AdTech Dictionary

California Consumer Privacy Act 2018 (CCPA)

A California state privacy statute responsible for enhancing privacy rights and consumer protection for California residents. It will only apply to companies if certain thresholds are met in terms of revenues and/or numbers of users in California.

California Privacy Rights Act (CPRA)

A California state statute to protect the rights of residents of California by tightening Business regulations on the use of Personal Information. The CPRA established the CPPA and also amends some provisions of the CCPA. The CPRA is now fully effective, and enforcement will be able to look back as far as January 1, 2022.

California Privacy Protection Agency

A new agency, created by the CPRA, which has “full administrative power, authority, and jurisdiction to implement and enforce” the CCPA. The role was previously held by the California Attorney General.

Campaign

A group of advertisements across different mediums, all with the same shared message and desire to achieve the same overall outcome.

Campaign Optimization

Campaign Optimization encompasses actions by an organization to improve their performance across various digital marketing channels. Using key performance indicators like (i) return on ad spend; (ii) cost per click; and (iii) conversion rates, organizations ensure that they are getting the most out of the marketing efforts while increasing return on investment.

Clean Rooms

Secure environments built to allow parties to share and access insights from another party’s data sets in a privacy enhanced way since raw data does not leave the clean room and only aggregated data is shared.

Click-Through Rate (CTR)

A metric that will often be seen in advertising agreements and may help determine success or payment criteria. The CTR measures the success of online advertisements by determining the percentage of people that actually click on the advertisement, for example, to arrive at the hyperlinked website. Note, a CTR does not go as far as a Conversion Rate.

Colorado Privacy Act (CPA)

A Colorado state statute to protect the data privacy rights of Colorado residents by imposing obligations and restrictions on qualifying Businesses’ collection, use and sharing of Personal Data about Colorado residents. The CPA is very similar to the VCDPA in Virginia. Both laws employ terminology and principles that reflect the GDPR more than California’s CCPA – for example, the terms Personal Data (rather than Personal Information), Controllers and Processors are used.

Consent

The precise definition varies depending on the applicable law. Under the GDPR, consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as it is to give. In the U.S., consent standards vary depending on the context of the data Processing, as well as the type and sensitivity of the data which is Processed. Under the recently enacted CPRA and similar comprehensive privacy statutes in Virginia and Colorado (VCDPA and CPA, respectively), the definition of Consent will generally align with the GDPR’s freely given, specific, informed and unambiguous standard.

Content Optimisation System (COS)

A software platform that acts as a content management system and provides users with a personalised website interaction experience.

Conversion

A defined action showing the success of an advertisement. For example, signing up to a newsletter or making a purchase.

Conversion Rate

Similar to a CTR, the Conversion Rate is another metric for looking at the success or Conversion of advertisements.

Cookie

A Cookie is a text file of data that is placed on a user’s device when they are browsing a website. They may have various purposes (see, for example, Analytic Cookie or Advertising Cookie) but have in common that they identify individual behaviour. Even though Cookies will not generally directly identify an individual, the data is treated as Personal Data for the purposes of GDPR and is subject to PECR. Other laws may specify that Cookies are only subject to them if they collect Personal Data. Care is needed with the term “Cookie” since it can be used quite broadly to cover other similar technologies which aren’t strictly Cookies – for example, Pixels.

Cookie or Consent Management Platform (CMP)

Most commonly CMP stands for a Consent Management Platform but sometimes more narrowly relating to a Cookie Management Platform. Essentially, it is a means to collect Consents for Cookies or similar technologies under PECR or GDPR, or other comprehensive privacy legislation. Typically, companies will licence a CMP and there are various vendors who provide these, although there is nothing to stop a company creating and operating its own CMP. CMPs come in different forms – for example, some may specifically be IAB and TCF compliant. They are most commonly seen on websites but can also be engaged for the collection and management of permissions in mobile apps and even in CTV environments.

