Publisher Information

This guidance is provided to participating publishers to explain how The Trade Desk has developed EUID with European data protection law in mind. This does not constitute legal advice, and publishers should seek their own advice on their participation in EUID and compliance with applicable law.

1. Data processing in the EUID ecosystem

EUID starts from the premise that the creation and use of an EUID to serve targeted advertising involves the processing of personal data by EUID publishers. Under European data protection laws, each publisher or advertiser that submits an email address or phone number to be converted into an EUID will be considered a “controller” for that data and for any subsequent use they make of that EUID.

The rule owner of the EUID ecosystem—currently The Trade Desk—is also a controller for the creation of an EUID and its subsequent return to the applicable publisher or advertiser. This is because the rule owner plays an important role in the decision to facilitate the creation of consistent EUID identifiers and create the EUID ecosystem.

The GDPR explains that where there are two or more controllers, they are joint controllers where they jointly determine the purposes and means of processing. In the EUID ecosystem, the rule owner is a joint controller with each publisher that submits an identifier for conversion into an EUID. The rule owner’s responsibility as a controller is limited and does not extend to the subsequent use of an EUID by the publisher for advertising purposes.

2. What does this mean for the EUID Agreement?

Joint controllers are required under the GDPR to set out clearly how they are each responsible for data protection compliance. In the EUID Agreements, the responsibilities are set out in the Exhibit headed "Allocation of Responsibility." It is set out in this section that:

• The publisher and The Trade Desk must let each other know if they receive requests from individuals or supervisory authorities that relate to EUID.

• The publisher must provide a point of contact for its own consumers. Individuals will be able to use this point of contact to opt out of EUID processing carried out by a publisher.

• The Trade Desk, as the rule owner, will provide a central portal. This will allow individuals to opt out of the use of EUIDs across the entire EUID ecosystem. This is important to help publishers demonstrate that EUID provides individuals with an easy way to exercise their rights.

3. Notice and EUID

The EUID Agreement asks each publisher and advertiser to provide certain minimum information about EUID to individuals, including information about the role of the joint controllers, and to provide a link to the EUID Privacy Notice from The Trade Desk. Publishers may find this easier to supply alongside their consent language.

Otherwise, we recommend that this is included within your privacy notice.

Short sample language that we provide as an example of language that could be included in a privacy notice is available at Consent Examples.

4. Consent and EUID

4.1. Why do publishers need to obtain consent?

In order to succeed, we believe that EUID will need to meet—or, if possible, exceed—the standards for privacy met by online advertising today. Third-party cookie-based advertising depends on publishers obtaining GDPR-compliant individual consent. Accordingly, this standard should apply to those participating in EUID.

4.2. What are the requirements for valid consent for EUID?

We request that publishers meet the requirements set out in the GDPR. In particular, consent to create an EUID should meet the following requirements:

• It must be freely given (that is, no cookie-walls).

• It must be specific and informed, including providing the following:

  • Information about the use of email or phone numbers to create the EUID.

  • Information about the identity of the relevant controllers (including The Trade Desk).

  • A link to the privacy notice from The Trade Desk, which provides more information about EUID.

• It must be unambiguous.

• It must be demonstrated by clear and affirmative action (it cannot be included in small print or in the Terms and Conditions).

• It must explain that individuals can withdraw their consent.

Publishers relying on consent must also be able to provide proof of this consent, if required. We ask that this evidence records the following:

• The identifier in relation to which consent has been obtained.

• The timestamp indicating when consent was obtained.

• The action taken by the individual to indicate consent.

• A copy of the language presented to the individual to request consent.

Sample consent language is available: see Consent Examples.

4.3. Why can’t publishers use existing consents?

The legal position of The Trade Desk, with regard to the consent requirements specific for EUID, is that consent has to be specifically obtained for the conversion of the user’s email address to an EUID. Requests for consent through cookie consent management platforms are designed to obtain specific consent for purposes described in the IAB EU's Transparency and Consent Framework Policies, and they will most likely not have included the use of email addresses in this way. Similarly, consents given for use of email addresses to send email marketing may not have described the creation of a consistent, unique ID for targeted online advertising.

4.3. How long will consent last?

This is a matter for each publisher to independently determine, depending on the particular situation and on guidance from data protection authorities relevant to that publisher. You should ensure that you only share email addresses or phone numbers for conversion to an EUID where you are confident that the consent on which they rely remains valid, and you must not continue to use or share an EUID where any underlying consent is no longer valid.

5. Restrictions on the use of EUID

There are strict protections in place when special category data is processed. Special category data, as provided for in the GDPR, includes, for example, personal data that concerns health or reveals political opinions. EUID is not designed for use with special category data, and our EUID Agreements require that publishers do not associate an EUID with special category data.

Publishers are also required to prevent the creation of an EUID for an individual under the age of 18.

6. Reporting data breaches

We require publishers to notify The Trade Desk in a timely manner of any personal data breach involving an EUID. In the event that a publisher believes that a data breach must be notified to any appropriate authorities or data subject, we ask that the publisher first consult with The Trade Desk.

7. Data Transfers

The Trade Desk processes data for EUID in the EU. Where there are international transfers, we ensure that there is a valid transfer mechanism for these transfers with the appropriate technical and organizational measures in place.

8. Accountability

We recommend that publishers ensure that they have taken all necessary actions to comply with their wider GDPR obligations. This includes, for example, ensuring that they have carried out their own assessment of participation in EUID, ensuring the security of their processing connected with EUID, and ensuring that their record of processing activities is up to date.

9. Options to "Consent or Pay"

We recommend seeking independent legal advice prior to the implementation of any options for the user to either consent to the use of trackers or identity solutions, or to pay, in order to access content.

Our assessment is that such arrangements may be possible under data protection law (including the ePrivacy Directive), provided that certain requirements are met: for example, the user has a choice between EUID and payment.

We recommend that the same consent requirements, as outlined above, should be considered for providing consent for their email to be used to create an EUID through a pay for access option.