1. Oath
For advertisers

2. Consumers love brands who respect their privacy
However, many companies struggle to balance business goals and the privacy preferences of their customers

3. GDPR What is the buzz about? Effective date Consumer Choice
The General Data Protection Regulation (GDPR) is designed to give consumers in the EU more control over their personal data. It lays out specific requirements for data collection, storage and use, and will impose stiff fines on companies with poor data-handling practices or whose negligence led to data breaches. 
Effective date
Consumer Choice
Across Business
May 25, 2018
Opted-out by default (data collection/processing)
Visibility into how their data is used
each publisher/ network/ mobile app/ tech stack must be granted data rights
Affects all verticals with consumers in EU, not just advertising
Affects all companies doing business with EU consumers, not just EU-based companies.

4. has massive implications
EU consumers
GDPR
has massive implications
26M
EU businesses
€95B
Advertising spend 2018

5. Set up for success What you should know Oath is
Oath’s approach to GDPR is setting us up for success. Here is why:
Direct consumer relationships
As one of the largest online publishers, we have direct relationships with over 1B consumers. Smaller players, including point-solution tech companies, will face an uphill battle since they don’t have direct relationships with consumers.
Oath is
Set up for success
Holistic approach
Oath will be compliant with GDPR in many dimensions: respecting users’ data rights, better internal data controls and processes, and compliant agreements with our customers and partners.
Global solution
Oath’s privacy dashboard will be a global resource for consumers to control every aspect of their Oath data.
EU - all Oath data collection requires consumers to grant Oath any access to their data.
NAR, LATAM, APAC - Oath users will have granular controls for which data we can use and how it’s used.
First party consumer relationships are important: As one of the largest online publishers, we have direct relationships with over 1B consumers.   Only Google and Facebook have a similar relationship with as many consumers as we do. Smaller players including point-solution tech companies will face an uphill battle since they don’t have direct relationships with consumers.
Oath will be compliant with GDPR in many dimensions: employee data, registered user data, 3rd party processing of Oath data, Oath processing of 3rd party data, and data access, storage, and security.
Oath’s privacy dashboard will be a global resource for consumers to control every aspect of their Oath data and how we and our processors use it.
In EU, all Oath data collection requires an affirmative opt-in from consumers, or sufficient notice of our use
In NAR, LATAM, APAC, all Oath users will have granular opt-out controls for how their data is used.
Different companies in our industry will take different approaches to GDPR.  Some will take a “processor” dominant role, while others will take a “controller” role.  Each comes with different advantages and risks.

6. How will GDPR affect Oath?
Changes to privacy policies
Affects client and partner contracts and technical integrations.
Audience pools and targeting scale
Smaller audience pools for differentiated targeting (e.g. SRT, MRT) in Europe.
Privacy by design
Product will continue to incorporate consumer privacy and data security as we build our ad products and consumer properties.

7. What is Oath doing for GDPR?

8. Global consumer privacy dashboard
Consumers can see all data Oath collects/uses/shares
Consumers can see 3rd parties who process Oath data
Consumers can control which data is collected, who uses it and how it’s used

9. Consent Management Platform
Stores consumer privacy preferences for Oath’s O&O properties/apps
Transmits consent/block to Oath advertising platforms and 3rd party platforms
Works across devices, mobile web and mobile app

10. Tracking Software Website pixels SDKs
DOT pixels have new parameters explicitly for passing consent
Integrated directly into Oath’s CMP
Will align with IAB guidelines
ONE Mobile and Flurry have new code explicitly for passing consent
Consent passed via API
Will align with IAB guidelines

11. Brightroll OpenRTB upgrade
IAB incorporates GDPR compliance into industry spec
SSPs and DSPs can pass consent parameters in each bid request
Consent status comes from publishers’ CMPs
Brightroll OpenRTB
upgrade

12. Questions For your brand to ask
Do I have customers or prospects who live in the EU?
What data do I collect from EU consumers?
What digital properties/mobile apps/microsites is my brand using in the EU?
What data do my advertising and marketing tech providers collect from EU consumers?
Am I using EU consumer s as seed data for online advertising?
How will we capture EU consumer consent for data collection/processing?
How will we address the cleanup of data that EU consumers don’t want us to use?
How do we provide an audit trail for our consent-required transactions?
What changes do we need to make to our terms of service to be compliant?

13. GDPR Checklist for working with Oath1 2 3 4 5
Talk with your Oath sales lead about any contract revisions that may be required
Work with you Account Specialist to ensure our DOT tags are updated* to pass consent from your website(s) to Oath
As per IAB guidelines, include Oath as an approved 3rd party vendor in your consumer privacy notifications
Be sure to confirm you have consent for any addresses used in addressable advertising and audience modeling with Oath.
If you track mobile in- app conversions, be sure your attribution partner (TUNE, Kochava, AppsFlyer, etc) is GDPR compliant and you manage consent within your app
*The documentation for DOT pixel updates should be available mid April

14. Oath GDPR Timeline Jan Feb Mar Apr May Jun
Mar 15: Data Rights Contract language ed to EU clients
5/25: Oath and partners must be GDPR compliant
Q1 – migrating EU ONE clients to BR
4/3: Global User Consent event (non-EU)
4/30: all EU clients for ONE by AOL migrate to Brightroll
2/28: Oath deletes all unused consumer data
5/5: Oath privacy dashboard launch
4/17: Global User Consent event (EU)
Jan-Apr 30: on ONE by AOL we will be deleting all historical user data for EU consumers, to be completed by April 30. ONE by AOL will not be supporting the new OpenRTB features related to GDPR, as well as consent processing. Therefore, all EU ONE by AOL customers are being migrated to Brightroll.
2/28: for all Oath platforms, we have audited all consumer data and will remove data that is not being used.
4/3: GUCE: this is an event designed to increase our opt-in user base in EU. The event will be held globally, but is critical to increasing the scale of our targeting base in EU.

15. Appendix

16. Glossary CMP: Consent management platform
Daisybit: compressed information carried through the OpenRTB specification
DSR: Data Subject Rights
DPO: Data privacy officer: Main throat-to-choke for a company’s compliance with GDPR
GDPR: General Data Protection Regulation
GUCE: Oath’s Global User Consent Event: Starting April 3 - our push to get opt-in users in Europe.
O3P: Oath as 3rd party
PIA: Privacy Impact Assessment: Now required by law, software developers must incorporate "privacy by design” into any products that could use consumer data.
Pseudonymization: encryption/hashing of user info
TPP: third party partner. Any partner who receives data from a controller