Ad Network Identity Crisis: When am I a Controller or a Processor? What Am I? The General Data Protection Regulation (GDPR) is privacy legislation that brings a great deal of risk liability for any business or person working with what is defined as “personal data.� GDPR has raised more questions than answers when it answers, especially when it comes to the controller processor relationship. Adding to the complexity is the constantly shifting title shift based on activity and motivation for working with personal data. And no industry has more questions than the advertising networks that link website publishers renting space on their sites with advertisers looking to put their ads in front of an audience to get them to click and find out more about their offers. Operating beneath this surface is a host of intermediary service providers operating on behalf of the advertisers to perform bidding services. As data is transferred between the various parties, serious questions arise around who holds the liability under GDPR.
Ad Network Overview On one side you have the website publisher looking to sell advertising impression space on a website. The publisher is motivated to sell that impression space to the advertiser willing to pay the highest price. Connecting publishers to the advertising exchange are the SupplySide Platform (SSP) where they can post information about their audience, available impression space, and terms. The SSP connects publisher inventory to the Demand-Side Platform (DSP) where advertisers are looking for site space with the highest traffic levels for their demographic interest segments. Advertisers often contract with Account Based Marketing (ABM) service providers to monitor space purchasing opportunities and execute bids. The whole thing takes fractions of a second and that operates as an online auction. When a publisher posts a bid, they transfer enough information about the person, content, geo-location, and site category to allow the advertisers or their ABM agents to evaluate whether they want to bid and define their pricing thresholds. Much of this information is defined as personal data under GDPR Recital 30 and other privacy regulations because it contains the visitors IP address, geolocation, and potentially cookie identifiers. Because this whole transaction happens in fractions of a second, the regulatory question becomes who is the controller and who is the processor.
Controller Processor Relationship Under GDPR