An ad tech contract, or advertising technology contract seeks to regulate the relationship between parties wishing to use technology and software platforms to facilitate the buying, selling, and delivery of digital advertising.
This article introduces several heavily negotiated areas of ad tech contracts namely: data, fraud and cyber security.
As a publisher or advertiser, if you’re unsure on how to approach a deal or overcome key negotiation points, then our technology solicitors can help. Drawing on yeas of experience, we can guide you through the contract considerations in ad tech.
- Who are the parties to an ad tech contract?
- Why is it important to focus on data within an ad tech contract?
- What data is typically collected in ad tech contracts?
- How is that data owned, used and shared? Why do you need to know?
- Take down mechanisms
- Ad fraud protections
- Cyber security – what does it mean?
Who are the parties to an ad tech contract?
The parties to an ad tech contract can vary, depending on the specific arrangement and the nature of the services being provided, but typically will include:
- Ad tech provider: the person or organisation offering the advertising technology services.
- Advertiser/Client: the person or organisation seeking to promote their products, services, or brand through digital advertising.
- Publisher/App developer: the person or organisation, which owns and operates websites, apps, or other digital properties where advertising is displayed.
Why is it important to focus on data within an ad tech contract?
The ad tech industry is based on data-driven advertising strategies.
As a result, data is a valuable asset and the treatment of that data is not only protected in a variety of jurisdictions by a raft of legal regulations and bodies as outlined in our article, legal considerations for digital advertising, but it will also be protected against theft and other illegal use by sophisticated cyber security measures.
An ad tech contract will typically provide clarity on data ownership, usage, compliance and who does what in terms of data governance, privacy and data protection. Additionally, the contract will provide clarity in terms of measures to combat data breaches, hacks and fraudulent activity.
What data is typically collected in ad tech contracts?
Ad tech contracts typically involve the collection and processing of a high volume of sensitive and personal data, including the following:
- Audience data: including demographics, user interests, behaviour, location, devices used and preferences.
- Ad performance data: such as impressions, clicks, conversions, and engagement rates.
- Website/App data: including information about page views, session duration, navigation patterns, and user interactions.
- Data collected directly from the advertiser such as customer profiles, purchase history, loyalty program data, or other proprietary information.
- Cookie and tracking data: such as user behaviour across websites and apps.
As a result, data privacy is a crucial consideration in ad tech contracts, which will set out rights and obligations to ensure responsible data handling, compliance with laws, mitigation of risks and the appropriate management of any data breaches.
How is that data owned, used and shared? Why do you need to know?
An ad tech contract will clearly define who owns the valuable data generated through the performance of the ad tech services. This is typically the advertiser. Ownership allows them to control how the data is used, shared and analysed, supporting brand and reputation protection and providing data monetisation and licensing opportunities. Equally, the data owner is often responsible for ensuring that the data is collected and processed in accordance with any data protection and privacy laws.
Data usage and sharing
In addition to ownership, an ad tech contract will typically outline how any generated data can be used and shared and for what purposes. For example, the contract may specify that the ad tech provider may only use the data to provide the contracted services and for a specified period, after which the data must be deleted. These limitations protect the advertiser’s data and brand and ensure that the ad tech provider gives appropriate undertakings around data protection, privacy and confidentiality.
If an ad tech provider wishes to share the data with another party, then consent from the advertiser to do this must be provided in the ad tech contract together with any restrictions on the use of the data by the third party.
Cookies enable the delivery of personalised and targeted ads based on a user’s browsing history.
For further reading see our guide to GDPR and cookie consent.
Data processing agreement
A data processing agreement (DPA) governs the processing of personal data. It is typically used when a data controller (the entity that determines the purposes and means of data processing) engages a data processor (a person or organisation that processes personal data) to process personal data.
Whilst an ad tech contract may include some provisions related to data processing, a separate DPA is often necessary to address the specific requirements imposed by specific data protection and privacy laws, including an outline of the responsibilities and obligations of both the ad tech provider (the data processor) and the client/advertiser (the data controller). These responsibilities will typically include details of the purpose, scope and duration of the data processing; measures to be implemented to ensure the security and confidentiality of personal data and procedures for handling data subject rights requests, such as access, rectification, or erasure of personal data.
Take down mechanisms
Take down mechanisms in ad tech contracts govern the removal or ‘take down’ of certain content or ads. These are needed in situations of legal non-compliance, infringement of intellectual property rights or data privacy issues or breach of contract.
The process for take down will include notice requirements, protection of data and of intellectual property rights and details of how the parties will deal with any alleged breach of contract.
Ad fraud protections
Ad fraud occurs when ads are not seen by real but by fake users, inflating impressions, clicks and conversion data.
Any ad tech contract will contain provisions to safeguard against ad fraud including requiring the ad tech provider to employ sophisticated tools and technologies to filter out illegitimate sources and to place any adverts on trusted platforms in viewable positions.
By including these, advertisers attempt to mitigate the risks associated with ad fraud, enhance the transparency and effectiveness of their campaigns, and establish a framework for cooperation with the ad tech provider in combating fraudulent activities so that the advertiser only pays for genuine user interactions. In the event of breach of these obligations by the ad tech provider, the advertiser may well be able to terminate the contract and seek damages.
Cyber security – what does it mean?
The parties to ad tech contracts will seek to employ cyber security in order to protect data, systems, and infrastructure from cyber threats. As well as ensuring compliance with any relevant cyber security regulations, they adopt measures such as data encryption, security systems and regular security assessments and audit to mitigate the risk of data breaches, unauthorized access, and other cyber security incidents.
If a breach occurs, the contract will provide for notification and remedial action and will establish any applicable remedies between the parties.