Cost per Click (CPC)

Used to determine the price paid each time a user has clicked on the relevant advertisement.

Cost per Mille / Cost per Thousand (CPM)

The cost an Advertiser pays for one thousand views or Impressions of an advertisement.

Cross- Context Behavioural Advertising (CCBA)

A California-specific legal term referring to the targeting of advertising to a consumer based on the consumer’s Personal Information obtained from the consumer’s activity across Businesses, distinctly-branded websites, applications, or services, other than the Business, distinctly-branded website, application, or service with which the consumer intentionally interacts. See also Targeted Advertising.

Custom Audience

An advertising technique to target advertisements at a particular defined audience or audience segment. It generally involves an Advertiser providing certain data of its customers – for example, an email, postcode or IP address, to a third party which, via a matching process, then determines which of those customers are also users of the third party and should then be targeted with the advertisement. For example, an Advertiser may provide data to a social media platform so that the social media platform can serve a promotional advertisement in the feed of customers that the Advertiser knows will likely be interested to see it. Sometimes an independent third party entity may be used for the matching service.

Customer Data Platforms (CDPs)

A collection of software which help companies stitch together data from different sources to create a unified, persistent customer profile that provides data transparency and granularity at the known, individual level.

Dark Pattern

A user interface designed or manipulated with the intention of subverting or impairing user autonomy, decision making or choice. There are multiple regulations that discuss Dark Patterns, including under consumer law, GDPR, DSA and DMA. In particular, the use of Dark Patterns can prevent effective Consent if it is not deemed to be freely given.

Data Aggregation

The combination of sets of data for the purpose of statistically analysing data trends while protecting individual privacy by using groups of individuals with similar characteristics rather than isolating one individual at a time. According to the IAPP, effective Data Aggregation requires: (i) use of a large population of individuals; (ii) categories of data that create broad sets of individuals; and (iii) not including data that would be unique to a single individual in the data set.

Data Analytics

The exercise of examining large raw data sets to unearth patterns and user preferences to draw a conclusion or insights. It may enable Advertisers to target their advertisements to the right user or to draw insights as to what techniques or Campaigns are the most successful.

Data Broker

Legal definitions may vary, but a Data Broker is generally an entity that collects, aggregates and/or sells individuals’ Personal Data, derivatives and inferences from disparate public or private sources, often without a direct relationship to the affected individuals. As of February 2022, two US states, Vermont and California, have enacted laws requiring qualifying Data Brokers to register with state regulators.

Data Controller

A term under the GDPR and UK GDPR and other data protection legislation, including Virginia’s VCDPA and Colorado’s CPA, which means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Data Management Platform (DMP)

A data platform used to collect and organise data, which is made available to other platforms such as DSPs, SSPs, and Ad Exchanges, to be used for Targeted Advertising, personalisation and content customisation.

Data Processor

A term under the GDPR and UK GDPR and other data protection legislation, including Virginia’s VCDPA and Colorado’s CPA, which means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller.

Data Protection Act 2018 (DPA)

The UK legislation embodying GDPR which regulates how Personal Data is used by businesses, organisations and the government.

Data Protection and Digital Information (No. 2) Bill

The UK’s draft bill aims to introduce certain changes to the UK GDPR, DPA and PECR, in particular with updates to the Cookie requirements, exempting so-called lower risk Cookies from requiring a banner or Consent mechanism. Consent, however, will still be necessary to carry out Targeted Advertising.

Data Protection Impact Assessment (DPIA)

A DPIA is required in some circumstances under GDPR (notably where Processing is high risk) and under other international privacy legislation to assess the potential risks of Processing individuals’ Personal Data. It is an important part of the GDPR’s and other data protection legislation’s accountability requirements and is often used in the context of extensive Profiling and targeted marketing.

Data Sharing Code

The UK data protection regulator’s statutory Data Sharing Code of practice which came into force on 5 October 2021 as updated or amended from time to time. It sets out guidelines and expectations around data sharing which is particularly relevant in the context of adtech, where Personal Data may be shared between multiple different stakeholders.

