Privacy & Data Protection

Privacy and data protection rules play an important role for the digital advertising industry as delivering relevant advertising and measuring its effectiveness requires the processing of data. Processing data is crucial for digital advertising to be efficient in funding digital content, services, and applications, making them widely available at little or no cost, as well as driving growth within the digital economy.


On 27 April 2016, the European Union adopted the General Data Protection Regulation (“GDPR”).

The  GDPR  will  become  directly  applicable  law  in  the  European  Union  (“EU”)  and European  Economic  Area  (“EEA”)  on  25  May  2018,  superseding  national  data  protection  laws currently in place.

The GDPR will not only apply to companies based in the EU but also to companies all over the globe offering goods and services to people based in the territory of the Union, or monitor the behaviour of  individuals  located  within  it.  Data  protection  law  regulates  the  processing  of  personal  data, defined broadly as any information that relates to an identified or identifiable natural person, which may include amongst others online identifiers that can be used to single out a natural person, for example for digital advertising purposes.

The  GDPR  grants  data  protection  authorities  the  power  to  levy  significant  administrative  fines against businesses found in breach of the law. Depending on the severity of the infringement fines can go up to € 20,000,000 or 4 per cent of a company’s annual global turnover – whichever is higher. 

GDPR – 10  Actions to take now (Dec 2017)

IAB Ireland is delighted to have partnered with Mason Hayes & Curran to prepare a practical information booklet on GDPR tailored to the digital advertising industry – GDPR 10 Actions to take now

The IAB Europe Working Paper on GDPR Consent (Nov 2017)

The GDPR Consent Working Paper has been developed by the IAB Europe GDPR Implementation Working Group.

The GDPR Compliance Primer (May 2017)

The GDPR Compliance Primer Working Paper has been developed by the IAB Europe GDPR Implementation Working Group.

IAB Europe’s GDPR Implementation Working Group brings together leading experts from across the digital advertising industry to discuss the European Union’s new data protection law, share best practices, and agree on common interpretations and industry positioning on the most important issues for the digital advertising sector.

We would like to extend a special thank you to IAB Europe and Improve Digital for taking the initiative on this working paper.

Other Resources:

IAB Ireland Member: Mason, Hayes & Curran produced the following very useful Guide:

Getting Ready for the GDPR

The office of the Data Protection Commissioner in Ireland has developed the website: which has guidance also for different sectors on how to plan for compliance.


The ePrivacy Directive (Directive 2002/58/EC), also nicknamed the “Cookie Directive” because of its rules on storing and accessing data on a users’ device, such as so-called Internet cookies, is a directive primarily regulating the processing of personal data in the electronic communications sector, i.e. by telecommunications providers.

The ePrivacy Directive is of importance to the digital advertising industry because of the aforementioned rules on cookies, which are of general application and not limited to the electronic communications sector. Cookies play an important role in websites delivering a personalized experience, including relevant advertising. The ePrivacy Directive stipulates that member states must create rules that require website operators to inform the user concerned about the use of cookies and obtain their consent for the use of (most) cookies.

The European Union is currently considering a proposed regulation on ePrivacy that, will replace the ePrivacy Directive . As a matter of EU law, Regulations can be relied upon directly by citizens, meaning that EU Member States no longer have a role in interpreting its application to fit within their national legal order. In its current form, the Regulation would require the consent of users in line with the rules of the General Data Protection Regulation for the lawful use of cookies, advertising identifiers (e.g. IDFA and AAID), device fingerprinting, etc. to collect information (not just personal data) and to deliver targeted advertising.

The proposed Regulation would also mandate browsers and other software to provide the option to actively prevent data collection through cookies et al., and to force users to make a choice as to their preference during set up. This would be the case not just for web browsers, but for any application or device which can connect to the internet.

For more information on the political and legal aspects of the proposal, check out IAB Europe’s ‘Cookie Regulation FAQ’.