GDPR: What You Need to Know

This document was last modified on and has an effective date of December 23, 2022.

GDPR is the General Data Protection Regulation, approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. The main goal of the GDPR is to create a cohesive and common system of privacy laws across all EU member countries and enhance the privacy of EU residents. Like the Data Protection Directive, the GDPR is a principle-based regulation, requiring personal data to be processed fairly, lawfully and transparently for defined purposes only. It requires a business to limit collection of personal data and to safeguard personal data in its possession.

The GDPR raises the bar for processing personal data based on the consent of the data subject. In order to rely on consent, marketers must be able to demonstrate that the individual took some affirmative step to provide consent. You cannot infer consent from inaction, and you cannot condition providing goods or services based on a user's consent. While this will be a limiting factor in the use of consumer data, it creates a prime opportunity for organizations: opted-in consumers offer brands the chance to create a more personalized customer experience with targeted offers, deals, and coupons that are most relevant to them. This should improve trust and provide better transparency between the brand and their customers.

From a security standpoint, Recital 49 requires organizations to defend their networks against "accidental events" or "malicious actions" that could end up compromising the privacy and confidentiality of the personal data they have collected, explicitly citing the threat from Distributed Denial of Service (DDoS) attacks. In the event of a breach, companies will have 72 hours to notify their local data protection authority.

Here is some additional information to explain what Neustar has done to meet the upcoming GDPR regulations:

• We reviewed and updated our existing Privacy Impact Assessments (PIAs) and reviewed the need to create Data Protection Impact Analysis (DPIAs) for relevant products and services. As part of this review, we updated our data inventories, documented our processing activities, articulated the lawful basis for any personal data processing subject to GDPR, and identified and mitigated associated privacy risks to ensure alignment with GDPR requirements.
• We adopted SOC-2 and ISO 27001 compliant data security standards and an enterprise-wide Privacy and Confidentiality Policy embodying GDPR principles and requirements.
• We built a streamlined data ingestion, inventory, retention/purge and processing systems and technologies to automate the application of our data governance policies.
• We reviewed and revised our privacy notices and transparency processes as well as our processes for receiving and responding to data subject requests for access, correction, erasure, objection, and portability as applicable.
• We created a GDPR compliant portal for receiving and processing Data Subject requests, including requests for confirmation of processing, access, correction, objection, and erasure of personal data.
• We reviewed and revised our customer and vendor facing contractual documentation to ensure that our obligations under GDPR - and our customers' - are fully reflected.
• We designated a Data Protection Officer and an EU Representative.
• We enhanced our existing privacy and security training to include GDPR-specific training.
• To support international data transfers, Neustar has certified its compliance with the US/EU and US/Swiss Privacy Shield frameworks, the European Interactive Digital Advertising Alliance (EDAA) Self-Regulatory Program and its US Counterpart (DAA). We are also compliant with the TRUSTe's TRUSTED Data Program. We have revised our vendor agreements and oversight practices to ensure GDPR compliance when we use subprocessors.

GDPR doesn't mean the end of effective online marketing. GDPR compliance isn't rocket science - but it does require a thoughtful and creative review and refinement of data policies and procedures to ensure respect for the new, stronger data protection framework in an increasingly global conversation.

1. What personal data does Neustar collect and how is GDPR compliance achieved?

The data Neustar processes varies from product to product and sometimes from customer to customer. To ensure GDPR compliance and changing privacy norms, Neustar treats any information that is or reasonably can be linked to an identifiable natural person (a "data subject") as "personal data." This includes obviously personal information such as name, address, telephone number, email address, etc., as well as persistent identifiers such as government issued IDs, IP addresses, cookie IDs, advertising IDs, precise location data, etc. We have implemented administrative, technical, and physical safeguards to maintain consumer privacy by segregating information that directly identifies an individual from machine or pseudonymous identifiers.

2. What is the legal basis for transferring data collected in Europe (including the United Kingdom) to the United States and elsewhere?

In most cases, where Neustar, acting as a data controller, processes personal data about Europeans, the processing is (i) necessary for the purposes of the legitimate interests of Neustar or its customers, and (ii) proportionate, i.e., those interests are not overridden by the interests or fundamental rights and freedoms of European data subjects. Other processing is undertaken with the freely given, specific and informed consent of the data subject. When we process personal data on behalf and at the direction of our customers, we require them, as controllers, to indicate that their collection and processing of personal data we handle is consistent with applicable data protection law, including the GDPR.

Neustar has certified its adherence to the US/EU Privacy Shield framework as well as the US/Swiss Privacy Shield framework. While this certification no longer services as an adequacy determination under EU data protection law, Neustar is hopeful that current US/EU discussions will identify a satisfactory framework. (For further information on this, please see Neustar’s Response to Schrems II.) In the meanwhile, we continue to adhere to the Privacy Shield Principles and Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate safeguards for personal data about EU residents transferred to the US. In compliance with the Privacy Shield Principles, Neustar commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Neustar at the addresses provided in the Privacy Statement. EU data subjects who do not receive a timely response or believe that their complaint has not been resolved may then contact our dispute resolution service provider, JAMS, at: Privacy Shield Dispute Resolution. The services of JAMS are provided at no cost.