Data Visualisation Platform

Software that collates numerous data outputs from systems – for example, advertising performance and website analytics. The collated data is analysed into a graphical representation, which highlights patterns, trends and correlations.

Demand-side platform (DSP)

A technology platform that enables Advertisers to buy Ad Inventory from Publishers. The platform utilises many real-time bidding (RTB) capabilities.

Deterministic Matching

Deterministic Matching is the process of identifying an exact match of records. In media, this is often used to identify the same consumer across different devices by matching the same user profiles together.

Device Fingerprinting

A tracking technique to identify devices and therefore user interactions and behaviours. This is often used for Targeted Advertising. Even where Cookies are not used, Device Fingerprinting may still fall under the requirements for Consent under privacy legislation such as the PECR and GDPR in the EU and UK depending on the configuration and set up.

Device ID

A unique, string of numbers and letters that identifies individual smartphones or tablets, such as the Google Advertising ID (GAID).

Digital Advertising Alliance (DAA)

An adtech industry self-regulatory association that maintains and enforces the principle-based AdChoices program and publishes a series of self-regulatory principles related to several forms of online advertising, including mobile advertising, political advertising, and online Behavioural Advertising.

Digital Markets Act (DMA)

A new piece of EU legislation that is now in force. The DMA places a ban on tracking end users outside of a qualifying gatekeeper’s core platform service for the purpose of Targeted Advertising, without effective Consent having been given. Gatekeepers must also perform an independent audit covering all the Profiling methods used across core platform services and send this to the European Commission, as well as making an overview of the audit report publicly available.

Digital Services Act (DSA)

A new EU regulation that becomes fully effective in February 2024. The DSA introduces a strict prohibition on carrying out Profiling based on special categories of personal data (such as health, religion, sexuality or ethnicity data) or the personal data of those aged under 18 for the purposes of Targeted Advertising. The DSA also introduces several advertising-specific obligations which relate to information provision, ad transparency, content reporting, illegal ads and repositories, as well as a ban on the use of Dark Patterns on online interfaces.

Dynamic Ad Insertion (DAI)

A technology that allows the insertion of advertisements into linear, live or video-on-demand content in a way that is targeted – i.e. a viewer in one household won’t necessarily see the same advertisement as a viewer in another.

Editorial Adjacency Guidelines

Advertisers can impose contractual Editorial Adjacency Guidelines to control what content is placed adjacent to their advertisement – for example, to prevent against harmful or inappropriate content. The IAB publish model guidelines from time to time. It can be challenging to monitor the implementation of such content restrictions.

Federal Trade Commission (FTC)

An independent US government agency responsible for enforcement of civil US antitrust law and the promotion of consumer protection.

Federated Learning of Cohorts (FLoC)

This concept used to be a key component of the GPS proposals, the ideal being to group people into “cohorts” based on their browsing history and then Advertisers are able to advertise to their chosen cohorts. The cohorts change regularly. The concept has now been replaced with Topics.

Frequency Capping

A software that limits how many times a given advertisement will be shown to the same person during a session or within a specified time period.

First Party Cookies

Cookies set directly by the host, i.e. the first website that is visited by the user, to help understand users’ online behaviours. They are sometimes seen as less invasive for users since they don’t automatically involve data sharing as the website may only use them for its own purposes.

First Party Data

Data that an organisation collects directly from a user usually from direct interactions – for example, customers who have registered with them. The data could be anything and does not have to be specific to Cookies.

FLEDGE

A component of the GPS proposals that relates to Remarketing / Retargeting and is designed so that it “cannot be used by third parties to track user browsing behaviour across sites”.

Functional Cookies

Cookies used to provide a personalised experience and to make the website easier to use. For example, remembering log-in details to make it easier to log-in next time the user accesses the website.

