NextRoll Legitimate Interest Assessment

1.0

Purpose of processing

To provide performance digital advertising services to our business clients. The main service is to enable a relevant ad based on a prior website visit to a specific web page or category of website through the use of cookies stored within the visitors browser. (ie; ‘interest-based’ or ‘behavioral’ advertising.).

1.1

Benefit to NextRoll

To show more relevant ads that help our customers optimize their digital marketing efforts and continue to use NextRoll’s services.

1.2

Benefits to data subjects

Website visitors (data subjects) benefit by seeing ads on publisher websites that are more relevant to them as a result of optimization by NextRoll. By optimizing advertising spending, client advertisers can save money against wasted advertising spending, and pass along product or service cost-savings to their customers.

1.3

Benefits to public

The current ad ecosystem is the underpinning of a free internet. Publishers can continue to provide high quality news and journalism without charging visitors for website access.

1.4

Benefits to other parties

NextRoll’s client advertisers benefit because their ads reach existing and potential customers who may want to purchase their goods or services in a more cost and time efficient manner.

Publishers can provide free online content and continue to operate their services without the need to charge visitors for access.

Advertising targeting also benefits many other companies who provide ancillary services, such as creative agencies, e-commerce platforms, and market research providers.

1.5

Importance of benefit should it be unavailable

NextRoll’s technology is specifically designed to support optimized, relevant advertising, and without it NextRoll would have to provide a quite different set of products and services. In addition, website publishers who are supported by advertising would likely need to charge customers for the services and content they provide.

1.6

Is the processing required by law, or guided by self-regulation?

There is no law specifically requiring this type of service, albeit Directive 2002/58/EC, ePrivacy Directive, and respective member country-specific implementations have specific requirements regarding the use of cookies which NextRoll complies with. In addition, NextRoll complies with member country-specific advertising, e-commerce and competition laws.

With respect to self-regulation or codes of conduct, NextRoll participates in a number of self-regulatory efforts including the Digital Advertising Alliance (DAA) and their respective EU and Canadian programs, as well as the Interactive Advertising Bureau (IAB) and their respective UK/EU programs, and Network Advertising Initiative (NAI).

2.1

Will this processing actually help you achieve your purpose?

Yes, processing is critical to providing NextRoll’s services.

2.2

Is the processing proportionate to that purpose?

Yes, NextRoll limits what data is collected, how it is processed, and stored to what is necessary to facilitate our client campaigns.

2.3

Can you achieve the same purpose without the processing?

No, NextRoll would no longer be able to provide these types of advertising services.

2.4

Can you achieve the same purpose by processing less data, or by processing the data in another more obvious or less intrusive way?

No. However, through the Digital Advertising Alliance (DAA) ‘Adchoices’ program, NextRoll requires that the types of ads it engages in include a visible icon and mechanism to provide viewers with the means to learn more about how and why the ad was served to the viewer. NextRoll is engaged in the DAA and other organizations’ processes to improve transparency and control with these types of ads.

3.1

Does the processing involve special categories of personal data under Articles 9-10 GDPR, i.e.: (a) criminal history; (b) collection from minors; (c) information regarding race, religion, ethnicity, sexual preference or identity, or individuals' health?

No. NextRoll’s Terms of Service specifically prohibits collection and use of these categories of data, in addition to self-regulatory commitments made through our participation in the NAI and DAA/EDAA.

CLIENT/ADVERTISER TERMS: NextRoll specifically states in Section 8.2 of our TOS that we are not intended for use by advertisers who are targeting minors. In order to adhere to COPPA and special interest requirements, every client advertiser is reviewed, either via the NextRoll Policy team or via an automated tagging system, when they launch new ads or a new campaign. Campaigns or ads that are reviewed manually via the Policy team will be rejected if they contain prohibited content. The automated tagging system will only automatically approve campaigns that are classified as eligible to run based on their zvelo category. All other categories will be reviewed by the NextRoll Policy team. Gray areas are escalated through a policy escalation team in Dublin and then to Legal. Our partner ad networks will also be consulted in order to ascertain their requirements and if publishers would run such content.

SUPPLY/PUBLISHER TERMS: NextRoll receives and process data from its supply partners according to the OpenRTB protocol which does not include objects, or parameters, for special categories of personal data included under Articles 9-10 of the GDPR.

3.2

Expectations of data subject (e.g., has the data subject been informed and/or is the processing reasonably anticipated by data subject)

Yes. NextRoll Terms of Services specifically require its client advertisers to disclose that information will be collected and used for relevant advertising on other websites.

3.3

Do you have an existing relationship with the individual?

No. NextRoll is a B2B company that relies on client advertisers to provide notice and obtain consent from end users when using our services. However, through the DAA Adchoices program, it may be apparent to individuals that NextRoll is one of the advertising services utilizing cookies, and with whom they may learn more or opt-out.