We have adopted the revised SCCs, approved by the Commission on 4 June 2021 going forward and will transition existing agreements to the new SCCs by 27 December 2022. Pending completion of the consultation now underway by the UK Information Commissioner Office (ICO) transfers of personal data from the UK will be governed by the SCCs plus the UK Addendum to the EU Standard Contractual Clauses published by ICO.

3. How does Neustar comply with the GDPR principles, including lawful, fair and transparent processing, purpose limitation, collection minimization, accuracy, storage limitation, integrity and confidentiality, and accountability?

Neustar adopted Privacy by Design principles in 2012 and has always complied with Fair Information Practice Principles (FIPPs). To ensure compliance with GDPR requirements, we have conducted an enterprise-wise Business Impact Analysis, reviewed and updated all of our Privacy Impact Assessments (PIAs), and created Data Protection Impact Assessments (DPIAs) as required. Our personal data processing practices are described in our online privacy statement here. We describe the choices available to data subjects on our website here, and include links to additional information a tools offered by the Network Advertising Initiative (NAI), the Digital Advertising Alliance (DAA), and the European Digital Advertising Alliance (EDAA). We only collect personal data needed to provide our services, and process personal data only for specified or compatible purposes. Individuals may opt-out of data collection for marketing analytics on our website, as well as on the NAI, DAA, and/or EDAA platforms. We pseudonymize data promptly upon collection, aggregate data for reporting purposes, and promptly honor all opt-out requests. We do not process special categories of data ("sensitive data" as applicable to the GDPR) and we do not permit our services to be used to determine an individual's eligibility for credit, employment, housing, or for other purposes that produce legal effects or otherwise significantly affects the data subject. Neustar has adopted industry best practices such as ISO 27001 compliant data security policies and procedures.

Neustar is a member of the Digital Advertising Alliance ("DAA") and adheres to each organization's Codes and Principles. Our IDMP adheres to the European Interactive Digital Advertising Alliance's ("EDAA") principles described at: www.youronlinechoices.eu. Neustar and its subsidiaries participate in, comply with and have certified their compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom and/or Switzerland, as applicable. Neustar also participates in the IAB Europe Transparency & Consent Framework, which is designed to help all parties in the digital advertising chain ensure that they comply with the EU's General Data Protection Regulation and ePrivacy Directive when processing personal data or accessing and/or storing information on a user's device, such as cookies, advertising identifiers, device identifiers and other tracking technologies. (We are monitoring recent reports regarding the Belgian Data Protection Authority’s inquiry into the IAB Framework and will comply with any additional requirements imposed by the European Data Protection Board in this context.)

All of our offerings are designed to serve the legitimate interests of our customers in understanding and enhancing the effectiveness of their advertising efforts, identifying and preventing fraud and malicious online activity, and facilitating safe and reliable user experiences without compromising fundamental privacy rights.

4. How will Neustar comply with other controller/processor obligations?

As previously indicated, Neustar adopted "Privacy by Design" principles in 2012, and since that time has implemented appropriate technical and organizational measure designed to implement data protection principles by default. As a matter of standard practice we prepare privacy impact assessments for products/services involving personal data processing. We modified our PIA templates to comply with the GDPR DPIA requirements where the nature, scope, context and purposes of personal data process is likely to result in a high risk to the rights and freedoms of natural persons. Processors in the United States have long been subject to data breach notification obligations, both to data subjects and to regulators, so we are familiar with these processes. Neustar has reviewed, revised, and updated our privacy and security policies to reflect the highest standards. We are accountable for processing undertaken as a data controller, and as a processor we limit our activities via contract to processing undertaken at the direction and on behalf of the data processor. Neustar is currently rolling out a new data architecture, which streamlines and automates data ingestion, inventory, security, and governance. We took necessary steps to document our processing activities in accordance with Article 30 of the GDPR, and as (previously) a Safe Harbor participant and (currently) a Privacy Shield participant, we have long agreed to cooperate with EU, UK and Swiss supervisory authorities.

5. How will Neustar ensure compliance with a data subject's access, rectification, erasure and objection rights under GDPR?

Neustar honors all data subject requests to opt-out of the processing of their personal data. Subject to the limitations contained in Article 11 of the GDPR, Neustar honors access, rectification, erasure, and portability requests. Neustar does not permit use of its services for automated individual decision-making that produces legal effects or otherwise significantly affects a data subject.

We enhanced our existing online request portal to handle these requests and will also accept emails sent to privacy@team.neustar. We comply with the GDPR requirement to provide information without undue delay and in any event within one month of receipt of the request.

6. What about data portability and erasure requests?

Much of the data collected and maintained by Neustar as a data controller or on behalf of our customers is proprietary and/or "derived" or "inferred" data that is not subject to the GDPR's portability requirement. Because the pseudonymized data is of extremely limited utility to individuals and its processing for advertising analytics purposes is justified by the legitimate interests of the data controller not outweighed by the individual's privacy rights, we do not believe that the portability obligations apply. We reviewed our procedures carefully to facilitate efficient receipt and fulfillment of data subject rights requests where they do apply and continue to enhance the functionality of our data subject access portal.

