ads. Advertising companies who voluntarily choose to be controllers (as defined within the GDPR) may have additional purposes and uses for a user’s personal data.
Fyber as a data processor and publishers as data controllers, are equally responsible under GDPR. Therefore, data protection and overall client trust in Fyber’s services continues to be of the highest importance to us. Fyber has already taken the necessary steps to comply with the upcoming GDPR framework. As part of this, Fyber implemented all necessary changes to its processes, documentation, policies, and contractual framework with its customers and partners.
What personal data does Fyber process via its SDK?
During the integration phase of Fyber’s SDK with a publisher’s app, the publisher may specify the type of personal data that will be shared with Fyber via the SDK. Most publishers enable the Fyber SDK to process information such as the following:
- Internet Protocol (IP) addresses
- Advertising ID
- Precise (GPS) location data, if permitted by the app
Is any of the processed data transferred outside of the EU?
Yes, Fyber stores all personal data on Amazon Web Services (AWS) cloud which is Privacy Shield certified. Fyber has taken the necessary contractual safeguards to guarantee that personal data is processed in compliance with the GDPR and has signed the required Data Processing Addendum (including Standard Contractual Clauses) with Amazon.
Any personal data processed by Fyber on behalf of publishers will solely be used for advertising and targeting purposes, and in accordance with the publisher’s instructions in its agreement with Fyber.
Fyber encourages its publishers to create their own consent dialogue to present to users on their apps or sites. A publisher who obtains consent directly from users may benefit from the following:
- Better user experience – Present users with a single message, on the screen and at time of your choosing, thereby avoiding multiple ‘opt-in’ messages presented on behalf of different ad vendors.
- Personal outreach – Engage users with a personal, tailored message that matches the tone of the app and its audience. The more personal the outreach, the better the chances of obtaining consent.
- Improved monetization – Users are more likely to provide consent if the request comes from the app developer than from an unfamiliar company such as an ad vendor.
- Enhanced control over data – With direct user consent, a publisher will be the owner of their users’ data. The alternative of counting on an ad vendor’s consent mechanism means that if and when a publisher decides to switch to another ad vendor that is a controller or introduce its own consent dialog, it may need to present all users with a new consent message.
Ensuring GDPR compliance with Fyber’s SDK
Fyber’s updated SDKs
Fyber processes personal data on behalf of the controller (e.g. the publisher) through a Software Development Kit (SDK) installed on an app or via a tag on a website. It is the duty of the controller to only use processors that are GDPR compliant.
Fyber implemented internal processes to anonymize user data in a way that still makes it useful for advertisers, while ensuring that user identity is protected. For example, whenever the updated Fyber SDK receives an indication that a user declined consent, it automatically anonymizes the GPS coordinate data and/or IP addresses before passing the ad request to demand partners for ad delivery, to ensure that no personal information is processed. In addition, Fyber will flag to its demand partners and/or mediated ad networks that the user did not provide the consent required under GDPR and does not wish to be served with targeted ads on the app. In such cases, only contextual ads will be shown to that user. Contextual ads are ads that are served based on the content of the page, app or site the user is viewing, and not based on personal data of a user.
All of Fyber’s SDKs will be updated prior to May 25, 2018. Fyber will send all publishers an update when a new SDK is available for download.
As a service to publishers, all new SDK will include new APIs to communicate user consent provided on the app to Fyber and will also include features to propagate consent to Fyber’s demand partners and mediated ad networks.
Updating your apps to Fyber’s latest SDK is essential in ensuring your compliance with GDPR.
Fyber strongly recommends notifying your users that they must update their app to the latest version to ensure compliance with the new EU regulation.
During the SDK update transition period, Fyber will enable only contextual ads (see above) to your EEA users or, if requested by the publisher, to all users, by removing all personal data of users who have not provided explicit consent.
Will I have to update to the new SDK if I have already signed Fyber’s DPA?
Yes, we’ll ensure you’re GDPR compliant regardless of which SDK version you have, but in order to ensure you’re not limited to contextual ads, we recommend updating to the new SDK sooner vs. later.
Will Fyber still service apps with older SDKs?
Yes, but only with contextual ads to EEA users or, if requested by the publisher, to all users.
I need more time to present my own consent form to users, what happens in the meantime?
No worries, until then, we will serve contextual ads to all EEA users that did not provide explicit consent, or, if requested by the publisher, to all users.
Will Fyber update mediated ad networks bundles to the latest version of their SDKs?
Fyber will update bundles gradually as they become available by our mediated network partners.
What happens if the user does not provide consent?
Fyber will serve contextual ads to all users who declined consent.
What happens if a user withdraws his/her consent?
The publisher should provide the user with an option in the app or site to withdraw consent. If a user withdraws consent, the Fyber SDK will treat it as if the user declined consent. In such cases, the SDK automatically anonymizes GPS coordinate data and/or IP address before passing the ad request to demand partners for ad delivery, to ensure that no personal information is processed. In addition, Fyber will flag to its demand partners and/or mediated ad networks that the user did not provide the consent required under GDPR and does not wish to be served with targeted ads in the app. This user will receive contextual ads only.
What are contextual ads?
Contextual ads are ads that are based on the context of the app rather than on the behavioural preferences, or personal data of a particular app’s user. These ads may potentially generate less revenue for the publisher.
What if I integrate with Fyber through a server-to-server API or a tag?
Fyber’s API and JS tags will be updated to support a placeholder to communicate user consent.
What is Fyber’s data retention policy?
If a user on an app declined consent for his/her personal data to be processed for ad targeting, Fyber will do the following:
- Send demand partners a flag that indicates that a user has declined consent
- Anonymize GPS coordinate data and/or IP addresses before sending the ad request to demand partners
Fyber expects all demand partners to honor the user’s choice and comply with GDPR by serving only contextual ads to such user. Demand partners are prohibited from de-anonymizing personal data for ad delivery purpose.
Demand Partners FAQs
How is Fyber communicating consent to programmatic buyers?
Fyber adopted IAB’s proposed GDPR extensions for its programmatic exchanges.
Should demand partners expect to see less traffic from the EU starting May 25th?
No. The volume of traffic is expected to remain steady, however, bid requests may include the new GDPR ‘flags’ and may have anonymized data.
Is the Advertising ID going to remain in tact for all bid requests?
Yes, IDFAs and GAIDs will be sent out in bid requests, as usual.
Can we still bid on requests that state that user consent was declined?
Yes, you can still serve ads to EU users that declined consent, but only with contextual ads.
How is Fyber handling ad requests from users under the age 16?
For users that are known to be younger than 16, Fyber anonymizes all personal information in the bid request from that user, regardless of the user being within EEA or outside of it.
What if we cannot accommodate the new RTB extensions?
For a limited time, demand partners may still receive anonymized inventory until they update their integration. That said, Fyber strongly recommends to adhere to the new RTB specs and update integrations as soon as Fyber rolls out support for it, to ensure compliance with GDPR.