IAB in the News

GDPR Update

Wed, 07 Feb 2018

On April 27th 2016 the European Union adopted the General Data Protection Regulation (GDPR). The GDPR will become applicable law in the EU and European Economic Area on May 25th 2018.

The GDPR’s purpose is to create a coherent data protection framework across the EU. In doing this, GDPR substantially enhances data protection and privacy rights for people in the EU.

The GDPR will not only apply to companies in the EU but to any company, in any part of the globe offering goods or services to EU citizens where personal data is collected either electronically or manually, or that company monitors the behaviour of individuals within the EU. Non-EU businesses processing the data of EU citizens will have to appoint a representative in the EU.

The GDPR grants ‘Data Protection Authorities’ (DPA’s) of the EU the power to levy significant administrative fines against organisations found in breach of the law. Depending on the severity of the infringement, these fines can reach up to 20 million euros or 4 per cent of global turnover – whichever is greater.

There are six general principles of data privacy under the GDPR:

  1. Lawfulness, fairness and transparency of data processing – consent is the legal basis for processing data.
  2. Purpose limitation: personal data should be collected for specific, explicit and legitimate purposes.
  3. Data minimisation: only personal data relevant to the specific purpose should be saved and processed.
  4. Accuracy of Data: any inaccurate personal data should be corrected or deleted. Where necessary, data must be kept up-to-date.
  5. Retention of Data: Data must be kept in an identifiable format and no longer than necessary.
  6. Integrity and confidentiality: data must be kept secure.

For the purposes of the regulation personal data can include a wide range of identifiers such as:

  1. IP Address
  2. Cookies
  3. Location Data
  4. RFID
  5. Personal data that has been pseudonymised
  6. Sensitive Personal Data such as genetic data or biometric data


The GDPR places a high standard for consent. The following standards apply:

  1. The Consent must be lawful.
  2. Consent should put individuals in control.
  3. Consent requires a positive opt-in not pre-checked or pre-conditioned
  4. Requests for consent must be prominent and separate from T’s & C’s.
  5. Clear, concise plain language that is easy to understand.
  6. Specify why you want the data and what you will do with it, who controls it and who processes it.
  7. Consent, if already gained prior to May 25th 2018 must be rechecked against GDPR standards and if doesn’t meet standards consent must be requested again.
  8. Individuals must be told they can withdraw their consent and when requests for consent are received they are actioned and advised in a timely manner.
  9. Ensure individuals can refuse consent without detriment.
  10. If online services are offered to children, consent is sought by age verification and parental-consent.
  11. Records must be kept of when and how consent was gained and what was advised at the time of consent.
  12. Consents must be refreshed at appropriate levels.

The GDPR protects an individual’s rights in the following ways:

  1. The right of consent
  2. The right to be informed
  3. The right of access
  4. The right to rectification
  5. The right to erase
  6. The right to restrict processing
  7. The right to data portability
  8. The right to object
  9. Rights in relation to automated decision making and profiling i.e. AI


What does this mean for the Online Advertising Industry?

Companies that wish to track online users (i.e. EU citizens) and collect data about them will have to get clear and voluntary consent. This can’t include pre-marked opt-in boxes and companies can’t deny access to users if they don’t consent. Also, consent will have to be received for each activity. So, for example, if a company wants to track a user’s behaviour via web analytics AND use their data for advertising, then they will have to get consent for both activities.

GDPR applies to first, second and third party data if the data relates to an ‘identifiable person’ who can be directly or indirectly identified in particular by reference to an identifier.

Therefore, how data is obtained, used and consented will be of paramount consideration at every level in the online ad ecosystem.

The GDPR requires advertisers to obtain active consent from customers, which will involve them specifically opting in to, rather than out of, a transaction.

While some organisations may be able to circumvent this by limiting premium services to those who opt in for data collection, such as customers agreeing to the collection of cookies, obtaining consent for programmatic advertising could cause difficulties. From May, if advertisers have not obtained specific consent from individuals, they cannot market to them in any shape or form.

The reach of the GDPR in New Zealand

 The following New Zealand digital media and advertising companies are captured by the GDPR regulations on data processing:

  • A New Zealand Digital Media or Advertising business with an office in the EU
  • A New Zealand Digital Media or Advertising business whose website targets EU customers for example by enabling them to order products in a European language (other than English) or enabling payments in euros
  • A New Zealand Digital Media or Advertising business whose website mentions customers or users in the EU; or
  • A New Zealand Digital Media or Advertising business that tracks individuals in the EU on the Internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes

IABNZ recommends that before the new regulation comes into force (25 May 2018), that New Zealand digital media and advertising businesses think about whether they are impacted by the changes. If the answer is ‘yes’ then start planning for the procedural, legal and operational changes necessary to ensure you stay on the right side of the new laws.

Current Data Protection Concepts for Digital Media Companies and Advertisers in New Zealand New Data Protection Concepts as results of GDPR  for Digital Media Companies/Advertisers in New Zealand
The concept of personal data (information) in New Zealand is similar to that of GDPR. However GDPR contains the right to be forgotten. It means a consumer can demand that your company delete all data about them. There is no similar fundamental right in New Zealand law.
The importance of consent when dealing with personal data is a core part of both the GDPR and New Zealand Privacy law. GDPR requires a data controller (Publishers, Advertisers, anyone collecting data directly from a consumer) to provide a consumer’s data in a machine readable format. The point is to make the data ‘portable’ so the consumer can move it around between data controllers. NZ privacy law does not demand that NZ digital media and advertising companies provide consumer data in a machine-readable format.
Data breach requirements are voluntary under NZ law. Data breaches are compulsory under GDPR. Data controllers can only appoint data processors who must demonstrate contractual guarantees to implement technical measures to ensure processing meets GDPR standards. NZ law does not stipulate legal differences between controllers and processors of data for digital media and advertising companies.
NZ Privacy Law has no requirement to demonstrate compliance with privacy principles. Under GDPR if you handle EU consumer data you must comply with GDPR.
NZ Privacy Law currently does not have fines for breaches. Complaints are dealt with in a mediation process. Fines of up to NZD1 million for corporations have been tabled by the Privacy Commissioner to the Minister of Justice as part of wider Privacy Act modernisation. The penalties under GDPR are significant – up to 20 million euros or 4% of global turnover (whichever is higher).