Nielsen Marketing Cloud Services Privacy Statement
Updated: November 29, 2018
Nielsen Marketing Cloud (“Nielsen,” “we,” or “us”) is committed to protecting users’ privacy and handling their data in an open and transparent manner. This Privacy Statement describes the services that we provide to our clients and how we use, share, and protect the data that we gather about users in connection with our services. This Privacy Statement also describes users’ choices and legal rights in relation to their personal data.
The practices described in this Privacy Statement are undertaken by Nielsen companies providing Nielsen Marketing Cloud Services around the world. Learn more about Nielsen’s family of companies or contact Nielsen’s Privacy Department (see the “Contact Us” section below for our contact details) for more information.
This Privacy Statement does not apply to the data handling practices of website publishers and other parties who share data with Nielsen or those parties’ use of users’ data for interest-based advertising and other purposes. We encourage users to review the privacy statements of each platform, website, and mobile application (“mobile app”) that they access or use to learn how these parties may use their data.
Nielsen collects data from multiple sources about users’ online activity across websites, mobile apps, and devices (including laptops, smartphones, and televisions); sorts it into categories based on users’ demographics, interests, and preferences; and makes it available to advertisers, website publishers, and content providers (collectively, our “Clients”) in order to facilitate interest-based advertising and provide a more relevant advertising experience to consumers. We do not collect directly-identifiable data, such as names, email addresses, phone numbers, or social media user names from users in connection with our services.
We collect data from our own sources and from third parties, such as website publishers, mobile app developers, smart TV operators, and other providers of advertising technology and services in a variety of ways, including through the use of browser cookies, pixel tags, application software development kits (“SDKs”), and server-to-server connections with our partners. Additional details about our data collection practices and the different technologies we use to facilitate these activities can be found below.
- Pixel Tags. Pixel tags are small strings of code that provide a method for delivering an image on a web page or other document. Pixel tags allow the operator of the web page or other document (or a third party who serves the pixel tag) to set, read, and modify certain cookies. Pixel tags may also be used to gather data about the device being used to view that web page, such as the time a tag was sent, the user’s operating system and browser type, and similar data.
- SDKs. An SDK is a piece of code within a mobile app that provides functionality for the app. We use SDKs to collect data and transmit it to the Nielsen Marketing Cloud. This data includes a mobile advertising identifier (i.e., an Apple IDFA or Google Advertising ID), IP address, timestamp, general (not precise) location information derived from the device’s IP address, and data regarding the use of mobile apps on the device from which we make inferences about the demographics, interests, and/or preferences of users. We also receive data (such as user agent data and device ID) collected by or from users’ mobile devices.
- Server-to-Server Connections. We may obtain data, such as user agent header, IP address, or unique device ID, that relates to users’ browsers, mobile devices, and television use from other online and offline third-party sources directly through connections to their servers and various secure data transfer methods.
As part of our efforts to comply with the EU General Data Protection Regulation (&lquo;GDPR”) when processing personal data or accessing and/storing data on users’ devices using cookies and similar technologies (e.g., pixel tags and device identifiers), the Nielsen Marketing Cloud signed up as a vendor under the IAB Europe’s Transparency & Consent Framework in May 2018. For additional information about the Framework, please visit http://advertisingconsent.eu. (http://advertisingconsent.eu/vendor-list/).
Generally, we and our Clients use the data collected in order to gain better insights on users and allow our Clients to deliver more effective and relevant advertising and content to users. For example, data about a user’s visits to different websites may be used to make inferences about the types of ads and content that may interest the user. We and our Clients also may use the data collected in browsers for advertising, analytics, or ad reporting purposes or to improve our services.
We may use and combine data collected from different sources, including data from third-party sources, to help our Clients create a more personalized advertising and online experience for users.
We may also use data about a user’s activity across multiple, unaffiliated third-party mobile apps to predict the types of ads that may interest the user. We share this data and data about a user’s visits to different websites with our Clients to identify an ad, a group of ads, or content to be displayed on a particular computer or device. We may combine the data collected with a user’s mobile device advertising identifier and retain it for up to 120 days from the date of the user’s last online activity.
We may receive and create non-sensitive health/lifestyle-related segments (i.e., categories of users grouped by common traits or preferences) to enable our Clients to deliver interest-based ads to users in web browsers and mobile apps. Examples of such segments include: Cycling, Diet and Fitness, Diet and Weight Loss, Digestive Health-Yogurt, Fitness and Exercise, Health and Beauty, Health Food, Running, Skin Care, and Yoga.
We may use data we collect or receive from advertising technology partners and our Clients, including smart television providers, website publishers, and mobile app providers, to make a deterministic or statistical match of mobile device advertising identifiers and cookie identifiers. For example, we or our partners may match a user’s devices if the user logs in to the same online service on multiple devices or web browsers or if the user’s devices share similar attributes that support an inference that they belong to the same user. We also may use such data to match a user’s interests across devices, as well as for analytics, ad reporting, or to improve our services.
We may retain information about device matches for up to 13 months from a user’s last online activity.
BASIS FOR PROCESSING USERS’ PERSONAL DATA
Applicable law in certain countries requires us to set out in this Privacy Statement the legal basis upon which we rely in order to process users’ personal data.
For personal data collected about users in the European Union (“EU”)/European Economic Area (“EEA”), we rely on one of the legal bases below in order to process such data.
- Consent: We rely on the consent that we or our data providers obtain from users in order to perform our services and help our Clients deliver more effective and relevant advertising and content to users.
