Overview
GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy for all individuals within the European Union, in effect since 25th May 2018. Beeswax is fully committed to GDPR compliance in support of our diverse and sophisticated customers around the world.
In a broad sense, Beeswax is a Data Processor, as defined under the law, and follows the instructions of our customers, suppliers, and data providers as to the disposition of data in our system. Regarding our third party and supply (exchange) partnerships, we expect them to comply with the law and obtain consent as required by the regulations. We are also continually engaged in discussions with our various partners regarding their GDPR compliance.
We are committed to the European market and have a strong customer base in the region. Our data center is in the AWS Dublin region, and all data that leaves the EU is protected under our EU-US Privacy Shield certification.
Beeswax Internal Changes and Protections
Beeswax has been busy working to audit and review all of our data processes to comply with the GDPR requirements. These activities have included:
- Keeping data secure within our systems
- Maintaining our opt-out process and extending to mobile IDs
- Supporting the various obligations around data subject requests
New and Changed Fields in Log Files
To prepare for the forthcoming GDPR regulations in the European Union, Beeswax is taking steps to help our customers comply. Certain fields that are commonly used in RTB are considered “Personal Data”. In order to protect this data from being used or transferred outside of the Beeswax service, we will be making changes to these fields when passed in macros, bidding agent requests, augmentor requests, and log files. Specifically, for requests subject to GDPR handling without user consent, the following fields will be affected:
Raw Log Field Name | Proto Field Name | GDPR Handling |
platform_device_ifa | Device.ifa | blank |
platform_device_idfa | Device.idfa | blank |
platform_device_didmd5 | Device.didmd5 | blank |
platform_device_didsha1 | Device.didsha1 | blank |
platform_device_dpidmd5 | Device.dpidmd5 | blank |
platform_device_dpidsha1 | Device.dpidsha1 | blank |
user_id | N/A | blank |
geo_lat | Device.lat | truncated to 3 decimal places |
geo_long | Device.long | truncated to 3 decimal places |
ua | Device.ua | blank |
ip_address | Device.ip | truncated to 3 octets |
ipv6_address | Device.ipv6 | truncated to 6 octets |
inventory_source_user_id | User.id | blank |
These fields will be impacted only when the request is subject to GDPR handling and we have determined that you do not have user consent. This means not all records will have those fields modified. Truncating geo_lat and geo_long reduces their accuracy to approximately 100 meters.
Additionally, for records subject to GDPR handling and without consent, the following fields will be added:
Raw Log Field Name | Proto Field Name | GDPR Handling |
user_id_hashed | N/A | pseudo-anonymized version of the original user ID |
ip_address_hashed | DeviceExtensions.ip_hashed | pseudo-anonymized version of the original IP address |
ipv6_address_hashed | DeviceExtensions.ipv6_hashed | pseudo-anonymized version of the original IPv6 address |
is_gdpr | RegulationsExtensions.gdpr | true or false, whether the record was subject to GDPR handling |
gdpr_consent_string | RegulationsExtensions.gdpr_consent_string | the raw IAB consent string, or “daisybit”, provided in the request |
- The first three fields (user_id_hashed, ip_address_hashed, ipv6_address_hashed) will be populated only when the request is subject to GDPR handling and we have determined that you do not have user consent. This means not all records will have those fields populated.
- The hashed IP address fields are the hashed versions of the full IP address, not the truncated IP address. The IP address fields will continue to contain truncated IP addresses in the EU.
- The hashed user ID and hashed IP address fields may be used for counting (i.e. counting reach or frequency), but not for identification.
  - This means that, for instance, you will not be able to upload those values for targeting.
- The IAB consent string is base64-encoded. For the full specification, see here.
Example Log Change
The following win log record (non-relevant fields elided) shows how a record written before GDPR handling is in effect is transformed once it applies:
Original
ip_address,ip_range,platform_device_didmd5,platform_device_didsha1,platform_device_dpidmd5,platform_device_dpidsha1,platform_device_idfa,platform_device_ifa,user_id,geo_lat,geo_lon,ipv6_address
166.137.139.31,166.137.139.31,fb5895f534ce1b5e71d74133dfd988ed,de42e1bf24c4c155761c6d38b8bc6e8de4f1c780,fb5895f534ce1b5e71d74133dfd988ed,de42e1bf24c4c155761c6d38b8bc6e8de4f1c780,9ba0861f-8f0d-4cc1-864e-35e5e8e2a28c,9ba0861f-8f0d-4cc1-864e-35e5e8e2a28c,mid.9BA0861F-8F0D-4CC1-864E-35E5E8E2A28C,43.0668,-85.9347,2001:0db8:85a3:0000:0000:8a2e:0370:7334
Post-GDPR
ip_address,ip_range,platform_device_didmd5,platform_device_didsha1,platform_device_dpidmd5,platform_device_dpidsha1,platform_device_idfa,platform_device_ifa,user_id,geo_lat,geo_lon,ipv6_address,user_id_hashed,ip_address_hashed,ipv6_address_hashed,is_gdpr,gdpr_consent_string
166.137.139.0,166.137.139.0,,,,,,,,43.066,-85.934,2001:0db8:85a3:0000:0000:8a2e:0370:,158cf0d279c2c3c394a9a955a0a11758b52590715a39e5ddec313604d2d378c1,158cf0d279c2c3c394a9a955a0a11758b52590715a39e5ddec313604d2d378c1,158cf0d279c2c3c394a9a955a0a11758b52590715a39e5ddec313604d2d378c1,true,BOMqcNeOMqcNeAAABAENAEAAABAArAAA
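The handling in the tables above, applied to fields from the page's sample record, as an added Python example (not Beeswax code). The HMAC-SHA-256 construction and its key are assumptions, since the page does not say how the hashed fields are derived; the IPv6 cut mirrors the sample row, which drops the final group.

```python
import hashlib
import hmac
import ipaddress
from decimal import Decimal, ROUND_DOWN

# Fields the handling table marks "blank".
BLANKED = ("platform_device_ifa", "platform_device_idfa", "platform_device_didmd5",
           "platform_device_didsha1", "platform_device_dpidmd5",
           "platform_device_dpidsha1", "user_id", "ua", "inventory_source_user_id")
DEMO_KEY = b"constructed-demo-key"  # constructed value, for illustration only

def pseudonymize(value, key=DEMO_KEY):
    """Assumed construction: keyed HMAC-SHA-256 over the full original value."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest() if value else ""

def truncate_coord(value):
    """Cut to 3 decimals toward zero; rounding would move the point instead."""
    return str(Decimal(value).quantize(Decimal("0.001"), rounding=ROUND_DOWN)) if value else value

def truncate_ipv4(ip):
    """Zero the last octet, as in the sample row (166.137.139.31 -> 166.137.139.0)."""
    return ".".join(ip.split(".")[:3] + ["0"]) if ip else ip

def truncate_ipv6(ip):
    """Drop the final group and keep the trailing colon, as in the sample row."""
    if not ip:
        return ip
    groups = ipaddress.IPv6Address(ip).exploded.split(":")  # expands "::" forms
    return ":".join(groups[:-1]) + ":"

# Both geo_long (field table) and geo_lon (sample header) appear on the page.
TRUNCATORS = {"geo_lat": truncate_coord, "geo_long": truncate_coord,
              "geo_lon": truncate_coord, "ip_address": truncate_ipv4,
              "ipv6_address": truncate_ipv6}

def apply_gdpr_handling(record, is_gdpr, has_consent):
    """Return a copy of `record` as it would be logged; the input is not mutated."""
    out = dict(record, is_gdpr="true" if is_gdpr else "false")
    if not is_gdpr or has_consent:
        return out  # values stay in the clear and no *_hashed fields are added
    for src in ("user_id", "ip_address", "ipv6_address"):
        out[src + "_hashed"] = pseudonymize(record.get(src, ""))  # hash full original
    for name in BLANKED:
        if name in out:
            out[name] = ""
    for name, fn in TRUNCATORS.items():
        if name in out:
            out[name] = fn(out[name])
    return out

# Subset of the page's "Original" row.
SAMPLE = {"ip_address": "166.137.139.31", "geo_lat": "43.0668", "geo_lon": "-85.9347",
          "platform_device_idfa": "9ba0861f-8f0d-4cc1-864e-35e5e8e2a28c",
          "user_id": "mid.9BA0861F-8F0D-4CC1-864E-35E5E8E2A28C",
          "ipv6_address": "2001:0db8:85a3:0000:0000:8a2e:0370:7334"}
```

Note that the negative longitude truncates to -85.934, not -85.935, which is why the helper truncates toward zero instead of rounding or flooring.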
Changes to Macro Values
When a request is subject to GDPR handling, macros will change in the following way:
Macro | GDPR Handling |
{{USER_ID}} | Blank |
{{IOS_ID}} | Blank |
{{ANDROID_ID}} | Blank |
{{LAT}} | Truncated to 3 decimal places |
{{LONG}} | Truncated to 3 decimal places |
{{USER_AGENT}} | Blank |
{{IP_ADDRESS}} | Truncated to first 3 octets |
{{IP_ADDRESS_IPV6}} | Truncated to first 6 octets |
{{IS_GDPR}} | Will be set to 1 for GDPR requests. 1 means it is a request from EU and is subject to GDPR. 0 means it is not a request from EU and therefore not subject to GDPR. |
{{IS_GDPR_CONSENTED}} | Will be set to 1 when the customer has the consent of the user when the auction is subjected to GDPR (i.e. IS_GDPR=1). See below for further details. |
The table below details the expansion of the IS_GDPR and IS_GDPR_CONSENTED macros in different scenarios, according to whether the auction is subject to GDPR and whether consent is present.
Scenario | Macro Value |
Auction regulated by GDPR and Customer has consent. | {{IS_GDPR}} = 1 {{IS_GDPR_CONSENTED}} = 1 |
Auction regulated by GDPR and Customer does not have consent. | {{IS_GDPR}} = 1 {{IS_GDPR_CONSENTED}} = 0 |
Auction not regulated by GDPR. | {{IS_GDPR}} = 0 {{IS_GDPR_CONSENTED}} = 0 |
Exchange Integration and Consent
While each exchange/SSP is taking its own approach to gaining end-user consent, we believe that the most common workflow will be for publishers to ask for consent for the exchange, but allow DSPs to get access to user data under a category or blanket permission. Some exchanges will require that each DSP (such as Beeswax) get affirmative consent from the user in order to see auctions. In order to maximize our reach in Europe, Beeswax has registered under the IAB EU's framework as a named vendor.
Upcoming Changes to Consent String Handling
If you are a registered IAB Vendor or Google AdX Provider, please reach out to your account manager and provide your vendor IDs. Here is how Beeswax supports consent strings:
- For a given EU auction, if your vendor ID is present on the openRTB TCF (v. 2.0) consent string (user.ext.consent field) or the Google AdX consented_providers_settings field, we will send you personal data in the clear. This includes raw logs, call outs to your custom bidding agent or data augmentor, as well as creative macros.
- If you are not given explicit consent on an EU auction we will follow the normal treatment of personal data as outlined above.
User Syncing
We will be expecting to receive gdpr, gdpr_consent, and optional gdpr_pd parameters on EU-based user sync URL calls to Beeswax, and customers can expect to see the same from us as well.
URL parameter | Corresponding Macro | Representation in URL |
gdpr | GDPR | &gdpr=${GDPR} We only support empty, 0, and 1 values. All other values, i.e., true and false, are non-valid. |
gdpr_consent | GDPR_CONSENT_XXXXX (XXXXX is numeric Vendor ID - the ID of the vendor on the GVL who is expecting this URL call) | &gdpr_consent=${GDPR_CONSENT_XXXXX} E.g. &gdpr_consent=${GDPR_CONSENT_123} for Vendor ID 123. |
gdpr_pd | GDPR_PD | &gdpr_pd=${GDPR_PD} Optional |
Example User Sync Calls
- Customer initiated user sync
- Beeswax initiated user sync
Customer Data
Most Beeswax customers upload some data to our Bidder-as-a-Service™ in order to execute campaigns. Per our contractual terms, this data must be collected in accordance with "Applicable Laws", which now includes GDPR. It is our expectation and our customers' responsibility that all data uploaded to Beeswax (including any data uploaded prior to GDPR) in any form comply with this requirement.
Beeswax acts as a Data Processor with regard to Customer Data, which means we only use it upon our Customers' instructions, but are responsible for security and control of the data. To prepare for GDPR we have taken a number of steps to uphold these responsibilities:
- We have undertaken a complete internal audit of all of our data systems in order to understand at a granular level where such systems touch Personal Data.
- We have appointed a Data Protection Officer ("DPO") in compliance with the law.
- We have instituted security procedures such that in the unlikely event of a data breach we are able to fulfill the necessary notification obligations.
- We are in the process of updating our privacy policy.
- We have assured that any sub-processors we contract with are either not receiving any Personal Data or are similarly compliant to our standards.
- We are in the process of enhancing our opt-out capabilities to allow mobile IDs to be removed from serving.
Further Questions
If you have further questions about Beeswax's GDPR compliance, please feel free to reach out to your Account Manager or to Beeswax Support.