General Data Protection Regulation (GDPR)

The primary piece of legislation relating to privacy in the EU and also implemented in the UK. It came into force in May 2018. Where adtech involves Personal Data, it will be caught by and needs to comply with GDPR.

General Invalid Traffic (GIVT)

Traffic that is generated by known industry crawlers or that is otherwise readily-detectible – for example, activities like switching websites every five seconds for twelve straight hours.

Global Privacy Control (GPC)

A proposed specification initiated by various stake- holders in the US to enable individuals to notify online services of their privacy preferences. It can take the form of a setting within a browser or an extension that an individual can install. When enabled, it sends a signal communicating the individual’s preferences about the sale or sharing of their data to each site. The current legal status of GPCs in the US is unclear. The technical specifications of a universally enforceable GPC remain undefined, but this has not stopped the California Attorney General’s Office from stating its intention to require Businesses to honor GPCs as valid opt out signals, and the CPRA seeks to give Businesses the option of honoring GPCs in lieu of providing other opt out functionality.

Google Privacy Sandbox (GPS)

An initiative led by Google to create website standards for websites to access user information without compromising privacy. Its core purpose is to facilitate online advertising without the use of Third Party Cookies.

Identifier For Advertisers (IDFA)

Created by Apple for iOS devices. IDFA is similar to a standard Cookie but IDFA is linked to the device rather than the browser. It enables Advertisers to be notified when a user clicks on an advertisement, installs, uses or interacts with the advertisement within the app.

Identity Graph

Database that houses all the known identifiers that correlate with individual customers. An identity graph collects personal identifiers such as email addresses, physical addresses, mobile phone numbers, device IDs, and account usernames and connects them to a customer’s profile and any related data points, including behavioral data like browsing activity or purchase history.

Identity Resolution

The process of integrating identifiers across available touchpoints and devices with behavior, transaction, and contextual information into a cohesive and addressable consumer profile.

Identifier-Based Protocols

Using an identifier to collect an individual’s preference and transmit it to other market participants. Depending on the specific solution, once an individual provides their data, they can then set their preferences about its use. The identifier may be further Processed and also shared with other organisations.

Impression

The number of times an advertisement is displayed – for example, an advertisement appearing in a user’s social media feed. It is not the same as an active click or view.

Insertion Order

An agreement between a Publisher and Advertiser to run a Campaign.

Interactive Advertising Bureau (IAB)

The industry body for digital advertising, with offices in the UK, Europe, North America, and Southeast Asia and India. The IAB promotes industry collaboration to develop standards, best practices, and critical research and provide educational resources.

International Association of Privacy Professionals (IAPP)

A non-profit membership association for professionals with access to resources on global privacy information. Founded in 2000 in the US with an office in Belgium and an Asia-Pacific support line.

Interim Measures on Administration of Internet Advertisements

A major piece of legislation relating to online advertisements and supplemental to the China Advertisement Law. It was adopted on 4 July 2016 and came into effect on 1 September 2016. It sets out the controls attached to online advertising. Where adtech involves the carrying out of advertising activities via the Internet, it will be caught by and need to comply with the regulation. A draft amendment has been published and the amended legislation is expected to be promulgated in 2022.

Location Data

Definitions may vary under applicable law but, generally, Location Data indicates the geographical position of a device (or device user), including data relating to the latitude, longitude, or altitude of the device, the direction of travel of the user, or the time the location information was recorded.

Lookalike Audience

A tool that dissects followers and user characteristics – for example, interests, how they look and actions taken. The tool looks for commonalities within users to create a Lookalike Audience. This enables Advertisers to target Lookalike Audiences that they would not normally have been able to reach.

Media Trading Desk

A service provided by an agency or a third party software solution. It is situated between the advertiser and the supply and demand platforms, and networks to purchase media to provide planning, management, and optimization of programmatic advertising campaigns.

