GDPR Guidelines & Changes

Background

GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy for all individuals within the European Union, in effect since 25th May 2018. Beeswax is fully committed to GDPR compliance in support of our diverse and sophisticated customers around the world.

In a broad sense, Beeswax is a Data Processor, as defined under the law, and follows the instructions of our customers, suppliers, and data providers as to the disposition of data in our system. Regarding our third party and supply (exchange) partnerships, we expect them to comply with the law and obtain consent as required by the regulations. We are also continually engaged in discussions with our various partners regarding their GDPR compliance.

We are committed to the European market and have a strong customer base in the region. Our data center is in the AWS Dublin region, and all data that leaves the EU is protected under our EU-US Privacy Shield certification.

Beeswax Internal Changes and Protections

Beeswax has been busy working to audit and review all of our data processes to comply with the GDPR requirements. These activities have included:

  • Keeping data secure within our systems
  • Maintaining our opt-out process and extending to mobile IDs
  • Supporting the various obligations around data subject requests

New and Changed Fields in Log Files

To prepare for the forthcoming GDPR regulations in the European Union, Beeswax is taking steps to help our customers comply. Certain fields that are commonly used in RTB are considered “Personal Data”. In order to protect this data from being used or transferred outside of the Beeswax service, we will be making changes to these fields when passed in macros, bidding agent requests, augmentor requests, and log files. Specifically, for requests subject to GDPR handling without user consent, the following fields will be affected:

| Raw Log Field Name | Proto Field Name | GDPR Handling |
| --- | --- | --- |
| platform_device_ifa | Device.ifa | blank |
| platform_device_idfa | Device.idfa | blank |
| platform_device_didmd5 | Device.didmd5 | blank |
| platform_device_didsha1 | Device.didsha1 | blank |
| platform_device_dpidmd5 | Device.dpidmd5 | blank |
| platform_device_dpidsha1 | Device.dpidsha1 | blank |
| user_id | N/A | blank |
| geo_lat | Device.lat | truncated to 3 decimal places |
| geo_long | Device.long | truncated to 3 decimal places |
| ua | Device.ua | blank |
| ip_address | Device.ip | truncated to 3 octets |
| ipv6_address | Device.ipv6 | truncated to 7 octets |
| inventory_source_user_id | User.id | blank |

Notes:

  • These fields will be impacted only when the request is subject to GDPR handling and we have determined that you do not have user consent. This means that not all records will have those fields modified.
  • Truncating geo_lat and geo_long reduces their accuracy to approximately 100 meters

Additionally, for records subject to GDPR handling and without consent, the following fields will be added:

| Raw Log Field Name | Proto Field Name | GDPR Handling |
| --- | --- | --- |
| user_id_hashed | N/A | pseudo-anonymized version of the original user ID |
| ip_address_hashed | DeviceExtensions.ip_hashed | pseudo-anonymized version of the original IP address |
| ipv6_address_hashed | DeviceExtensions.ipv6_hashed | pseudo-anonymized version of the original IPv6 address |
| is_gdpr | RegulationsExtensions.gdpr | true or false, whether the record was subject to GDPR handling |
| gdpr_consent_string | RegulationsExtensions.gdpr_consent_string | the raw IAB consent string, or “daisybit”, provided in the request |

Notes:

  • The first three fields (user_id_hashed, ip_address_hashed, ipv6_address_hashed) will be populated only when the request is subject to GDPR handling and we have determined that you do not have user consent. This means that not all records will have those fields populated.
  • The hashed IP address fields are the hashed versions of the full IP address, not the truncated IP address. The IP address fields will continue to contain truncated IP addresses in the EU
  • The hashed user ID and hashed IP address fields may be used for counting (i.e. counting reach or frequency), but not for identification
    • This means that, for instance, you will not be able to upload those values for targeting
  • The IAB consent string is base64-encoded. For the full specification, see here.

Example:

The following win log record (non-relevant fields elided), shown first as it appears before GDPR is in effect, is transformed as follows:

Original:

ip_address,ip_range,platform_device_didmd5,platform_device_didsha1,platform_device_dpidmd5,platform_device_dpidsha1,platform_device_idfa,platform_device_ifa,user_id,geo_lat,geo_lon,ipv6_address

166.137.139.31,166.137.139.31,fb5895f534ce1b5e71d74133dfd988ed,de42e1bf24c4c155761c6d38b8bc6e8de4f1c780,fb5895f534ce1b5e71d74133dfd988ed,de42e1bf24c4c155761c6d38b8bc6e8de4f1c780,9ba0861f-8f0d-4cc1-864e-35e5e8e2a28c,9ba0861f-8f0d-4cc1-864e-35e5e8e2a28c,mid.9BA0861F-8F0D-4CC1-864E-35E5E8E2A28C,43.0668,-85.9347,2001:0db8:85a3:0000:0000:8a2e:0370:7334

Post-GDPR:

ip_address,ip_range,platform_device_didmd5,platform_device_didsha1,platform_device_dpidmd5,platform_device_dpidsha1,platform_device_idfa,platform_device_ifa,user_id,geo_lat,geo_lon,ipv6_address,user_id_hashed,ip_address_hashed,ipv6_address_hashed,is_gdpr,gdpr_consent_string

166.137.139.0,166.137.139.0,,,,,,,,43.066,-85.934,2001:0db8:85a3:0000:0000:8a2e:0370:,158cf0d279c2c3c394a9a955a0a11758b52590715a39e5ddec313604d2d378c1,158cf0d279c2c3c394a9a955a0a11758b52590715a39e5ddec313604d2d378c1,158cf0d279c2c3c394a9a955a0a11758b52590715a39e5ddec313604d2d378c1,true,BOMqcNeOMqcNeAAABAENAEAAABAArAAA
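The field handling from the tables above, written out as an added example (not Beeswax's code) and run on a subset of the Original record. The page does not name the hash construction, so HMAC-SHA-256 under a hypothetical key is an assumption here, as are the function names.

```python
import hashlib
import hmac
import ipaddress

# Fields the page lists as blanked when GDPR applies and consent is absent.
BLANKED = ("platform_device_ifa", "platform_device_idfa", "platform_device_didmd5",
           "platform_device_didsha1", "platform_device_dpidmd5",
           "platform_device_dpidsha1", "user_id", "ua", "inventory_source_user_id")

def truncate_coord(value):
    """Cut (not round) to 3 decimals: 43.0668 -> 43.066, -85.9347 -> -85.934."""
    whole, dot, frac = value.partition(".")
    return whole + dot + frac[:3]

def truncate_ip(value):
    """Keep 3 IPv4 octets or 7 IPv6 groups; blank anything that does not parse."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return ""  # fail closed: never pass an unrecognised format through
    if addr.version == 4:
        return ".".join(str(addr).split(".")[:3] + ["0"])
    return ":".join(addr.exploded.split(":")[:7]) + ":"

def pseudonymize(value, key):
    """Assumption: HMAC-SHA-256 under a secret key (the page names no algorithm)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest() if value else ""

def apply_gdpr_handling(record, key):
    out = dict(record)
    # Hash first: the page says the hashed fields cover the full, untruncated values.
    for src in ("user_id", "ip_address", "ipv6_address"):
        out[src + "_hashed"] = pseudonymize(record.get(src, ""), key)
    for field in BLANKED:
        if field in out:
            out[field] = ""
    for field in ("geo_lat", "geo_long", "geo_lon"):  # the page uses both spellings
        if field in out:
            out[field] = truncate_coord(out[field])
    for field in ("ip_address", "ip_range", "ipv6_address"):  # ip_range per the example
        if field in out:
            out[field] = truncate_ip(out[field])
    out["is_gdpr"] = "true"
    return out

# Subset of the "Original" win log record shown on the page.
ORIGINAL = {"ip_address": "166.137.139.31", "ip_range": "166.137.139.31",
            "user_id": "mid.9BA0861F-8F0D-4CC1-864E-35E5E8E2A28C", "geo_lat": "43.0668",
            "geo_lon": "-85.9347", "ipv6_address": "2001:0db8:85a3:0000:0000:8a2e:0370:7334"}
REDACTED = apply_gdpr_handling(ORIGINAL, key=b"hypothetical-demo-key")
```

Rounding instead of truncating would give 43.067 and -85.935 for this record, which is why the coordinates are cut as strings.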

Changes to Macro Values

When a request is subject to GDPR handling, macros will change in the following way:

| Macro | GDPR Handling |
| --- | --- |
| {{USER_ID}} | Blank |
| {{IOS_ID}} | Blank |
| {{ANDROID_ID}} | Blank |
| {{LAT}} | Truncated to 3 decimal places |
| {{LONG}} | Truncated to 3 decimal places |
| {{USER_AGENT}} | Blank |
| {{IP_ADDRESS}} | Truncated to first 3 octets |
| {{IP_ADDRESS_IPV6}} | Truncated to first 7 octets |
| {{IS_GDPR}} | Will be set to 1 for GDPR requests. 1 means it is a request from the EU and is subject to GDPR. 0 means it is not a request from the EU and therefore not subject to GDPR. |
| {{IS_GDPR_CONSENTED}} | Will be set to 1 when the customer has the consent of the user and the auction is subject to GDPR (i.e. IS_GDPR=1). See below for further details. |

The table below details how the IS_GDPR and IS_GDPR_CONSENTED macros expand in different scenarios, according to whether the auction is subject to GDPR and whether consent is present.

| Scenario | Macro Value |
| --- | --- |
| Auction regulated by GDPR and Customer has consent. | {{IS_GDPR}} = 1, {{IS_GDPR_CONSENTED}} = 1 |
| Auction regulated by GDPR and Customer does not have consent. | {{IS_GDPR}} = 1, {{IS_GDPR_CONSENTED}} = 0 |
| Auction not regulated by GDPR. | {{IS_GDPR}} = 0, {{IS_GDPR_CONSENTED}} = 0 |

Exchange Integration and Consent

While each exchange/SSP is taking its own approach to gaining end-user consent, we believe that the most common workflow will be for publishers to ask for consent for the exchange, but allow DSPs to get access to user data under a category or blanket permission. Some exchanges will require that each DSP (such as Beeswax) get affirmative consent from the user in order to see auctions. In order to maximize our reach in Europe, Beeswax has registered under the IAB EU's framework as a named vendor.

Upcoming Changes to Consent String Handling

If you are a registered IAB Vendor or Google AdX Provider please reach out to your account manager and provide your vendor IDs. Here is how Beeswax supports consent strings:

  • For a given EU auction, if your vendor ID is present on the OpenRTB TCF (v. 2.0) consent string (user.ext.consent field) or the Google AdX consented_providers_settings field, we will send you personal data in the clear. This includes raw logs, callouts to your custom bidding agent or data augmentor, as well as creative macros.
  • If you are not given explicit consent on an EU auction we will follow the normal treatment of personal data as outlined above.
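An added example, not Beeswax's implementation, of checking whether a vendor ID holds consent in an IAB consent string, using the bit layouts of the IAB TCF v1.1 and v2 specifications. It reads the vendor consent section only (purposes and legitimate interest are ignored), and the function names are hypothetical.

```python
import base64

# Bit offset of MaxVendorId: 156 in TCF v1.1, 213 in the TCF v2 core segment.
MAX_VENDOR_OFFSET = {1: 156, 2: 213}

def consent_bits(consent):
    """Decode the base64url consent string (first segment only) to a bit string."""
    core = consent.split(".")[0]
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    return "".join(f"{byte:08b}" for byte in raw)

def read(bits, pos, width):
    """Read an unsigned integer field, rejecting reads past the end of the string."""
    if pos + width > len(bits):
        raise ValueError("consent string truncated")
    return int(bits[pos:pos + width], 2)

def vendor_consented(consent, vendor_id):
    """True only if the string grants consent to vendor_id; fail closed on errors."""
    try:
        bits = consent_bits(consent)
        version = read(bits, 0, 6)
        pos = MAX_VENDOR_OFFSET[version]
        max_vendor = read(bits, pos, 16)
        is_range = read(bits, pos + 16, 1) == 1
        pos += 17
        if not 1 <= vendor_id <= max_vendor:
            return False
        if not is_range:                      # bitfield: one bit per vendor ID
            return read(bits, pos + vendor_id - 1, 1) == 1
        default = False
        if version == 1:                      # v1 ranges list exceptions to a default
            default = read(bits, pos, 1) == 1
            pos += 1
        entries = read(bits, pos, 12)
        pos += 12
        for _ in range(entries):
            single = read(bits, pos, 1) == 0
            start = read(bits, pos + 1, 16)
            end = start if single else read(bits, pos + 17, 16)
            pos += 17 if single else 33
            if start <= vendor_id <= end:
                return not default
        return default
    except (KeyError, IndexError, ValueError):
        return False  # malformed, truncated or unknown version: treat as no consent

# The gdpr_consent_string from the page's Post-GDPR record (a TCF v1 string).
PAGE_EXAMPLE = "BOMqcNeOMqcNeAAABAENAEAAABAArAAA"
```

The page's example string uses range encoding with default consent set and no exceptions, so vendor IDs 1 through 10 are consented and anything above 10 is not.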

We are separately reviewing how we will handle cases when the exchange does not send a consent string in the auction, and will update this article as we learn more.

Customer Data

Most Beeswax customers upload some data to our Bidder-as-a-Service™ in order to execute campaigns. Per our contractual terms, this data must be collected in accordance with "Applicable Laws", which now includes GDPR. It is our expectation and our customers' responsibility that all data uploaded to Beeswax (including any data uploaded prior to GDPR) in any form comply with this requirement.

Beeswax acts as a Data Processor with regard to Customer Data, which means we only use it upon our Customers' instructions, but are responsible for security and control of the data. To prepare for GDPR we have taken a number of steps to uphold these responsibilities:

  • We have undertaken a complete internal audit of all of our data systems in order to understand at a granular level where such systems touch Personal Data.
  • We have appointed a Data Protection Officer ("DPO") in compliance with the law.
  • We have instituted security procedures such that in the unlikely event of a data breach we are able to fulfill the necessary notification obligations.
  • We are in the process of updating our privacy policy.
  • We have ensured that any sub-processors we contract with are either not receiving any Personal Data or are similarly compliant to our standards.
  • We are in the process of enhancing our opt-out capabilities to allow mobile IDs to be removed from serving.

Changes in Supply from Exchange Partners (as of June 14, 2018)

The number of auctions we access in the EU has gone down less than expected. Here are a couple of things to note:

  • Currently the majority (80%+) of MoPub auctions from EU countries contain a zeroed out device ID (i.e. 00000000-0000-0000-0000-000000000000)
    • Starting Monday June 18th we will remove these device IDs from auctions so that they are treated as “User ID Not Present” in targeting and filtering
    • MoPub has stated that as their publishers upgrade to MoPub SDK 5.0 version or higher, the number of auctions with device IDs in the clear will steadily increase
  • Google AdX supply was only nominally affected in the EU. All auctions we are receiving have personal data in the clear.

Further Questions

If you have further questions about Beeswax's GDPR compliance, please feel free to reach out to your Account Manager or to support@beeswax.com.
