The GDPR Preparedness Kit - May 2018 is Coming

According to Gartner, Inc., more than 50% of companies affected by the General Data Protection Regulation (GDPR) will not be in full compliance with its requirements when it goes into effect on May 25, 2018.[1] Here is a comScore FAQ to help you with your GDPR compliance.[2]

What is the GDPR?

  • The General Data Protection Regulation (GDPR) is a new European Union (EU) law that will update and replace all existing national data protection legislation in Europe. It will apply and be enforced across all EU and European Economic Area (EEA) markets from May 25, 2018.
  • The GDPR is a comprehensive reform because it applies directly to all EU and EEA markets and therefore represents one data protection law applicable across all of the EU. However, the GDPR does allow EU countries to issue their own data protection laws on some topics.  
  • The GDPR will have a global impact: it imposes new rules on companies – regardless of their location - that offer goods and services directly to people in the EU, or that ‘monitor’ their behavior (e.g. for analytics or behavioral targeting purposes).
  • The GDPR introduces new rules for the governance of personal data, building upon existing EU data protection laws. It broadens the scope of personal data to include scenarios where an individual is both “identified” and “identifiable” and specifically includes the use of online identifiers (e.g. cookies).

 

What does comScore do?

comScore is a recognized global leader in cross-platform measurement of audiences, advertising and consumer behavior.  Built on precision and innovation, comScore combines proprietary TV, digital and movie viewing data with vast demographic details to measure consumers’ multiscreen behavior at scale.  With more than 3,200 clients and a global footprint that spans more than 70 countries, comScore is delivering the future of media measurement.

Our Products and Services
comScore products and services help our customers measure audiences and consumer behavior across media platforms, while also providing a validation of advertising delivery and its effectiveness. 

Our products and services are organized around four major offerings:

  • Digital Audience Measurement: provides the size, behavior and characteristics of online audiences across multiple digital platforms including computers, tablets, smartphones, game consoles and other connected devices.
  • Advertising Measurement:  provides end-to end solutions for planning, optimization and evaluation of advertising campaigns.
  • TV and Cross-Platform Measurement: measures consumer viewership of television content for both linear and on-demand viewing in the U.S. at the national level and in [all 210] local markets.  Provides an unduplicated view of cross-platform consumer behavior when integrated with our Digital Audience and Advertising Measurement products and services.
  • Movie Measurement: precisely measures movie viewership, uses social media and exit polling to capture audience demographics and sentiment and provides tools to the largest movie studios and movie theater customers around the world.

Third Party Accreditation, Certification and Review
comScore is committed to providing the market with transparency into the methods, methodologies, practices and techniques we use in our measurement. To do so, we continuously engage with third-party auditors around the world to prove the soundness of our measurement methods. Learn more at https://www.comscore.com/About-comScore/Third-Party-Review.

 

Does the GDPR apply to comScore?

  • Yes. ‘Processing’ means any operation performed on personal data, such as collection, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destructing. As comScore collects, stores and uses personal data it is ‘processing’ personal data and subject to the rules under the GDPR.

The following are examples of our data sourcing:

  • Digital Audience Measurement: We have created an opt-in Total Home Panel® which can capture all forms of data that run through a home’s internet connection.  This expands our intelligence to include OTT and IOT behavior and is captured in an aggregate form.
  • Advertising Measurement:  We integrate many of our services with ad serving platforms.
    We collect data from our census digital network implementing software code, referred to as "tagging".
  • TV: We obtain television viewership information from satellite, telecommunications and cable operators covering set top boxes and Video OnDemand (VOD) viewership.
  • Movie Measurement: We measure gross receipts and attendance information from movie theaters.  

 

What ‘personal data’ does comScore collect?

As you can see from above, comScore collects personal data through a variety of ways, including directly from individuals who are panelists, from publishers or third parties that comScore may partner with. 

  • The types of personal data collected about individuals may include, for example, user demographic data (i.e. region, language, age group, gender, etc.), the types of cookies deployed to an individual’s device, URLs/websites and webpages visited and other web browsing activity data, device identifiers and information included in online forms the individual may have completed. 

 

What is the ePrivacy Regulation (ePR)?

  • The ePrivacy Regulation is a draft piece of legislation being discussed in the EU with the aim of reforming the existing ePrivacy Directive (aka ‘cookie directive’) which requires the user’s informed consent for the storing of information of a device or accessing that information (e.g. via a cookie or Advertising ID). It aims to align with the GDPR but as a sector-specific regulation for electronic communications, ComScore will need to comply with it as well as the GDPR. The ePrivacy Regulation has not yet been agreed upon and although there were suggestions that it would be finalized by May 2018, it is still in draft form. We will continue to monitor updates on the ePrivacy Regulation as necessary but it will not distract us from preparing for the GDPR.

 

What is comScore doing to comply with GDPR?

  • comScore has significant experience in protecting data, championing privacy, and complying with complex regulations. We believe that the GDPR is an important step forward for clarifying and enabling individual privacy rights. 
  • comScore is in the process of taking all necessary steps to comply with the GDPR, including evaluating all our data processing activities and reviewing contracts as well as privacy and security policies, and procedures, to ensure that they are in line with the GDPR in advance of the May 25, 2018 deadline.
  • We are also reviewing how we communicate our data processing activities and privacy policies in our ‘Privacy Notice’. The GDPR outlines very clear transparency requirements for organizations and we will be setting out the “who, how, what, why, where and what” of comScore’s data processing activities in clear and plain language.
  • comScore complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Economic Area and Switzerland to the United States. To learn more, please view our EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Statement
  • comScore has been actively engaged in several key industry and legal organizations to better understand the GDPR requirements.  These organizations include: ESOMAR, IAB GDRP Implementation Working Group, Association of Corporate Counsel (ACC), International Association of Privacy Professionals (IAPP).  

 

Can you provide some insight on your data security?

  • Our Information Security team has implemented a number of security controls pertaining to comScore’s business, including:
    • SSAE16 SOC 1 and SOC 2 compliant data centers
    • DDOS prevention service
    • Intrusion detection/prevention services
    • Encryption of data in transit and at rest
    • Disaster recovery plan and failover site
    • Security and privacy awareness training for employees and vendors

If you have additional questions, please contact us at privacy@comscore.com.

[1] https://www.gartner.com/newsroom/id/3701117
[2] Legal disclaimer: This should not be construed as legal advice nor is intended to be a complete listing of GDPR obligations.  comScore recommends that entities subject to legislation seek legal counsel from qualified sources.