Network Advertising Initiative (NAI)

A self-regulatory organisation in the US whose members agree to adhere to higher than-legally- mandated standards of consumer choice and consumer knowledge in online advertising. The NAI publishes a code of conduct that members agree to adhere to and which covers interest based advertising, advertisement delivery and reporting, and Retargeting / Remarketing, among other topics. The NAI monitors its member’s compliance, works with allegedly non-complaint members to suggest recommended improvements, and reserves the right to refer matters to the FTC.

NOYB – European Centre for Digital Rights

Based in Austria, NOYB promotes public awareness of freedom, democracy and consumer protection in the digital sphere with a focus on consumer rights, privacy rights, self-determination, data protection, freedom of expression, freedom of information, human rights and the fundamental right to an effective remedy.

Non-Human Traffic (NHT) Online Tracking

NHT generally refers to Bot traffic and other visits to a website that are not generated by a human being. Bot traffic accounts for a substantial percentage of all web- site traffic, and many forms of NHT are non-fraudulent and serve benign purposes like indexing pages for search engines or testing website functionality and performance. In the advertisement measurement context, however, NHT is at best a form of statistical “noise” and in many instances refers to intentional, fraudulent efforts to generate false ad Impressions or clicks that inflate apparent site traffic or ad click rates. Fraudulent forms of NHT include both GIVT and SIVT.

Online Safety Bill (OSB)

A draft bill by the UK government, which is expected to receive royal assent later this year. The OSB includes provisions for criminalizing fraudulent advertisements, as well as obligations to remove content that is illegal (or prohibited by the terms of use) and content that is harmful to children. The OSB will also give adult users the ability to tailor the types of legal but harmful content they are offered by an online service.

Online Tracking

The practice by which operators of websites and third parties collect, store and share data about users and their interactions online.

Performance Marketing

A type of digital marketing where brands only pay marketing service providers once their business goals are met or when specific actions are completed, such as a click, sale, or lead.

Personal Data

Defined in the GDPR and under other international privacy legislation to cover information relating to an identified or identifiable living individual. Under the GDPR, specifically, it includes obvious data such as a name, email address, identification number, and Location Data, but in the specific context of adtech also covers identifiers such as IP address, Cookie or advertising ID.

Personal Data Breach

Defined in the GDPR, it covers a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data or unavailability of Personal Data. Materially similar definitions appear in the laws of jurisdictions in Asia that have enacted mandatory data breach notification laws, for example Singapore, the Philippines and Australia.

Personal Data Privacy Ordinance (PDPO)

The primary piece of legislation relating to data protection in Hong Kong. It was passed in 1995 and took effect in December 1996 save for certain provisions. Where adtech involves Personal Data, it will be caught by and need to comply with the PDPO.

Personal Data Protection Act 2012 (2020 Rev. Edition) (PDPA)

The primary piece of legislation relating to data protection in Singapore. It was passed in 2012 and came into full force in July 2014. The PDPA was revised substantially in 2021 to include new and expanded exceptions to Consent, enhance restrictions on direct marketing, and introduce mandatory breach notifications (among others). Where adtech involves Personal Data, it will be caught by and need to comply with the PDPA.

Personal Information

Under California’s CCPA and CPRA, Personal Information is broadly defined as any “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal Information is similar in breadth and scope to Personal Data as defined in other comprehensive privacy laws in other US states (e.g. Virginia and Colorado), as well as under the GDPR in Europe and the UK.

Personal Information Protection Law (PIPL)

The primary piece of legislation relating to personal information protection and privacy in the People’s Republic of China. It was adopted on 20 August 2021 and came into effect on 1 November 2021. Where adtech involves Personal Data, it will be caught by and need to comply with the PIPL.

Personalisation Engine

A software that powers an Advertiser’s website, mobile app, email to enable them to deliver customised experiences for users based on the users previous activity. This allows data to be tailored to the user.

Pixel

A graphic embedded in banner advertisements, emails, and website to track user behavior and interactions with the website, similar to a Cookie.

