GDPR Regulation under GPP

This topic explains GDPR and its principles, and how it protects the rights of users while sharing data. 

The GDPR is a strict data privacy and security law and it came into effect on May 25th, 2018. It grants consumers rights to determine how their personal data is processed. For more information, see GDPR.

What is a Consent String Format

A consent string format is a coded character string that stores information about the consumer’s consent choices. It enables publishers, advertisers and downstream partners to decode which consents end-users have agreed to.

Difference Between Regulation and Consent String Format

Regulation refers to the law and guidelines established by governing bodies to control the collection, sharing, and selling of personal information. Examples of regulations are GDPR, CCPA, VCPA, etc.

The consent string format is the encoded data string with a specific structure that communicates user consent preferences to publishers in digital advertising. Some consent string format examples are TCF, US Privacy String, and GPP.

Next, we will learn about two consent string formats that support GDPR, namely GPP and TCF.

GPP and TCF

The Global Privacy Platform (GPP) by the Interactive Advertising Bureau (IAB) is a standardized global framework for managing user consent in digital advertising. For more information, see GPP.

The TCF (Transparency and Consent Framework) String, an IAB Europe initiative, is an EU-specific format for conveying user consent and publisher transparency in the digital advertising ecosystem. For more information, see TCF.

TCF was launched on April 25, 2018, while GPP was launched more recently on June 1, 2022.

What does the development of GPP mean for TCF?

Since TCF v2, the use of the Transparency and Consent Framework has changed. There are more publisher restrictions and many new vendors have been added to the IAB's Global Vendor List. This results in the consent string getting larger and becoming more problematic.

Many regions, not just Europe, have progressed to a point where a standardized consent norm is necessary. The GPP is part of a suite of solutions addressing global privacy challenges. With GPP, there's a new, more unified way for publishers to understand and comply with user consent preferences.

Applicability of GDPR in EEA

The General Data Protection Regulation (GDPR) is applicable throughout the European Economic Area (EEA), which includes all European Union (EU) member states along with Norway, Iceland, and Liechtenstein. 

Key points regarding GDPR applicability in the EEA:

• GDPR applies to entities (businesses, organizations, public authorities) processing personal data within the EEA, covering both data controllers and processors.
• It protects the rights and privacy of individuals in the EEA, including citizens, residents, and visitors.
• GDPR has extraterritorial reach, affecting non-EEA organizations if they process data of EEA individuals, especially when offering goods/services or monitoring behavior.
• It establishes standards for data protection, including principles like lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.
• GDPR grants individuals rights like access, rectification, erasure, and data portability, and the right to object to certain processing.
• For data transfer outside the EEA, GDPR requires adequate safeguards (e.g., Standard Contractual Clauses, Binding Corporate Rules) to ensure data protection.

Applicability of GDPR to US-based Businesses

Under certain circumstances, the GDPR can have implications for businesses or entities outside the EU, including those in the United States. These are:

• If a business or organization in the United States processes the personal data of individuals who are in the EEA, the GDPR may apply to that processing.
• If a U.S.-based business offers goods or services to individuals in the EEA, it may be subject to the GDPR, even if the processing occurs outside the EU.
• If a U.S. organization monitors individuals' online behavior in the EEA, the GDPR may apply, regardless of the organization's location.
• If a U.S. company receives personal data from organizations in the EEA, there may be GDPR implications, and the transfer of data must comply with GDPR requirements for international data transfers.

In summary, GDPR applies only to U.S-based businesses if they collect information from EEA/UK residents in any way.

Why doesn’t InMobi CMP support GDPR for U.S. users

InMobi CMP doesn’t support GDPR in the U.S. because mentioning GDPR in conjunction with U.S. regulations might create confusion to users in the U.S. region because these legal frameworks have distinct scopes, requirements, and approaches to data protection.

Here are a few reasons why GDPR consents and US regulation consents are not collected simultaneously from the end-user:

• GDPR is a European Union regulation, and its scope is specific to the protection of personal data of individuals within the European Economic Area (EEA). On the other hand, U.S. regulations primarily address data protection within the United States.
• When discussing U.S. regulations, it is more pertinent to focus on the specific state laws, such as CCPA, rather than an EU regulation like GDPR. Failure to comply with these can lead to legal consequences, fines, and reputational damage. Compliance with GDPR alone doesn't cover state-specific laws, which could result in non-compliance and customer dissatisfaction.