Tinuiti Data Processing Position

Tinuiti is proud to offer its audience planning, media activation, and advanced measurement offerings to its customers in the service of maximizing the realization of their business objectives. As part of offering our services, we may both process personal information on our customers’ behalf, as well as store the information that is provided to us onto our network and servers. We take our obligations as a data steward seriously and are providing you with information in this communication about how we safeguard the information we process on our customers’ behalf. 

Data Privacy Compliance

1. Tinuiti’s Role

Tinuiti collects, stores, discloses, and processes personal information on behalf of our customers to offer the marketing and analytics services requested by our customers. In this role, Tinuiti operates as a “processor” or “service provider” and our customers are the “controllers” or “businesses” in relation to the personal information they provide Tinuiti. Tinuiti’s customers determine the purposes and means of processing the information they provide to Tinuiti. Tinuiti has agreed to a data processing agreement (DPA) with our customers that identifies both parties’ roles and responsibilities with regard to such data. Tinuiti’s obligations under the DPA include assisting our customers with their compliance requirements under applicable data protection laws, such as by adhering to any data subject requests that are passed down to us.  

Importantly, to the extent Tinuiti processes personal information as a processor or service provider (or processes PHI as a business associate), we do not use such information for our own commercial purposes. To the extent that Tinuiti is a controller with respect to any personal information we process in the ordinary course of business, we take steps to comply with all applicable legal obligations. To learn more about Tinuiti’s data processing activities, please review our Privacy Policy. 

2. Data Processing Roles in the Advertising Data Ecosystem

While Tinuiti acts as a processor or service provider, other participants in the process of delivering advertising to consumers may take other processing roles. These broadly include:

• Tinuiti’s Sub-Processors.  Tinuiti engages platform and tooling providers, such as public cloud infrastructure providers, to aid in hosting and managing our services. Tinuiti conducts due diligence on the privacy and security maturity of these providers, and enters into appropriate data processing agreements and information security terms to ensure that our customers’ data is protected from unauthorized use or disclosure.  These providers act only as a processor or service provider, and are subject to obligations no less protective of our customers than are reflected in our customer agreements.
• Publishers. “Publishers” provide the capability and inventory that allows advertisers to run ads in their apps, sites, or other content delivered to consumers. Publishers typically have a direct relationship with the consumers who make up their audience, and accordingly typically act as a data controller or business under applicable privacy laws. Depending on the nature of the advertising activity, publishers may disclose or receive personal information from advertisers and other participants in the advertising data ecosystem. That exchange of information is regulated under applicable privacy laws, particularly those limiting sale or sharing of personal information.
• Other Technology Providers. Providers of other technologies, such as advertising pixels, advertising networks, DSPs and other advertising and technology tools may take varying roles depending on the nature of the services they provide.  For example, providers of cross-contextual behavioral advertising (as described below) cannot be categorized as service providers. Tinuiti’s customers may direct us to engage with these providers and disclose their personal information. 
• Blended Roles.  In some circumstances the same party may take different roles for different activities it undertakes. For example, a provider may take a processor or service provider role for services related to measurement, but a controller or third party for services related to targeting or cross-contextual behavioral advertising.

These roles have significant implications for privacy compliance, and the roles taken can be determined by a blend of contractual requirements, data and system design and configurations, and policies related to data use and disclosure. Some of the compliance considerations associated with these roles are detailed below.

3. Emerging Regulatory Compliance Considerations

In recent years the advertising industry has faced an increasingly complicated and stringent data privacy regulatory environment. Multiple states within the US have introduced new compliance requirements specifically targeted at the advertising industry, and regulators in the European Union and elsewhere have increased their scrutiny of advertising activities.  These requirements include data collection limitations and requirements, use and sharing restrictions, new consent requirements, new risk assessment requirements, and other new obligations and guidelines. A few key impacts on Tinuiti’s services to our clients include the below.

• “Third Parties” and Independent Data Controllers. While Tinuiti acts as a processor or service provider for its customers, where a customer directs Tinuiti to perform certain services such as targeting, the services may involve disclosing data to publishing platforms acting as a “third party” or independent data controller. This kind of disclosure may be subject to restrictions on selling/sharing personal data, or may require consent from the individual. To manage these disclosures in a compliant manner Tinuiti will work with our customers to effectively implement user opt outs and consents, such as by removing opted out individuals from advertising data sets on the customer’s request.
• Combination of Personal Information from Multiple Sources. Certain privacy regulations impose restrictions on combining personal information from multiple sources. For example, the California Consumer Privacy Act (CCPA) restricts service providers from combining personal data of opted-out consumers with data collected from another source except in limited circumstances.  Additionally, combining personal data from multiple sources can be considered an elevated-risk processing activity, subject to additional analysis requirements. Tinuiti is committed to working with our customers to navigate the complicated data management challenges posed by these requirements.
• Cross-Contextual Behavioral Advertising. Performance of cross-contextual behavioral advertising, which means the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across multiple businesses, automatically results in its provider being considered a “third party” under the CCPA. This designation makes a transfer of personal information to that provider to be considered sale or sharing of personal information, subject to the opt-out provisions of the CCPA. Tinuiti itself does not provide cross-contextual behavioral advertising, but rather we may engage cross-contextual behavioral advertising providers on our customers’ behalf. Engagements with these providers are managed as a disclosure to a third party as described above.
• Targeted Advertising. In numerous states and under certain non-US privacy laws, targeted advertising may require express individual consent or additional risk assessments. Tinuiti is prepared to assist our customers in managing data in Tinuiti’s control, and in providing information about our activities as needed to support these additional compliance requirements.

Tinuiti is happy to discuss how we can help our customers in managing these compliance issues, as well as any other applicable requirements, within our services.

Data Security

Tinuiti also takes its obligations seriously with regard to safeguarding the personal information it processes and stores on behalf of its customers. The specific security measures we implement include: 

• Strict data access controls to prevent unauthorized use or disclosure of customer data
• Encryption of customer data in transit and at rest
• Privacy and security-by-design, including using hashed or anonymous data when feasible
• SOC2 certification 
• Regular SEIM monitoring and penetration tests 
• Ongoing use of static code analysis tools, security training and best practices 

We also regularly conduct security risk assessments to ensure that our processes, policies, and procedures are up to date.  

How to Learn More

If you have any questions about how we protect your data, please do not hesitate to reach out to your client contact directly or email us at [email protected].