Predictive Analytics

This uses marketing and advertising data to preempt what users are most likely to do next. It enables the ability to gain a more informed view of users to customise future advertisements.

Privacy and Electronic Communications Regulations (PECR) / ePrivacy Directive

PECR is sometimes also referred to as the ePrivacy Directive. This is old EU legislation dating back to 2012 but it is still valid (although currently under review) and sets out the privacy rights of individuals in relation to electronic communication including, in the context of adtech, key rules around direct marketing and Cookies. The EU Directive was implemented into EU Member State laws and therefore there are variations between countries. The UK, despite having left the EU now, continues to enforce through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2003.

Processing, Processes, Processed, Process

Any activity that involves the use of Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third parties.

Probabilistic Data

A group of users that have been accurately Profiled so that they can be correctly targeted.

Probabilistic Matching

The process of identifying what is likely a match of records through the use of models and other statistical methods.

Profiling

Defined in the GDPR as any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability behavior and location of movements. However, outside of the GDPR, the term is widely used with this general meaning in the industry.

Programmatic Buying

Automatic process of buying and selling of digital advertisement placements. Sometimes, but not always, this is through RTB.

Reach & Frequency

Publisher An owner and supplier of digital advertisement space online. They provide Advertisers with the ability to purchase and display their advertisements on the Publisher’s website or other content mediums.

Real -Time Bidding (RTB)

The number of people an advertiser reached with an ad. Frequency is the number of times an ad reaches a particular consumer. Advertising buyers bid for advertising space for a defined audience and, if the bid is won (i.e. the price is highest), the buyer’s advertisement is (nearly) instantly displayed on the Publisher’s site, without the user being aware of the auction.

Retargeting / Remarketing

A digital marketing tactic serving advertisements to consumers who have previously engaged via site visits or email sign-ups, where the prior engagement did not result in a sale or Conversion. For example, a user may have been browsing holidays on one site and then, moving to a new site, they see advertisements for holidays from that original site there.

Second Party Data

One organisation’s First Party Data that another organisation purchases/licences.

Sell, Selling, Sale of Personal Information

A California-specific term under the CCPA and CPRA referring to the sharing of consumer Personal Information in exchange for money “or other valuable consideration”. The scope of application of the definition has been debated in the adtech industry since the enactment of the CCPA due to disagreement about many species of Third Party Data transfers: some have maintained that virtually any transfer of data that permits a Third Party to use consumer Personal Information for its own commercial purposes constitutes a “sale” under the CCPA; others have drawn the line more narrowly, depending on the nature of the contractual consideration. CPRA attempts to moot this debate in the adtech context by introducing a complementary definition for “sharing” that covers most Third Party exchanges of data for CCBA purposes, irrespective of whether there is monetary or other valuable consideration.

Service Provider (and Contractor)

Under the CCPA and CPRA, a Service Provider is an entity that receives consumer Personal Information from a Business and Processes that data on the Business’s behalf for specific, contractually enumerated purposes. Like Contractors, consumers cannot opt out of a Business’s transmission of data to a Service Provider, so long as appropriate contractual controls are in place between the Service Provider and Business. The primary difference between Contractors and Service Providers is that a Contractor is an entity to which a Business makes consumer data available (though not for the Contractor’s own commercial purposes), while a Service Provider is an entity that Processes data on the Business’s behalf. Additionally, Businesses’ agreements with Contractors must contain some additional terms to certify and ensure Contractors’ ongoing compliance with applicable law.

Sophisticated Invalid Traffic (SIVT)

Fraudulent traffic patterns that are designed to avoid simple, detectible patterns and which often require advanced analysis and significant human intervention to detect.

Strictly Necessary Cookies

Cookies that are necessary to enable the basic features of the website to function. For example, providing secure log-in or remembering how far a user is through an online order. In the UK and EU, Consent is not required for Strictly Necessary.

