BidSwitch GDPR Compliance Update, May 10, 2018

The EU’s General Data Protection Regulation (GDPR) goes into effect May 25, 2018. BidSwitch values data protection and consumer privacy, and we have been hard at work to ensure that our business and processes will be ready by that date.

BidSwitch is considered a Data Processor with respect to GDPR

As a technology layer connecting SSPs and DSPs, without direct relationships with data subjects (end-user consumers), BidSwitch is considered a Data Processor. The BidSwitch platform does not perform decisioning itself, but we will work closely with supply and demand partners to support User Consent requirements.

BidSwitch supports the IAB Compliance Framework

The IAB Tech Lab recently released their official version of GDPR support and we are happy to announce that by May 15th, 2018 we will support GDPR in BidSwitch protocols according to the IAB OpenRTB Advisory. We will enable compliance as defined by the IAB through supporting the passing of  GDPR eligibility and user consent via two extension fields. The following fields will be passed as extensions under the user section of a bid request:

  • Regs.ext.gdpr: Indicates whether the request is subject to GDPR regulation for the user
  • User.ext.consent: Indicates user consent when GDPR regulations are in effect

BidSwitch will not alter these fields as received by SSPs in any way. The field “Regs.ext.gdpr” will indicate whether the bid request is subject to GDPR regulation for the user and the field “user.ext.consent” will indicate user consent when GDPR regulation is in effect. This is accomplished by passing a ‘0’ or ‘1’ for each field as set out below:

  • 0 = No
  • 1 = Yes

For user consent, they will denote the following:

  • 0= No consent
  • 1= Consent

Please note that User.ext.consent=0 may include multiple classifications including: users with a revoked status, new users, and/or those who have stated no consent. An audit trail can be performed by the originating vendor, the controller who populated the consent data in the original bid request, to determine which of these classifications the user fell under.

Importantly, the two fields mentioned above are not mutually exclusive and BidSwitch will pass through either or both depending on what we receive from the SSP in the bid request. Per the IAB spec, anything with Regs.ext.gdpr=1 that does not have User.ext.consent present should be assumed as User.ext.consent=0.

Preparing for GDPR Compliance with BidSwitch

BidSwitch is working closely with all of our partners (SSPs, DSPs, etc.) to understand how we can best support GDPR compliant processes. We welcome any comments or questions you may have regarding our GDPR efforts in the days and weeks ahead. Please direct any inquiries on this matter to privacy@bidswitch.com.

-The BidSwitch Team