Overview

GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy for all individuals within the European Union which is in effect from 25th May 2018. Beeswax is fully committed to GDPR compliance in support of our diverse and sophisticated customers around the world.

In a broad sense, Beeswax is a Data Processor, as defined under the law, and follows the instructions of our customers, suppliers, and data providers as to the disposition of data in our system. Regarding our third party and supply (exchange) partnerships, we expect them to comply with the law and obtain consent as required by the regulations. We are also continually engaged in discussions with our various partners regarding their GDPR compliance.

We are committed to the European market and have a strong customer base in the region. Our data center is in the AWS Dublin region, and all data that leaves the EU is protected under our EU-US Privacy Shield certification.

Beeswax Internal Changes and Protections

Beeswax has been busy working to audit and review all of our data processes to comply with the GDPR requirements. These activities have included:

• Keeping data secure within our systems
• Maintaining our opt-out process and extending to mobile IDs
• Supporting the various obligations around data subject requests

New and Changed Fields in Log Files

To prepare for the forthcoming GDPR regulations in the European Union, Beeswax is taking steps to help our customers comply. Certain fields that are commonly used in RTB are considered “Personal Data”. In order to protect this data from being used or transferred outside of the Beeswax service, we will be making changes to these fields when passed in macros, bidding agent requests, augmentor requests, and log files. Specifically, for requests subject to GDPR handling without user consent, the following fields will be affected:

Additionally, for records subject to GDPR handling and without consent, the following fields will be added:

• The first three fields (user_id_hashed, ip_address_hashed, ipv6_address_hashed) will be populated only when the request is subject to GDPR handling and we have determined that you do not have user consent. This means not all records will have those fields populated
• The hashed IP address fields are the hashed versions of the full IP address, not the truncated IP address. The IP address fields will continue to contain truncated IP addresses in the EU
• The hashed user ID and hashed IP address fields may be used for counting (i.e. counting reach or frequency), but not for identification
  • This means that, for instance, you will not be able to upload those values for targeting
• The IAB consent string is base64-encoded. For the full specification, see here.

Example Log Change

The following win log record (non-relevant fields elided) before GDPR is in effect is transformed in the subsequent way:

Original

ip_address,ip_range,platform_device_didmd5,platform_device_didsha1,platform_device_dpidmd5,platform_device_dpidsha1,platform_device_idfa,platform_device_ifa,user_id,geo_lat,geo_lon,ipv6_address

166.137.139.31,166.137.139.31,fb5895f534ce1b5e71d74133dfd988ed,de42e1bf24c4c155761c6d38b8bc6e8de4f1c780,fb5895f534ce1b5e71d74133dfd988ed,de42e1bf24c4c155761c6d38b8bc6e8de4f1c780,9ba0861f-8f0d-4cc1-864e-35e5e8e2a28c,9ba0861f-8f0d-4cc1-864e-35e5e8e2a28c,mid.9BA0861F-8F0D-4CC1-864E-35E5E8E2A28C,43.0668,-85.9347,2001:0db8:85a3:0000:0000:8a2e:0370:7334

Post-GDPR

ip_address,ip_range,platform_device_didmd5,platform_device_didsha1,platform_device_dpidmd5,platform_device_dpidsha1,platform_device_idfa,platform_device_ifa,user_id,geo_lat,geo_lon,ipv6_address,user_id_hashed,ip_address_hashed,ipv6_address_hashed,is_gdpr,gdpr_consent_string

166.137.139.0,166.137.139.0,,,,,,,,43.066,-85.934,2001:0db8:85a3:0000:0000:8a2e:0370:,158cf0d279c2c3c394a9a955a0a11758b52590715a39e5ddec313604d2d378c1,158cf0d279c2c3c394a9a955a0a11758b52590715a39e5ddec313604d2d378c1,158cf0d279c2c3c394a9a955a0a11758b52590715a39e5ddec313604d2d378c1,true,BOMqcNeOMqcNeAAABAENAEAAABAArAAA

Changes to Macro Values

When a request is subject to GDPR handling, macros will change in the following way:

Below details the expansion of the IS_GDPR and IS_GDPR_CONSENTED macros in different scenarios according to whether the auction is subject to GDPR and whether consent is present.

Exchange Integration and Consent

While each exchange/SSP is taking its own approach to gaining end-user consent, we believe that the most common workflow will be for publishers to ask for consent for the exchange, but allow DSPs to get access to user data under a category or blanket permission. Some exchanges will require that each DSP (such as Beeswax) get affirmative consent from the user in order to see auctions. In order to maximize our reach in Europe Beeswax has registered under the IAB EU's framework as a named vendor.

Upcoming Changes to Consent String Handling

If you are a registered IAB Vendor or Google AdX Provider please reach out to your account manager and provide your vendor IDs. Here is how Beeswax supports consent strings:

• For a given EU auction, if your vendor ID is present on the openRTB TCF (v. 2.0) consent string (user.ext.consent field) or the Google AdX consented_providers_settings field, we will send you personal data in the clear. This includes raw logs, call outs to your custom bidding agent or data augmentor as well as creative macros
• If you are not given explicit consent on an EU auction we will follow the normal treatment of personal data as outlined above.

User Syncing 

We will be expecting to receive gdpr, gdpr_consent, and optional gdpr_pd parameters on EU-based user sync URL calls to Beeswax, and customers can expect to see the same from us as well.

Example User Sync Calls

• Customer initiated user sync
  • https://match.prod.bidr.io/cookie-sync/ta?gdpr=${GDPR}&gdpr_consent=${GDPR_CONSENT_XXX}&gdpr_pd=${GDPR_PD}
• Beeswax initiated user sync
  • https://match.ta.io/cookie-sync/beeswax?user_id=${BEESWAX_COOKIE_ID}&gdpr=${GDPR}&gdpr_consent=${GDPR_CONSENT_XXX}&gdpr_pd=${GDPR_PD}

Customer Data

Most Beeswax customers upload some data to our Bidder-as-a-Service™ in order to execute campaigns. Per our contractual terms, this data must be collected in accordance with "Applicable Laws", which now includes GDPR. It is our expectation and our customers' responsibility that all data uploaded to Beeswax (including any data uploaded prior to GDPR) in any form comply with this requirement.

Beeswax acts as a Data Processor with regard to Customer Data, which means we only use it upon our Customers' instructions, but are responsible for security and control of the data. To prepare for GDPR we have taken a number of steps to uphold these responsibilities:

• We have undertaken a complete internal audit of all of our data systems in order to understand at a granular level where such systems touch Personal Data.
• We have appointed a Data Protection Officer ("DPO") in compliance with the law.
• We have instituted security procedures such that in the unlikely event of a data breach we are able to fulfill the necessary notification obligations.
• We are in the process of updating our privacy policy.
• We have assured that any sub-processors we contract with are either not receiving any Personal Data or are similarly compliant to our standards.
• We are in the process of enhancing our opt-out capabilities to allow mobile IDs to be removed from serving.

Further Questions

If you have further questions about Beeswax's GDPR compliance, please feel free to reach out to your Account Manager or to Beeswax Support.