With IAB's recent changes to the consent framework for GDPR, Sortable is transitioning publishers using our hosted CMP to a hosted Quantcast CMP. This and other articles will be updated in coming weeks to reflect these changes.
This information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In summary, you may not rely on this page as legal advice, nor as a recommendation of any particular legal understanding.
Controller vs processor
For the purposes of the General Data Protection Regulation (GDPR), Sortable acts as a controller of the data we collect for the container product. Sortable does not pass personal data on to HB partners, but they may collect additional data and act as controllers or processors of that data on behalf of the publisher.
Sortable acts as a controller of the data we collect for the S2S product. Some of this data is passed on to the S2S partner for processing during an ad request.
This is because data related to ad calls is tied to a unique Sortable user ID. Those unique IDs and data related to ad calls are logged into our event logs and used to optimize the sale of advertising inventory for our publishers. While we do not optimize for specific unique users, we do use certain event log data that could be tied to a unique user to train our models and feed our algorithms (we can only tell if a user is unique based on our cookie ID for that user, which is the same for that user across all of our clients). We also use certain data collected across users, sites, and apps for the detection of invalid inventory and security.
We understand that some publishers can be uncomfortable with technology partners like Sortable arguing that they are controllers of user data, as that can be taken to be a bid to claim to "own" the user or data about the user. We do not claim controller status in order to establish ownership of any user's or publisher's data. We have reached the conclusion that we are a controller in relation to these categories of data because we independently make decisions on how the data is used and we believe that pursuant to the text of the GDPR and the existing EU guidance, this makes us a controller of the data with respect to those purposes.
Legal basis for processing personal data
The GDPR requires that processors have a valid legal reason for processing personal information. Reasons may include consent (with notice), or what is termed legitimate interests.
Sortable relies on legitimate interests to process personal data for security purposes, for the detection and prevention of fraud and invalid inventory, and to optimize the real-time sale of advertising inventory (e.g., by using certain historical data about advertising impression to predict the best floor to use to optimize the selling price).
All of the personal data we use is pseudonymous data and we are undertaking an initiative to further pseudonymize the personal data that we collect.
Although the legal basis we rely on under the GDPR to process the personal data we control is legitimate interests, we recognize that not all partners and publishers will use this same legal basis. We are working with the advertising industry to implement a flexible, but standardized consent management framework.
For our container product, we provide an API for a publisher to pass along consent status of the user to advertising partners. We implement IAB EU’s proposed standard for this API.
For our S2S product, we provide an API for publishers to pass along consent to S2S partners. We implement the OpenRTB proposal as a method to pass consent to S2S partners we connect with via OpenRTB.
Data transfer outside the EU
Personal data is collected and stored in Amazon's US-EAST data centers. Since we are a Canadian company, the US Privacy Shield does not apply. However, we are following Canadian privacy law (PIPEDA) and best practices. For the purposes of GDPR, Amazon AWS acts as a sub-processor of personal data we control.
Access and deletion of personal data
The personal data we store is pseudonymous and as such isn't encrypted, although access is restricted to employees who require access. We're working to evaluate industry standard practices around data encryption, authorization, authentication, and auditing to see how they would apply to our products.