GDPR: What Steps should Publishers take to be Compliant in APAC?

With GDPR compliance deadline taking effect on 25th May 2018, we feel it is crucial for Publishers in the APAC region to understand how this affect them and make sure they are compliant. This is a summary of what DFP clients should be aware of and a few steps to make sure they play safe with the GDPR compliance required when using personal data from European citizens.

How GDPR affects Publishers in APAC? (1)
General Data Protection Regulation (GDPR) is a European law with extraterritorial impact. It means that it will impact companies beyond the European border. In this context, it is a requirement to make certain disclosures to your users in the European Economic Area (EEA) and obtain their consent for the use of cookies or other local storage, and for the use of personalised ads.
Here’s a diagram helping you answer how you are impacted by GDPR.

GDPR Complliance.png
Now that we explained GDPR and why it is important for Publisher to comply, let’s see what the setup process looks like when using DFP.

How should Publishers implement it in DoubleClick For Publishers? (2)
Whether you’re a small business or a premium user on DFP, Google provides guidance to publishers in meeting their duties under the EU User Consent Policy which is accessible in the Admin section, under “EU user consent”.
We’ve crunched the steps to give an overview of the key steps to follow in order for Publishers to meet their duties under this policy, which reflects the requirements of the EU ePrivacy Directive and the GDPR.

DFP – Step-by-step Process for AdOps

1 – Select the type of ads you want to show

2 – Select ad technology providers (for personalised ads)

3 – Select a line item serving option

4 – Set up consent gathering

What should Publishers be aware of through this process?

1 – Personalised or non-personalised ads, that is the question
Personalised ads reach users based on their interests, demographics, and other criteria. Because ad technology providers may collect, receive, and use personal data from users in personalized ads,
If you wish to continue showing personalised ads to users in the EEA, it is a requirement to clearly identify all ad technology providers when you obtain user consent for the collection, sharing, and use of personal data for ads personalisation.Screen Shot 2018-05-15 at 8.53.03 AM.png
As a result, Publishers can choose the option that suits best to their needs in their DFP set-up.

2 – Challenging limitation on Ad Technology providers (3 & 4)
Publishers who use Google’s consent-gathering tool, Funding Choices, can only use 12 ad tech vendors, according to an update on Google’s support blog. The ad tech vendors publishers can get user consent for have been largely limited should they choose to use Google’s consent manager provider, or CMP, under the GDPR, as first reported by AdExchanger.

What is Google CMP?

The Google consent interface greets site visitors with a request to use data to tailor advertising, with equally prominent “no” and “yes” buttons. If a reader declines to be tracked, he or she sees a notice saying the ads will be less relevant and asking to “agree” or go back to the previous page. According to a source, one research study on this type of opt-out mechanism led to opt-out rates of more than 70%.

Google’s and other consent-gathering solutions are basically a series of pop-up notifications that provide a mechanism for publishers to provide clear disclosure and consent in accordance with data regulations.

Another point worth your attention is the use of personalised ads through programmatic transactions (DFP/AdX), here’s what Google says:

Screen Shot 2018-05-15 at 9.02.01 AM.png

3 – Consent across Mobile apps & AMP (5)
Since GDPR applies across all devices and platforms, Publishers also need to carefully add user consent options in their mobile apps. On this matter, Google provides the following process set-up recommendations using their Consent SDK.

What is Consent SDK?

The Consent SDK is an open-source library that provides utility functions for collecting consent from your users.

3.1 – Update consent status

When using the Consent SDK, it is recommended that you determine the state of a user’s consent at every app launch.
Google’s Consent SDK provides two ways to collect consent from a user:

Remember to provide users with the option to Change or revoke consent.

What is Google-rendered consent dialog?

The Google-rendered consent dialog is a full-screen configurable dialog that displays over your app content. You can configure the dialog to present the user with combinations of the following options:

  • Consent to view personalized ads
  • Consent to view non-personalized ads
  • Use a paid version of the app instead of viewing ads

If you use Google to monetise your app, it is the Publisher’s responsibility to review the consent text carefully, as they do not provide any legal advice on the consent text that is appropriate.

3.2 – Forwarding user consent status to the Google Mobile Ads SDK

  • Use the open-source Consent SDK to obtain consent from users. Once collected, consent state will be shared automatically with the Google Mobile Ads SDK.
  • Forward consent without the Consent SDK to the Google Mobile Ads SDK. This option is for publishers who implement their own consent collection or are a third-party building a consent solution for publishers using the Google Mobile Ads SDK.

3.3 Forward consent without the Consent SDK

The default behavior of the Google Mobile Ads SDK is to serve personalized ads. If a user has consented to receive only non-personalized ads, you can configure an DFPRequest object with the following code to specify that only non-personalized ads should be returned.

3.4 Ads personalisation settings for AMP pages

Ad requests from AMP pages offer the same ads personalisation settings as the non-AMP pages previously described: publishers may choose to serve personalised ads to all users located in the European Economic Activity (EEA), or they may choose to serve personalised/non-personalised ads selectively based on consent.

Despite a majority of Publishers in the APAC region deciding to simplify block all traffic coming from from EEA in order to avoid any fines by the regulators, we believe it is still core for Publishers to understand the ins and out of such regulation for the future of their business.
For the ones targeting European audiences, this is an amazing opportunity to lift up their game and become a true international leader. For further advice, feel free to contact us for consulting and training services on GDPR data compliance and DFP implementation.
Disclaimer: this guide is based on public resources available on DFP at the time the article was written. We do not take any responsibility for any Publisher’s compliance nor legal liability in relation to user consent under GDPR. Please speak with your existing ad technology providers, as well as your internal teams for bespoke set-up and legal compliance.

About T-Shape Consulting
T-Shape Consulting is fast-growing strategic consultancy firm in digital advertising and marketing. We provide consulting and training services to support companies in successfully leveraging their digital properties through tailor-made strategies using data, media and creative solutions. For more information, visit our website


  1. Tools to help publishers comply with the GDPR
  2. Comply with EU user consent policy
  3. Google’s GDPR Consent Tool Will Limit Publishers To 12 Ad Tech Vendors
  4. The media industry scrambles to understand Google’s latest GDPR update
  5. Requesting Consent from European Users


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.