Supply-side platform (SSP)

A technology platform that helps Publishers manage their Ad Inventory while maximising potential revenue. SSPs allow Publishers to manage their inventory in real-time, prioritising their own direct buys first (which net them more money), and then uploading their unsold inventory to the Ad Exchanges. SSP reporting capabilities also provide insight into what inventory is selling best and at what price point.

Tag

A piece of code inserted within a webpage that triggers an http(s) request to an Advertising Server, providing information such as the Cookie, page URL, screen resolution, and browser information, and allows for an advertisement to load.

Targeted Advertising

A Colorado and Virginia-specific term referring to the display of advertisements to a consumer where the advertisement is selected based on Personal Data obtained from that consumer’s activities over time and across non-affiliated web- sites or online applications to predict such consumer’s preferences or interests. See also CCBA.

Taxonomy

A way of organising and classifying data into categories and subcategories to enable greater segmentation and filtering.

Third Party

Under the CCPA and CPRA, a Third Party is a catch- all term for entities that receive consumer Personal Information from a Business, but which do not meet the definitions of Contractor (CPRA only) or Service Provider (both CCPA and CPRA). Third Parties are typically entities that receive consumer Personal Information with the intention of using or onward sharing that data for their own commercial purposes, rather than to perform discrete, contractually limited services on behalf of the Business (e.g. a Data Broker or aggregator, rather than a cloud storage provider). Under the CCPA, Businesses are not required to have specific agreements in place with Third Parties. However, under the CPRA, Businesses will be required to enter agreements with all Third Party partners specifying, among other things, the specific, limited purposes for which data is Sold or otherwise disclosed.

Third Party Cookies

Cookies set by a separate company through the website being visited by the user.

Third Party Data

Data purchased from organisations that were not the original collectors of the data, such as Data Brokers or aggregators.

The Trade Desk

An independent media buying platform (DSP) where Advertisers can purchase digital advertisements. Founded in 2009 in the US, with offices across the US and also in London, Asia, Australia and Europe.

Topics

A key concept of GPS, a proposed new system for interest based advertisements with 5 key ‘Topics’ used to identify user interests based on web browsing activity from participating websites each week.

Transparency and Consent Framework (TCF)

The TCF for digital marketing and advertising, developed by IAB Europe, aims to communicate an individual’s preferences between online services and other participants within the advertising data supply chain. It provides a means of transmitting signals of Consent from a user to vendors working with Publishers using a CMP.

Trust Tokens

A GPS proposal that intends to enable websites to convey a limited amount of information from one browsing context to another to help combat Ad Fraud.

Unified ID 2.0 (UID 2.0)

A universal Cookie ID proposal developed by The Trade Desk that utilises a user’s email address to create an encrypted, rotating, randomised numerical ID as a substitute for Third Party Cookies that is intended to work across all mobile operating systems.

User-Agent Reduction

A GPS proposal that intends to limit browser data shared to remove sensitive information and reduce Device Fingerprinting.

Unique User / Device ID (UDID)

An identifier assigned to a device or user that lasts until the device is reset or the account is deleted.

Unique Visitor

A Unique Visitor is someone who visits a site more than once within a period of time.

Video Ad Serving Template (VAST)

A standardised set of specifications developed by the IAB that define the requirements for serving advertisements to video playback sources online. The specifications are delivered in the form of a script which allows video players to interpret information about the advertisement being served.

Video Player Ad Serving Interface Definition (VPAID)

An advertisement template that allows a rich interactive user experience within stream video advertisements.

Virginia Consumer Data Protection Act (VCDPA)

A Virginia state statute to protect the data privacy rights of Virginia residents by imposing obligations and restrictions on qualifying Businesses’ collection, use and sharing of Personal Data about Virginia residents. The VCDPA is very similar to the CPA in Colorado. Both laws employ terminology and principles that reflect the GDPR more than California’s CCPA – for example, the terms Personal Data (rather than Personal Information), Controllers and Processors are used.

Walled Garden

A closed platform or closed ecosystem where the technology provider has significant control over the hardware, applications, or content.