The General Data Protection Regulation (GDPR) is a new privacy measure established in the EU that went into effect May 25th, 2018. It has significant implications on personal data and privacy rights.

It gives EU citizens a clearer understanding and greater control of what personal data companies have access to and how those companies use it. Any US brand that interacts with or could interact with an EU citizen is subject to GDPR.

The Basics

1. GDPR regulates the collection and usage of personal data. It gives users control over how their data is used by companies, if it’s collected in the first place, the right to be forgotten, and more. Get the full story here.

2. Users have a right to know who is using their data. This means they need to have the ability to see everywhere their data is sent and to have the option to opt out by vendor.

3. Currently, two important compliance components are consent mechanisms and data portals. Both are needed for EU IP addresses.

4. Consent partners will help you establish your consent mechanism, often through a Consent Management Platform (CMP). If you need a consent partner, you can find a verified list here.

5. A separate, easily navigable data portal is what facilitates users’ access to and control of their data.

6. Every brand/agency partner should review the IAB technical specs on consent and notice.

7. Data minimization is a key part of GDPR. It keeps data lean without holding onto bloated data sets that could be GDPR non-compliant. Untapped New York regularly flushes all irrelevant data.

8. If you’re currently operating under “legitimate interest” as a legal basis for consent, outlined documentation is needed to justify that interest.

9. For advertisers who don’t have a consent mechanism in place, all Untapped New York specific tags will be blocked from firing on users with EU specific IP addresses via a IP lookup implemented in GTM.

Types of Data GDPR Regulates

GDPR regulates the collection and usage of personal data. Personal data includes any information that can be used to identify an individual. Data factors include anything pertaining to a person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

Examples include: name, email address, location data, IP address, cookie data, and much more

Data Subject Rights

Under the GDPR, data subjects will have several rights that need to be accommodated. All brands need to ensure these rights can be exercised easily via a ‘My Data Management’ page or data portal on their website(s), which can then be easily linked to in all communications.

1. The right to access information about how personal data is used.

2. The right to access personal data held by any organization.

3. The right to have incorrect personal data deleted or corrected.

4. The right to have personal data rectified/erased. (often referred to as the “Right to Be Forgotten”)

5. The right to restrict or object to automated processing of personal data.

6. The right to receive a copy of their personal data.


No part of this page constitutes official legal advice. Do not use this as an official guide for compliance.

All parties should seek independent legal advice in relation to GDPR compliance and all applicable data privacy laws.