Advertiser Information

This guidance is provided to participating advertisers to explain how The Trade Desk has developed EUID with European data protection law in mind. This does not constitute legal advice, and advertisers should seek their own advice on their participation in EUID and compliance with applicable law.

1. Data processing in the EUID ecosystem

EUID starts from the premise that the creation and use of an EUID to serve targeted advertising involves the processing of personal data by EUID advertisers. Under European data protection laws, each publisher or advertiser that submits an email address or phone number to be converted into an EUID will be considered a “controller” for that data and for any subsequent use they make of that EUID.

The rule owner of the EUID ecosystem—currently The Trade Desk—is also a controller for the creation of an EUID and its subsequent return to the applicable publisher or advertiser. This is because the rule owner plays an important role in the decision to facilitate the creation of consistent EUID identifiers and create the EUID ecosystem.

The GDPR explains that where there are two or more controllers, they are joint controllers where they jointly determine the purposes and means of processing. In the EUID ecosystem, the rule owner is a joint controller with each advertiser that submits an identifier for conversion into an EUID. The rule owner’s responsibility as a controller is limited and does not extend to the subsequent use of an EUID by the advertiser for advertising purposes.

2. What does this mean for the EUID Agreement?

Joint controllers must set out clearly how they are each responsible for data protection compliance. In the EUID Agreements, the responsibilities are set out in the Exhibit headed "Allocation of Responsibility." That Exhibit provides that:

  • The advertiser and The Trade Desk must let each other know if they receive requests from individuals or supervisory authorities that relate to EUID.

  • Each advertiser must provide a point of contact for its own consumers. Individuals will be able to use this point of contact to opt out of EUID processing carried out by a specific advertiser.

  • The Trade Desk, as the rule owner, will provide a central portal. This will allow individuals to opt out of the use of EUIDs across the entire EUID ecosystem. This is important to help advertisers demonstrate that EUID provides individuals with an easy way to exercise their rights.

3. Notice and EUID

The EUID POC Agreement asks each advertiser to provide certain minimum information about EUID to individuals, including information about the role of the joint controllers, and to provide a link to the EUID Privacy Notice from The Trade Desk. Advertisers seeking to rely on consent may find this easier to supply alongside their consent language. Otherwise, we recommend that this is included within your privacy notice.

Short sample language that could be included in a privacy notice is available online at Consent Examples.

Advertisers participating in EUID are required to have a valid legal basis for their processing of personal data. The Trade Desk recognizes that this is the responsibility of the advertiser as allocated under the EUID Agreement. The Trade Desk expects that many advertisers will choose to rely on consent. If this is an advertiser’s preferred approach, they must ensure that their consent is valid and we recommend following the guidance provided below.

We request that advertisers meet the requirements set out in the GDPR. In particular, consent to create an EUID should meet the following requirements:

  • It must be freely given (that is, no cookie-walls).

  • It must be specific and informed, including providing the following:

    • Information about the use of email or phone numbers to create the EUID.

    • Information about the identity of the relevant controllers (including The Trade Desk).

    • A link to the privacy notice from The Trade Desk, which provides more information about EUID.

  • It must be unambiguous.

  • It must be demonstrated by clear and affirmative action (it cannot be included in small print or in the Terms and Conditions).

  • It must explain that individuals can withdraw their consent.

Advertisers relying on consent must also be able to provide proof of this consent, if required. We ask that the evidence record the following:

  • The identifier in relation to which consent has been obtained.

  • The timestamp indicating when consent was obtained.

  • The action taken by the individual to indicate consent.

  • A copy of the language presented to the individual to request consent.

Sample consent language is available: see Consent Examples.

For email addresses that were collected before the advertiser was an EUID participant, advertisers should consider whether they can rely on legitimate interest as a lawful basis for using those email addresses. This is a legal assessment for the advertiser to make. Ideally, the advertiser should undertake efforts to provide customers with notice of EUID and how to opt out, even when the email addresses have already been collected from those customers.

4.3 What about legitimate interest?

The Trade Desk acknowledges that the European Data Protection Board guidance on targeting social media users states that legitimate interests may in some circumstances be sufficient to justify the use of an email address collected by an advertiser to identify and target users on a social media platform.

Our position is that legitimate interests may be a legal basis for the creation of an EUID from a user’s email address, provided that the appropriate balancing assessment has been undertaken and the appropriate processes are in place.

This is a matter for each advertiser to determine, depending on the particular situation and on guidance from data protection authorities relevant to that advertiser. Advertisers must ensure that they only share email addresses or phone numbers for conversion to an EUID where they are confident that the consent on which they rely remains valid, and must not continue to use or share an EUID where any underlying consent is no longer valid.

5. Restrictions on the use of EUID

There are strict protections in place when special category data is processed. Special category data, as provided for in the GDPR, includes, for example, personal data that concerns health or reveals political opinions. EUID is not designed for use with special category data, and our EUID Agreements require that advertisers do not associate an EUID with special category data.

Advertisers are also required to prevent the creation of an EUID for an individual under the age of 18.

6. Reporting data breaches

We require advertisers to notify The Trade Desk in a timely manner of any personal data breach involving an EUID. In the event that an advertiser believes that a data breach must be notified to any appropriate authorities or data subject, we ask that the advertiser first consult with The Trade Desk.

7. Data Transfers

The Trade Desk processes data for EUID in the EU and UK. EUID systems do not transfer or store emails or their derivatives outside of the EU/UK. EUID private operators are available on AWS in the EU, UK, and Switzerland.

The Trade Desk CRM for EUID is set up in the UK. It stores emails/hashes in the UK and maps them to EUID using the EUID public operator, which is also in the UK.

Where raw EUIDs may potentially be stored or processed by The Trade Desk outside of the EU/UK in the US, there is a valid transfer mechanism (EU and UK Standard Contractual Clauses) for these transfers and the appropriate technical and organizational measures are in place.

8. Accountability

Advertisers should ensure that they have taken all necessary actions to comply with their wider GDPR obligations. This includes, for example, ensuring that they have carried out their own assessment of participation in EUID, ensuring the security of their processing connected with EUID, and ensuring that their record of processing activities is up to date.