GDPR is the General Data Protection Regulation, approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. The main goal of the GDPR is to create a cohesive and common system of privacy laws across all EU member countries and enhance the privacy of EU residents. Like the Data Protection Directive, the GDPR is a principle-based regulation, requiring personal data to be processed fairly, lawfully and transparently for defined purposes only. It requires a business to limit collection of personal data and to safeguard personal data in its possession.
The GDPR raises the bar for processing personal data based on the consent of the data subject. In order to rely on consent, marketers must be able to demonstrate that the individual took some affirmative step to provide it. Consent cannot be inferred from silence or inaction, and it is presumed not to be freely given where access to goods or services is made conditional on consent to processing that is not necessary for that service. While this will be a limiting factor in the use of consumer data, it creates a prime opportunity for organizations: opted-in consumers offer brands the chance to create a more personalized customer experience with targeted offers, deals, and coupons that are most relevant to them. This ultimately should improve trust and provide better transparency between the brand and its customers.
From a security standpoint, Recital 49 recognizes that processing personal data to the extent strictly necessary for network and information security is a legitimate interest, and it frames that security as the ability to resist “accidental events” or “unlawful or malicious actions” that compromise the availability, authenticity, integrity and confidentiality of personal data, explicitly citing the need to stop Distributed Denial of Service (DDoS) attacks. The binding security obligation itself sits in Article 32, which requires technical and organizational measures appropriate to the risk. In the event of a personal data breach that is likely to result in a risk to individuals, Article 33 gives controllers 72 hours from becoming aware of it to notify the competent supervisory authority, where feasible, with the reasons for any delay documented if notification is late.
Here is some additional information to explain what Neustar is doing to meet the GDPR before it applies:
GDPR doesn’t mean the end of effective online marketing. GDPR compliance isn’t rocket science, but it does require a thoughtful and creative review and refinement of data policies and procedures to ensure respect for the new, stronger data protection framework in an increasingly global conversation. Neustar’s GDPR compliance efforts are on track to deliver full compliance in advance of the 25 May 2018 enforcement date.
The data Neustar processes varies from product to product and sometimes from customer to customer. To meet the GDPR and changing privacy norms, Neustar treats any information that is or reasonably can be linked to an identifiable natural person (a “data subject”) as “personal data.” This includes obviously personal information such as name, address, telephone number, email address, etc., as well as persistent identifiers such as government-issued IDs, IP addresses, cookie IDs, advertising IDs, precise location data, etc. We have implemented administrative, technical, and physical safeguards to maintain consumer privacy by segregating information that directly identifies an individual from machine or pseudonymous identifiers.
Neustar has certified its adherence to the EU-U.S. Privacy Shield framework, which is covered by an adequacy decision under EU data protection law. (We’ve also certified our compliance under the Swiss-U.S. Privacy Shield framework.) TrustArc, an approved provider, reviews and certifies our compliance and also provides independent dispute resolution services. TrustArc has also certified Neustar’s compliance with the European Interactive Digital Advertising Alliance (EDAA) code (www.youronlinechoices.eu). We have entered into appropriate Data Protection Agreements, including GDPR-required provisions and Model Controller-Processor clauses, with our affiliates and subprocessors, and Neustar will execute EU-approved Model Clauses and Data Protection Addenda with customers.
Neustar adopted Privacy by Design principles in 2012 and has always complied with the Fair Information Practice Principles (FIPPs). To ensure compliance with GDPR requirements, we have conducted an enterprise-wide Business Impact Analysis and are currently reviewing and updating all of our Privacy Impact Assessments (PIAs) and creating Data Protection Impact Assessments (DPIAs) as required. Our personal data processing practices are described in our online privacy statement here. We describe the choices available to data subjects on our website here, and include links to additional information and tools offered by the Network Advertising Initiative (NAI), the Digital Advertising Alliance (DAA), and the European Interactive Digital Advertising Alliance (EDAA). We only collect personal data needed to provide our services, and process personal data only for specified or compatible purposes. Individuals may opt out of data collection for marketing analytics on our website, as well as on the NAI, DAA, and/or EDAA platforms. We pseudonymize data promptly upon collection, delete full IP addresses after 10 days, aggregate data for reporting, and promptly honor all opt-out requests. We do not process special categories of data (“sensitive data”), and we do not permit our services to be used to determine an individual's eligibility for credit, employment, or housing, or for other purposes that produce legal effects or otherwise significantly affect the data subject. Neustar has adopted industry best practices such as ISO 27001-compliant data security policies and procedures.
Neustar is a member of the Network Advertising Initiative (“NAI”) and the Digital Advertising Alliance (“DAA”) and adheres to each organization's Codes and Principles. Our IDMP adheres to the European Interactive Digital Advertising Alliance's (“EDAA”) principles described at www.youronlinechoices.eu. Neustar and its subsidiaries participate in and have certified their compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Neustar has received the TrustArc (TRUSTe) Privacy Seal, signifying that this privacy statement and our practices have been reviewed for compliance with the TRUSTe program. Individuals with an unresolved privacy or data use concern that we have not addressed satisfactorily may contact TRUSTe directly at https://feedback-form.truste.com/watchdog/request.
All of our offerings are designed to serve the legitimate interests of our customers in understanding and enhancing the effectiveness of their advertising efforts, identifying and preventing fraud and malicious online activity, and facilitating safe and reliable user experiences without compromising fundamental privacy rights.
As previously indicated, Neustar adopted “Privacy by Design” principles in 2012, and since that time has implemented appropriate technical and organizational measures designed to implement data protection principles by default. As a matter of standard practice we prepare privacy impact assessments for products/services involving personal data processing, and are modifying these templates to comply with the GDPR DPIA requirements where the nature, scope, context and purposes of personal data processing are likely to result in a high risk to the rights and freedoms of natural persons. Processors in the United States have long been subject to data breach notification obligations, both to data subjects and to regulators, so we are familiar with these processes (although, with respect to the IDMP, we do not believe that any breach compromising the pseudonymized data is likely to result in a high risk to the rights and freedoms of natural persons). Over the past year Neustar has reviewed, revised, and updated our privacy and security policies to reflect the highest standards. We are accountable for processing undertaken as a data controller, and as a processor we limit our activities via contract to processing undertaken at the direction and on behalf of the data controller. Neustar is currently rolling out a new data architecture, which streamlines and automates data ingestion, inventory, security, and governance. In advance of the May enforcement date, Neustar is implementing policies and procedures to document our processing activities in accordance with Article 30 of the GDPR, and as (previously) a Safe Harbor participant and (currently) a Privacy Shield participant, we have long agreed to cooperate with EU supervisory authorities.
Neustar honors all data subject requests to opt-out of the processing of their personal data. Subject to the limitations contained in Article 11 of the GDPR, Neustar will honor access, rectification, erasure, and portability requests. Neustar does not permit use of its services for automated individual decision-making that produces legal effects or otherwise significantly affects a data subject.
We are enhancing our existing online request portal to handle these requests and will also accept emails sent to firstname.lastname@example.org. We will comply with the GDPR requirement to provide information without undue delay and in any event within one month of receipt of the request.
Much of the data collected and maintained by Neustar as a data controller or on behalf of our customers is proprietary and/or “derived” or “inferred” data, which is not subject to the GDPR’s portability requirement. Moreover, the nature of this information is of extremely limited utility to individuals, and because the processing of pseudonymized personal data for advertising analytics purposes is justified by the legitimate interests of the data controller, not outweighed by the individual’s privacy rights, rather than by consent or contract, we do not believe that the portability obligations apply. We are reviewing our procedures carefully to identify modifications that can be made to facilitate efficient receipt and fulfillment of data subject rights requests where they do apply.
Unlike the right to opt out of direct marketing, the right “to be forgotten” is not an absolute right under the GDPR. Organizations may continue to process data if it remains necessary for the purposes for which it was originally collected and the organization has a legal ground (other than consent) for processing. As indicated above, there are legitimate reasons for processing pseudonymized personal data for advertising analytics and fraud prevention that are proportionate to the privacy rights of data subjects.
It is extremely important to avoid releasing personal data about one person to another. Accordingly, Neustar requires sufficient information about the individual’s identity to reasonably determine that the person making the request is the individual to whom the data relates (or someone authorized by the data subject). The amount of information required depends on the nature of the data requested and the means through which the request is submitted. For example, if the requestor provides a Cookie ID or places the request electronically from the browser in question, it may be possible to confirm that the cookies match without requesting additional information. In other cases, we will require reasonable evidence of identity. While we do have some forms of identification that we will always accept, we are always willing to work with the data subject. Neustar’s Data Opt Out Portal is being modified to address GDPR requirements.
J. Beckwith (“Becky”) Burr is Neustar’s Deputy General Counsel and Chief Privacy Officer, and has been designated as Neustar’s Data Protection Officer for GDPR purposes. As Neustar’s Chief Privacy Officer, Becky is responsible for implementing the company’s “privacy by design” program, and ensuring that the company maintains state-of-the-art privacy and data security to protect customer and consumer information.
Becky joined Neustar in 2012 from the Washington, DC office of Wilmer Cutler Pickering Hale and Dorr, where she was a partner in the Communications, Privacy and Internet Law Practice Group and the Financial Institutions Practice Group. Her practice was both regulatory and transactional, focused on e-commerce, information technology, intellectual property licensing, and international regulation of communications and information technology. While she was in private practice, she was consistently recognized as a leader in privacy, data security, and information technology law by Chambers, America’s Leading Lawyers in Business (Global), and The Best Lawyers in America.
Prior to joining WilmerHale, Becky served as the Associate Administrator and Director of International Affairs at the National Telecommunications and Information Administration (NTIA), where she was responsible for the privacy and Internet governance work streams described in the Clinton Administration’s Framework for Global Electronic Commerce. She also served as an Attorney Advisor at the Federal Trade Commission from 1995 to 1997, where she participated in developing the FTC’s approach to competition, consumer protection, and privacy/data protection in the digital marketplace.
We collect the following data elements in connection with our IDMP and MTA service:
Based on the processes described above, with the exception of the transitory storage of full IP addresses, we pseudonymize all potential personal data, and associate this information with alphanumeric cookie IDs. This information is then aggregated to provide information about the number of unique impressions, engagements and conversions per campaign, advertiser, site, audience or location. The aggregation process removes any cookie-level information, i.e., all potential personal data. We retain pseudonymous cookie-level data (events, hashed/truncated IP addresses, URLs) for up to 19 months, and aggregated events data for up to 18 months.
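The retention and pseudonymization practices described above (prompt pseudonymization, hashed/truncated IP addresses, deletion of full IPs after 10 days, cookie-level retention of up to 19 months, and aggregation that removes cookie-level data) map onto a small, testable pipeline. The following is an added example written for this page; it is not Neustar's code and does not describe its systems. Everything beyond the statement's own numbers is an assumption: the use of a keyed HMAC rather than a plain hash for the IP pseudonym (an unkeyed hash of an IPv4 address is reversible by enumerating all 2^32 addresses), the /24 and /48 truncation prefixes, the stripping of URL query strings and fragments, the 19 * 30-day approximation of "19 months", and the constructed sample events.

```python
# Added example, not Neustar's code: pseudonymize ad-measurement events,
# enforce two retention windows, and aggregate without cookie-level data.
import hmac
import hashlib
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit

# 10 days for full IPs is from the statement; "19 months" is approximated
# here as 19 * 30 days (assumption: calendar-month arithmetic is not used).
RAW_IP_TTL = timedelta(days=10)
COOKIE_LEVEL_TTL = timedelta(days=19 * 30)

# Assumption: a secret, periodically rotated key held outside the event store.
# Without a key, SHA-256(ip) is a relabeling, not a pseudonym: IPv4 has only
# 2**32 values and the whole table can be precomputed in minutes.
HMAC_KEY = b"example-rotated-secret-do-not-use"


def pseudonymize_ip(ip: str, key: bytes = HMAC_KEY) -> str:
    """Keyed hash of an IP: the same IP maps to the same token within one key period."""
    addr = ipaddress.ip_address(ip)           # validates and normalizes v4/v6
    mac = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()
    return mac[:32]                           # 128 bits is enough to join on


def truncate_ip(ip: str) -> str:
    """Lossy truncation: /24 for IPv4, /48 for IPv6 (prefix lengths are an assumption)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def strip_url(url: str) -> str:
    """Drop query string and fragment, which routinely carry emails, names or tokens."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def pseudonymize_event(event: dict, key: bytes = HMAC_KEY) -> dict:
    """Replace the raw IP with a keyed hash and a truncation. The raw IP is kept
    in its own field only so purge_expired() can delete it after RAW_IP_TTL."""
    return {
        "ts": event["ts"],
        "campaign": event["campaign"],
        "event_type": event["event_type"],
        "cookie_id": event["cookie_id"],      # already an opaque identifier
        "ip_hmac": pseudonymize_ip(event["ip"], key),
        "ip_trunc": truncate_ip(event["ip"]),
        "url": strip_url(event["url"]),
        "raw_ip": event["ip"],                # transitory, see purge_expired()
    }


def purge_expired(events: list, now: datetime) -> list:
    """Enforce both retention windows; returns the surviving records."""
    kept = []
    for e in events:
        age = now - e["ts"]
        if age > COOKIE_LEVEL_TTL:
            continue                          # cookie-level record expired
        e = dict(e)
        if age > RAW_IP_TTL:
            e.pop("raw_ip", None)             # full IP lives at most 10 days
        kept.append(e)
    return kept


def aggregate(events: list) -> dict:
    """Unique cookies per (campaign, event_type); output carries no cookie-level data."""
    uniques = defaultdict(set)
    for e in events:
        uniques[(e["campaign"], e["event_type"])].add(e["cookie_id"])
    return {k: len(v) for k, v in uniques.items()}


# Constructed sample events, not real traffic.
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)
RAW_EVENTS = [
    {"ts": NOW - timedelta(days=1), "campaign": "spring", "event_type": "impression",
     "cookie_id": "c1", "ip": "203.0.113.7", "url": "https://shop.example/?email=a@b.test"},
    {"ts": NOW - timedelta(days=12), "campaign": "spring", "event_type": "impression",
     "cookie_id": "c2", "ip": "203.0.113.9", "url": "https://shop.example/sale"},
    {"ts": NOW - timedelta(days=12), "campaign": "spring", "event_type": "conversion",
     "cookie_id": "c2", "ip": "2001:db8::1", "url": "https://shop.example/thanks#order=42"},
    {"ts": NOW - timedelta(days=600), "campaign": "winter", "event_type": "impression",
     "cookie_id": "c3", "ip": "198.51.100.1", "url": "https://shop.example/"},
]


def run_pipeline(raw_events: list = RAW_EVENTS, now: datetime = NOW):
    """Pseudonymize, apply retention, aggregate; returns (cookie_level, aggregates)."""
    pseudo = [pseudonymize_event(e) for e in raw_events]
    kept = purge_expired(pseudo, now)
    return kept, aggregate(kept)


if __name__ == "__main__":
    cookie_level, totals = run_pipeline()
    for row in cookie_level:
        print(row)
    print(totals)
```

Running it on the constructed events keeps the raw IP only on the one-day-old record, drops it from the twelve-day-old records, discards the 600-day-old record entirely, and produces per-campaign unique counts that contain no cookie IDs. Rotating `HMAC_KEY` breaks linkage across key periods by design, so the rotation interval is itself a retention decision.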
Personal data is not required for the MMM service. The following aggregated data may be provided by the data exporter. Please note that these are only examples of the types of data collected and are subject to change after closer analysis and review of the customer’s business needs.
At this time, Neustar does not offer its FRC products outside of the United States.