Last Modified: July 14, 2020
GDPR is the General Data Protection Regulation, approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. The main goal of the GDPR is to create a cohesive and common system of privacy laws across all EU member countries (which included the United Kingdom until January 31, 2020) and enhance the privacy of EU residents. Like the Data Protection Directive, the GDPR is a principle-based regulation, requiring personal data to be processed fairly, lawfully and transparently for defined purposes only. It requires a business to limit collection of personal data and to safeguard personal data in its possession.
The GDPR raises the bar for processing personal data based on the consent of the data subject. In order to rely on consent, marketers must be able to demonstrate that the individual took some affirmative step to provide consent. You cannot infer consent from inaction, and you cannot condition providing goods or services based on a user's consent. While this will be a limiting factor in the use of consumer data, it creates a prime opportunity for organizations: opted-in consumers offer brands the chance to create a more personalized customer experience with targeted offers, deals, and coupons that are most relevant to them. This should improve trust and provide better transparency between the brand and their customers.
From a security standpoint, Recital 49 requires organizations to defend their networks against "accidental events" or "malicious actions" that could end up compromising the privacy and confidentiality of the personal data they have collected, explicitly citing the threat from Distributed Denial of Service (DDoS) attacks. In the event of a breach, companies will have 72 hours to notify their local data protection authority.
Here is some additional information to explain what Neustar has done to meet the upcoming GDPR regulations:
GDPR doesn't mean the end of effective online marketing. GDPR compliance isn't rocket science - but it does require a thoughtful and creative review and refinement of data policies and procedures to ensure respect for the new, stronger data protection framework in an increasingly global conversation.
The data Neustar processes varies from product to product and sometimes from customer to customer. To ensure GDPR compliance and changing privacy norms, Neustar treats any information that is or reasonably can be linked to an identifiable natural person (a "data subject") as "personal data." This includes obviously personal information such as name, address, telephone number, email address, etc., as well as persistent identifiers such as government issued IDs, IP addresses, cookie IDs, advertising IDs, precise location data, etc. We have implemented administrative, technical, and physical safeguards to maintain consumer privacy by segregating information that directly identifies an individual from machine or pseudonymous identifiers.
Neustar has certified its adherence to the US/EU Privacy Shield framework, which serves as an adequacy determination under EU data protection law. (We've also certified our compliance under the US/Swiss Privacy Shield framework.)
Though no longer part of the EU, transfers of personal data from the UK may still be made in reliance on the Privacy Shield . Under the Withdrawal Agreement between the UK and the EU, EU law (including EU data protection law) will continue to apply to and in the UK during the Transition Period from January 31, 2020, until December 31, 2020. During the Transition Period, the European Commission’s decision on the adequacy of the protection provided by Privacy Shield will continue to apply to transfers of personal data from the UK to Privacy Shield participants. At the end of the Transition Period Neustar will continue to be able to rely on Privacy Shield to support data transfers from the UK based on its public commitment to honor the framework principles with respect to personal data transferred from the UK.
TrustArc - an approved provider - reviews and certifies our compliance and also provides independent dispute resolution services. TrustArc has also certified Neustar's compliance with the European Digital Advertising Alliance code (www.youronlinechoices.eu). We have entered into appropriate Data Protection Agreements, including GDPR required provisions and Model Controller-Processor clauses, with our affiliates and subprocessors, and Neustar will execute EU-approved Model Clauses and/or other addendums related to data privacy as appropriate based on our processing of personal data in the context of the applicable relationship with our clients, partners and vendors.
Neustar adopted Privacy by Design principles in 2012 and has always complied with Fair Information Practice Principles (FIPPs). To ensure compliance with GDPR requirements, we have conducted an enterprise-wise Business Impact Analysis, reviewed and updated all of our Privacy Impact Assessments (PIAs), and created Data Protection Impact Assessments (DPIAs) as required. Our personal data processing practices are described in our online privacy statement here. We describe the choices available to data subjects on our website here, and include links to additional information a tools offered by the Network Advertising Initiative (NAI), the Digital Advertising Alliance (DAA), and the European Digital Advertising Alliance (EDAA). We only collect personal data needed to provide our services, and process personal data only for specified or compatible purposes. Individuals may opt-out of data collection for marketing analytics on our website, as well as on the NAI, DAA, and/or EDAA platforms. We pseudonymize data promptly upon collection, aggregate data for reporting purposes, and promptly honor all opt-out requests. We do not process special categories of data ("sensitive data") and we do not permit our services to be used to determine an individual's eligibility for credit, employment, housing, or for other purposes that produce legal effects or otherwise significantly affects the data subject. Neustar has adopted industry best practices such as ISO 27001 compliant data security policies and procedures.
