The General Data Protection Regulation (GDPR)


Getting Started

The General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Its core aim is to protect the rights of the end-consumer, including protecting the end consumer’s right to understand what, why, how data is collected. 

The GDPR is the largest update to be made to data privacy legislation in Europe in more than 30 years. The law replaces the Data Protection Regulation, which was enacted in 1988 but fails to cover the types and uses of data that have developed as digital technology has expanded.

Choozle has a long-standing commitment to using quality data sources, providing transparency and supporting our partner’s responsible use of data. We commissioned an independent audit, completed by the independent UK-based consultancy The Programmatic Advisory, in anticipation of the enforcement deadline. The results validated our product, partnerships, policies, and processes, are in compliance with the General Data Protection Regulation (GDPR). We're committed to the underlying goal of the GDPR to improve the collection and management of data used in digital advertising.

We are pleased to provide a FAQ Sheet that breaks down the nuances of the GDPR, available here. We will make available the final documentation of our audit once available, and look forward to incorporating additional features into our platform that support a responsible collection, management, and usage of personal data. We're looking forward to being part of the solution with you and welcome you to reach out to the Choozle Support Center with any additional questions, or email with any concerns.

What Makes the GDPR Unique

  1. The GDPR regulates all personal data - the definition of personal data is broader under the GDPR and includes cookies, advertiser IDs, race, ethnicity, origin, political affiliation, genetics, demographic and financial information, as well as basic identifiers like name, email or phone number.

  2. The GDPR impacts where you operate, not where you’re based - The GDPR impacts companies who interact with European residents and covers any engagement with the end-user. It is important to note that the GDPR covers residents of the European Economic Area (EEA), which may or may not be residents of the EU (ie - the United Kingdom).
  3. Companies need to justify the personal data collection - There are six ways under the GDPR to justify legally processing data. "Consent" and "legitimate interest" are the two ways that are most likely to cover data usage in digital advertising. How these terms will be interpreted remains to be seen and legal precedent will clarify how far these justifications can be stretched.
  4. The rights of the individual are the focus + extended - The GDPR is drafted to protect the end consumer first, with the interests and conveniences of businesses coming secondarily. Under the GDPR, individuals have the right to:
    • Be informed of the data collection occurrence + extent
    • Have access to the data collected + access to why
    • Rectify/change the collection
    • Object or refuse the collection
    • Erase the collected data
    • Restrict the processing/collection of the data
    • Port out their data
  5. There are different types of responsibility parties - Controllers are entities that collect data and manage how the data is used. Processors may merely be facilitating a specific use of the data on behalf of the controller.

How Choozle Prepared for the GDPR

  • A large part of the Choozle platform was built after the GDPR was adopted (April 2016) so the tenants of the legislation were part of our minimum build requirements.
  • We have been a compliant partner of the Network Advertising Initiative (NAI), who also manages our cookie-based opt-out.
  • Most of our technical partners were already Privacy Shield-compliant, which is the closest accreditation in effect prior to the GDPR.
  • Choozle leveraged added capabilities from our Smart Container tag partner, Ensighten, to create a more intelligent cookie collection protocol in Choozle's Smart Container tag which will inhibit North American advertiser accounts from collecting EU cookie profiles.
  • Commissioned an independent audit by UK-based Programmatic Advisory consultancy, which included:
    • Assessment of all data flows within our workflows - from the external website to first-party data management

    • Review of Choozle's technical partners including their policies and processes

    • Thorough interview and research process of Choozle's product, policies and processes

    • Review of our communication protocols at every type and stage of interaction

  • GDPR and the results of our audit have validated our commitment to using quality data sources, providing transparency, and supporting our partners' responsible use of data.

  • In 2018, Choozle was confirmed as being Privacy Shield compliant under both the European and Swiss Frameworks.

What You Can Do to Be GDPR Compliant

  • Confirm your clients have a Privacy Policy on their website that explicitly states the use of and reason for utilizing Choozle’s Smart Container tag and data-targeting features. That statement to garner the user’s consent can read something like:
    We collect and use your information to help understand our customer needs, and provide a tailored experience for how you interact with our brand. The information is only distributed to the services we use to help us execute this unique content experience for you.
  • Review your CRM lists to ensure no emails exist for residents of Europe, and that you have permission from your brand to continue using old first-party data sets within Choozle.
  • Assess the processes, platforms, and partners you work with to confirm how data is collected, stored, and utilized is GDPR compliant.
  • If you need assistance running campaigns targeting Europe, create a new advertiser account whose region type is the European Region, set up your campaign using European-specific data sets, and reach out to the Choozle Support team for any assistance.


  • Is there a certificate? - While there is no "certificate" to show you are GDPR compliant, the third-party audit of our platforms, processes, and partnerships validates our commitment to data privacy and that we are GDPR compliant.

  • How do you know you are compliant? - We commissioned an independent audit from a UK-based consultancy, The Programmatic Advisory to validate that we process data lawfully.

  • What will happen after GDPR goes into effect? - Your Choozle account and its campaigns will continue to run as normal.

  • NOTE: Due to data privacy compliance, we do not allow or accept the transfer of any PII, including CRM lists.