In the light of the GDPR legislation and the use of Adhese (or online advertising), there are two parties involved:
- Data controllers, or the clients of Adhese. Data controllers decide which data to collect and what to do with it. They must implement a way to ask for permission to use Personally Identifiable Information (PII) for advertising purposes.
- Data processors, the role Adhese takes in this process. Everything is handled through the Adhese platform, and efforts for data protection (e.g., encryption) are in place. However, Adhese cannot decide on the use of personally identifiable information.
Adhese acts as a processor of data under the GDPR in the EU. Adhese does not decide what possible Personally Identifiable Information (PII) is collected and what it is used for, but our platform can and does process PII in certain implementations. The controllers of the data that flows through the system must have consent to use any PII. To use PII, a consent flag will have to be passed with each Adhese request to enable PII use and the possibility to set any cookies.
Passing consent to Adhese
Adhese account owners can add the tl parameter to a request in any implementation to define whether or not PII can be used for their application of Adhese.
The tl parameter can have two values:
- all: There is user consent. All PII mentioned in the consent request can be used in campaigns.
- none (default): There is no user consent to track and use PII. Users can still see ads, but they are not tracked. No cookies will be set either so that no frequency capping can be applied, and those campaigns will be excluded. This is also the default setting when left out, or any other value than all is used
If the tl parameter is not present, no personally identifiable information (PII) will be used or logged. This includes: no cookies to identify browsers, no device IDs, no frequency capping, no fingerprinting, no IP, and derived geographical data.
Even when consent is given, Adhese does not log any PII. Except for the reports with a time range of more than one day, this has no further consequences for the use of Adhese.
Other measures to guarantee privacy
Besides, by default not using any PII, Adhese has several other measures in place to guarantee compliance with GDPR and ePrivacy.
- Every Adhese implementation is an instance of the platform running its own database and using its own set of domains to face the public. This means no data can be shared between two Adhese instances. Implementations can run on the first domain, making sure cookies stay within the context they were set and for which consent was given.
- Adhese does not log any PII even when consent is given, so users will never be identifiable in any log files.
- If consent for a unique identifier for one day is given, that cookie ID will be logged as a hash with sufficient collision to ensure the original cookie ID can never be identified. The ID is used for reporting unique browsers over one day.