EU General Data Protection Regulation


We work closely with leading brand name advertisers all over the world. We have a track record of achieving effective performance for those advertisers by applying innovative technology against what used to be regarded as anonymous data.

The EU General Data Protection Regulation now views any user-unique data as personal data, which means we need to restate and formalize why and how we use it to benefit our clients and their customers, the end user. We already request advertisers who work with us to host a visible and clear privacy policy, as part of our commitment to NAI, but that is now a mandatory legal requirement under GDPR.

We have updated our user notification guidance, please review and update your privacy policy or other user info pages accordingly.


Regarding the second area, legal basis, there are two fundamental aspects of the GDPR that mean we all have to take stock and adapt what we do. Firstly, any unique (or potentially unique) data is now regarded as “personal data”, including IP address and cookie id. And as with the existing law, anyone using such data must have a legal basis for doing so. There are only two legal bases which are relevant for AdTech – consent and legitimate interest.

It is our opinion, along with the DPN’s, that direct relationships such as ours constitute a legitimate interest. We have carried out the necessary balancing assessment, weighing the rights of users with our (and your) legitimate interest to provide them an improved advertising experience. That balancing assessment is available for your review.

If you agree with our assessment on legitimate interest, please use the form below to let us know. This will maintain our relationship in its current form in a way that satisfies GDPR.

Of course, we realize many of our publishers work with other parties, perhaps not all via direct relationships, and thus may choose to implement IAB Europe’s consent mechanism (as consent is the other legal basis mentioned above). We are also going to be integrated with that mechanism for the transactions we carry out programmatically where there is no direct contact, and therefore legitimate interest carries less weight. 

If you are planning to use the IAB Europe consent mechanism, please let us know by filling out the form below.

Please let us know your GDPR stance by filling out the form below.

If you’d like a follow-up discussion with our Data Protection Officer please email us at privacy@exponential.com.