3.4

What’s the nature of the relationship and how have you used data in the past?

When an individual visits one of our client advertiser’s websites where the client advertiser has placed an NextRoll tag, once the client advertiser has provided adequate notice and choice for cookie use, we attempt to associate a cookie and unique identifier with the visitor’s browser. If the browser has previously received a cookie, we will recollect the identifier and associate the new website visit with the previous cookie, or otherwise will place a new cookie and identifier within the browser for future recollection, and associate information from that website visit with the cookie on our server.

The individual always has complete control over whether to accept the NextRoll cookie through the client advertiserconsent request, through their browser settings, or they can accept and subsequently delete NextRoll cookies from their browser storage at any time.

We use the data associated with the tag and cookie to (1) recollect the visitor and any associated information we maintain in order to serve them with a more relevant ad, (2) for fraud and security purposes to limit advertising exposure where it could result in a risk of harm to NextRoll or client advertisers, and (3) to provide insights to our customers on the performance of their advertising/marketing campaigns.

3.5

Did you collect the data directly from the individual? What did you tell them at the time?

Yes. The NextRolltag and cookie collect information directly from the individual upon their website visit.

Our terms of service requires our client advertisers to provide adequate notice and collect any legally required consent prior to our cookie being enabled. In addition, NextRoll has developed a proprietary consent interface that discloses our data use at the point of data collection. We have released this consent interface at no charge to customers, and as of December 11, 2018, more than 2000 customers have chosen to deploy the interface on their site or are using a similar consent management tool.

3.6

If you obtained the data from a third party, what did they tell the individuals about reuse by third parties for other purposes and does this cover you?

In some instances we synchronize our cookies with third parties who may provide us with additional insights on that particular visitor. Any such synchronizations will either occur at the client advertiser’s direction as part of an agreement they have with the data provider, or our terms will require that the provider has provided visitors with adequate notice and choice about their use of the associated data.

3.7

How long ago did you collect the data? Are there any changes in technology or context since then that would affect expectations?

NextRoll’s advertising service has been in existence since 2008. Our cookies are set to expire within 13-months, and we purge inactive data from our servers within 13 months.

Since we launched this service, we have implemented the DAA Adchoices icon and program to provide more transparency and choices for visitors when they see our ads.

3.8

Is your intended purpose and method widely understood?

Yes. We expect most users to understand the correlation of cookies and relevant advertising, especially in the recent months following the GDPR coming into effect and most websites informing visitors of this correlation.

3.9

Are you intending to do anything new or innovative?

We are continuously enhancing our products and services, but are not creating any new tools or technologies related to our retargeting services that are novel enough to warrant inclusion in this LIA.

3.10

Do you have any evidence about expectations – eg from market research, focus groups or other forms of consultation?

Yes. Industry organizations such as the Interactive Advertising Bureau (IAB), Data & Marketing Association (DMA) and others have published numerous materials showing how advertising and marketing subsidizes the free and open Internet to the benefit of all users, as well as improves cost-efficiencies for advertisers. According to the IAB, 85% of consumers prefer the ad-supported free internet over an ad-free internet in which they would have to pay for content.

3.11

Are there any other factors in the particular circumstances that mean they would or would not expect the processing?

Yes. Many website visitors may not understand the scope of the advertising ecosystem, namely how cookies are synchronized with multiple services in order to enable a ‘bid’ based on their browser history by many advertisers in a fraction of a second to determine the most optimal ad. More simply, many advertising services get to see if they ‘know’ that visitor before determining whether or how much they will spend to target the visitor with an ad.

3.12

Anticipated threats or harms to the rights and freedoms of data subjects?

NextRoll is a part of a broad ecosystem that involves synchronizing the visitor data with many other services. These services could independently use the data for other types of advertising, or to sell it to other parties. While this type of disclosure may not rise to the level of a reportable security incident, it does pose a privacy risk of misuse of data by unrelated third parties.

Customers could use NextRoll’s technology to infer sensitive segments for targeting based on a data subject browsing sensitive subject matter on their website. We explicitly prohibit the targeting of sensitive categories by contract and take additional steps to audit client implementations on a rolling and periodic basis.

A final point is that some individuals have raised concerns about the scope and breadth of data collected across websites for profiling and advertising purposes. NextRoll acknowledges that data minimization is an important aspect of the GDPR and is working towards a more streamlined effort to optimize relevant ads.

NextRoll Legal and Compliance teams discuss and review the data retention periods set for all personal data regularly as new products are released and existing products are re-evaluated.

3.13

May the data subject opt-out of the processing?

Yes. NextRoll cookies can be blocked before they are associated with the browser, deleted from the browser storage, or the visitor can opt-out online at NextRoll.com/privacy or through the DAA or NAI industry opt-out tools at optout.aboutads.info