Neustar is a member of the Digital Advertising Alliance ("DAA") and adheres to each organization's Codes and Principles. Our IDMP adheres to the European Interactive Digital Advertising Alliance's ("EDAA") principles described at: www.youronlinechoices.eu. Neustar and its subsidiaries participate in, comply with and have certified their compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom and/or Switzerland, as applicable. Neustar has received the TrustArc (TRUSTe) Privacy Seal signifying that this privacy statement and our practices have been reviewed for compliance with the TRUSTe program and enabling individuals with unresolved privacy or data use concern that we have not addressed satisfactorily, to contact TRUSTe directly at https://feedback-form.truste.com/watchdog/request. Neustar also participates in the IAB Europe Transparency & Consent Framework, which is designed to help all parties in the digital advertising chain ensure that they comply with the EU's General Data Protection Regulation and ePrivacy Directive when processing personal data or accessing and/or storing information on a user's device, such as cookies, advertising identifiers, device identifiers and other tracking technologies.
All of our offerings are designed to serve the legitimate interests of our customers in understanding and enhancing the effectiveness of their advertising efforts, identifying and preventing fraud and malicious online activity, and facilitating safe and reliable user experiences without compromising fundamental privacy rights.
As previously indicated, Neustar adopted "Privacy by Design" principles in 2012, and since that time has implemented appropriate technical and organizational measure designed to implement data protection principles by default. As a matter of standard practice we prepare privacy impact assessments for products/services involving personal data processing. We modified our PIA templates to comply with the GDPR DPIA requirements where the nature, scope, context and purposes of personal data process is likely to result in a high risk to the rights and freedoms of natural persons. Processors in the United States have long been subject to data breach notification obligations, both to data subjects and to regulators, so we are familiar with these processes. Neustar has reviewed, revised, and updated our privacy and security policies to reflect the highest standards. We are accountable for processing undertaken as a data controller, and as a processor we limit our activities via contract to processing undertaken at the direction and on behalf of the data processor. Neustar is currently rolling out a new data architecture, which streamlines and automates data ingestion, inventory, security, and governance. We took necessary steps to document our processing activities in accordance with Article 30 of the GDPR, and as (previously) a Safe Harbor participant and (currently) a Privacy Shield participant, we have long agreed to cooperate with EU, UK and Swiss supervisory authorities.
Neustar honors all data subject requests to opt-out of the processing of their personal data. Subject to the limitations contained in Article 11 of the GDPR, Neustar honors access, rectification, erasure, and portability requests. Neustar does not permit use of its services for automated individual decision-making that produces legal effects or otherwise significantly affects a data subject.
We enhanced our existing online request portal to handle these requests and will also accept emails sent to firstname.lastname@example.org. We comply with the GDPR requirement to provide information without undue delay and in any event within one month of receipt of the request.
Much of the data collected and maintained by Neustar as a data controller or on behalf of our customers is proprietary and/or "derived" or "inferred" data that is not subject to the GDPR's portability requirement. Because the pseudonymized data is of extremely limited utility to individuals and its processing for advertising analytics purposes is justified by the legitimate interests of the data controller not outweighed by the individual's privacy rights, we do not believe that the portability obligations apply. We reviewed our procedures carefully to facilitate efficient receipt and fulfillment of data subject rights requests where they do apply, and continue to enhance the functionality of our data subject access portal.
Unlike the right to opt-out of direct marketing, the right "to be forgotten" is not an absolute right under the GDPR. Organizations may continue to process data if it remains necessary for the purposes for which it was originally collected and has a legal ground (other than consent) for processing. As indicated above, there are legitimate reasons for processing pseudonymized personal data for advertising analytics and fraud prevention that are proportionate to the privacy rights of data subjects.
While certain opt-outs and subject access requests can be automated, it is extremely important to avoid release of personal data about one person to another. Accordingly, Neustar requires sufficient information about the individual's identity in order to ensure that the person making the request is the individual to whom the data relates (or someone authorized by the data subject). The amount of information depends on the nature of the data requested and the means through which it is submitted. For example, if the requestor provides a Cookie ID or places the request electronically, it may be possible to confirm that the Cookies match without requesting additional information. In other cases, we require reasonable evidence of identity and/or EEA/UK presence. While we do have some forms of identification that we will always accept, we are always willing to work with the data subject.
Kevin Hughes, Executive Vice President and General Counsel, has been appointed Neustar's Data Protection Officer.
We collect the following data elements in connection with our IDMP and MTA service
Based on the processes described above, with the exception of the transitory storage of full IP addresses, we pseudonymize all potential personal data, and associate this information with alphanumeric cookie IDs. This information is then aggregated to provide information about the number of unique impressions, engagements and conversions per campaign, advertiser, site, audience or location. The aggregation process removes any cookie-level information, i.e., all potential personal data. We retain pseudonymous cookie-level data (events, hashed/truncated IP addresses, URLs) for up to 19 months, and aggregated events data for up to 18 months.
Personal data is not required for MMM service. The following aggregated data may be provided by the data exporter. Please note that these are only examples of types of data collected and is subject to change after closer analysis and review of the customer's business needs.
At this time, Neustar does not offer its FRC products outside of the United States.