Unlike the right to opt-out of direct marketing, the right "to be forgotten" is not an absolute right under the GDPR. Organizations may continue to process data if it remains necessary for the purposes for which it was originally collected and has a legal ground (other than consent) for processing. As indicated above, there are legitimate reasons for processing pseudonymized personal data for advertising analytics and fraud prevention that are proportionate to the privacy rights of data subjects.

7. How will Neustar ensure that it discloses information to the right person?

While certain opt-outs and subject access requests can be automated, it is extremely important to avoid release of personal data about one person to another. Accordingly, Neustar requires sufficient information about the individual's identity in order to ensure that the person making the request is the individual to whom the data relates (or someone authorized by the data subject). The amount of information depends on the nature of the data requested and the means through which it is submitted. For example, if the requestor provides a Cookie ID or places the request electronically, it may be possible to confirm that the Cookies match without requesting additional information. In other cases, we require reasonable evidence of identity and/or EEA/UK presence. While we do have some forms of identification that we will always accept, we are always willing to work with the data subject.

8. Who is Neustar's Data Protection Officer?

J. Beckwith Burr of HARRIS, WILTSHIRE & GRANNIS LLP has been appointed Neustar’s Data Protection Officer.

Appendix 1

Identity Data Management Platform (IDMP) & Multi-Touch Attribution (MTA)

We collect the following data elements in connection with our IDMP and MTA service

• Alphanumeric strings that indicate (i) the ad displayed; (ii) the user's engagement with the ad (e.g., click on, play video, etc.); and (iii) any conversion activity. These strings are not, on their own, personal data.
• IP Addresses, which we treat as personal data, are collected. The full IP address is captured in the application logs but deleted after 10 days. A truncated version of the IP address (i.e., last octet dropped) and one-way hashed IP addresses are securely transmitted to the US for use in preparing customer-analytics reports.
• IP Addresses may be used to help determine geolocation at city, town, country or DMA level.
• The referrer URL is collected, including query-string information, to provide improved measurement insights, such as impressions per website and to track non-taggable and organic/earned media clicks for measurement and attribution. Prior to using this data, however, we use algorithms to obfuscate potential personal information (e.g., IP addresses, passwords, emails, financial or other sensitive identifiers).
• If you are using our onboarding services (available in the UK and France only), we collect hashed email addresses from you, along with coded attribute data. In the UK and France, we also may collect hashed email addresses, mobile-ad identifiers, and/or city/metro area/provincial-level geolocation data from data partners.
• We may also collect hashed mobile-ad identifiers, and latitude and longitude values that are or are rendered imprecise.

Based on the processes described above, with the exception of the transitory storage of full IP addresses, we pseudonymize all potential personal data, and associate this information with alphanumeric cookie IDs. This information is then aggregated to provide information about the number of unique impressions, engagements and conversions per campaign, advertiser, site, audience or location. The aggregation process removes any cookie-level information, i.e., all potential personal data. We retain pseudonymous cookie-level data (events, hashed/truncated IP addresses, URLs) for up to 19 months, and aggregated events data for up to 18 months.

Marketing Mix Modeling

Personal data is not required for MMM service. The following aggregated data may be provided by the data exporter. Please note that these are only examples of types of data collected and is subject to change after closer analysis and review of the customer's business needs.

1. Type of marketing activity - including TV, Radio, Newspaper, Out of Home, Online Display, Online Video, Paid Search, Paid Social Media, Direct Catalog, Email, In-Store Marketing, Mobile SMS, Outbound Call Center, Sponsorship Activation, Sponsorship Media, Organic Social, or other paid marketing activity
2. Date or date range of the marketing activity
3. Monetary amount spent on the marketing activity
4. Location of the marketing activity when applicable — such as country, DMA, region, retail-store identifier, or other location information agreed upon by data exporter and importer
5. Products covered by the marketing activity when applicable — such as specific product, brand, division or other product information agreed upon by data exporter and importer
6. Measure of online marketing reach, which may include one (1) or more of the following:
   • Impressions
   • Clicks
   • Quantity
   • Circulation
   • GRPs
   • TRPs
   • Spots
   • Calls
   • Social Engagement
   • Event Activation Measure (i.e. Attendance)
   • Quantity Sent
   • Quantity Opened
7. Additional Information to distinguish the marketing activity from others of the same type can include the following:
   • Media Subtype (Banner, Wrap, etc.)
   • Network / Site Name / Site Type / Search Engine Name / Social Platform / Station / Station Type / Publication / Publication Type / Print Type
   • Length, Daypart
   • Creative Name / Campaign Name / Subject Line
   • Language
   • Program Type / Title
   • Size / Print Page Count
   • Device Type
   • Customer Type for Direct Marketing (Customer or Prospect)
   • Sponsorship Activation may include information on the category, subcategory and activation name of the activity

Fraud, Risk & Compliance Products

At this time, Neustar does not offer its FRC products outside of the United States.