- Legitimate interests: We may rely on our legitimate interests to process users’ personal data, provided that such interests are not overridden by users’ interests, fundamental rights, or freedoms. In particular, we may process users’ personal data in reliance on a legitimate interest in the effective and lawful operation of our business as well as the effective delivery and improvement of our products, services, and websites.
- Compliance with legal obligations: We may process users’ personal data if necessary for us to comply with a legal obligation arising under an applicable law to which we are subject.
Users that have questions or concerns about the legal basis upon which we collect and use their personal data can contact us at email@example.com.
USERS’ ABILITY TO OPT OUT AND OTHER CHOICES & LEGAL RIGHTS
We are committed to providing users with choices with respect to how we process their personal data. This section describes how users can exercise these choices.
OPTING OUT AND OBJECTING TO OUR USE OF PERSONAL DATA
We provide users with multiple ways to opt out of our use of their data, as described below.
WEB BROWSERS OR SMART TELEVISIONS
After opting out, users will no longer be included in the ad and content targeting activities that are conducted online or via smart television platforms via our services. Users will still receive online and television ads and content, but these ads and content may not be as personalized or relevant to the users. Nielsen makes efforts to work with different ad platforms to ensure opt out requests are communicated and addressed in a timely manner, but changes may not take immediate effect, depending on the platform.
If a user changes devices or browsers, uses multiple devices or browsers, or deletes their cookies, they will need to repeat the opt-out process for each device and each browser. Users may download a browser plugin that will help them maintain their opt-out choices even if they delete certain cookies from their browser by visiting http://www.aboutads.info/PMC. Please note that ongoing changes by browser manufacturers to their default settings may interfere with our opt-out functionality.
Nielsen Marketing Cloud is a member of several interest-based advertising self-regulatory groups, including the Digital Advertising Alliance (“DAA”), European Interactive Digital Advertising Alliance (“EDAA”), and Network Advertising Initiative (“NAI”), and adheres to the self-regulatory principles and/or codes of conduct of each organization. Users may opt out of our processing of their data by using the opt-out tools and consumer choice mechanisms provided by each of these interest-based advertising self-regulatory groups by following the links below:
Please note that Nielsen Marketing Cloud’s participation in these organizations may appear under the “eXelate” name.
We honor “Do Not Track” signals set in certain browsers by not tracking a user’s web viewing data while “Do Not Track” is turned on in the user’s browser settings. We currently honor signals set in Chrome, Firefox, Safari, and certain versions of Internet Explorer.
Because mobile app environments do not accept cookies, the opt-out methods described above may not work when a user is in the mobile app environment. Users who would like to exercise opt-out control while in the mobile app environment, may, therefore, want to download the AppChoices App provided by the DAA relevant for their mobile platform using the links below on each of their mobile devices and by setting their preferences within each app.
Note: Users that have reset their mobile device advertising identifiers will also need to reset their preferences within the AppChoices App.
CROSS-DEVICE MATCHING OPT OUT
Users who wish to opt out of our cross-device matching, may do so by using the tools identified in each of the “Web Browsers” and “Mobile Apps” sub-sections above.
Once a user has opted out using the tools for web browsers and mobile apps, we will disassociate the data collected on the user’s browser or device from which the user has opted out from the other browsers or devices that we may have matched to it. Similarly, we will disassociate the data collected on other browsers or devices from the device from which the user has opted out. In order to opt out on all browsers and devices that we may have matched, the user will need to opt out separately on each device and each browser that they use.
ADDITIONAL CHOICES & LEGAL RIGHTS
Depending on their country of residence, under applicable law users may also have the right to:
- request confirmation as to whether or not we are processing personal data about them;
- request access to or copies of the personal data we hold about them and request that we update or correct such data (where applicable);
- request that their personal data be transferred to another organization in a structured, commonly used, and machine-readable format (to the extent applicable);
- request that we delete the personal data we hold about them; and
- lodge a complaint with the data protection or privacy authority in their country of residence regarding our processing of their personal data.
Users that are interested in exercising one or more of the rights described above should fill out a form here.
Note: We may require proof of an individual’s identity before we can give effect to the above-listed rights.
Additional information for users residing in the EU/EEA
Users that have questions or concerns about our collection or use of their personal data can contact our EU Data Protection Officer at firstname.lastname@example.org.
Users that are unsatisfied with the way in which we have handled their personal data or any privacy query or request that they have raised to us have the right to complain to the Data Protection Authority (“DPA”) in their country of residence or the location where the issue that is the subject of their complaint occurred. Users can find the contact details of all national DPAs by visiting: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.
DATA DISCLOSURES AND TRANSFERS
We may disclose data collected through or in connection with our services with various parties for certain purposes, as described below.
- We share data within the Nielsen group of companies to allow Nielsen’s media measurement business to provide more detailed reports for Nielsen’s other customers. For example, Nielsen Marketing Cloud cookie data allows Nielsen to let its advertising customers know whether consumers who clicked on an ad tend to fit into segments of inferred commercial interests, such as an interest in sports, gardening, or cars. This helps Nielsen’s customers refine their advertising and other marketing-related communications.
- We may share aggregate, anonymized data with our Clients and other third parties in connection with reporting and accounting needs as well as with other unaffiliated third parties for various purposes, such as advertising and statistical or educational analysis.
- We use data obtained (as described in the “Data Collection” section above) about different websites a user has visited, content a user has viewed on a television, and/or mobile apps a user has used over time in order to group cookie identifiers or mobile device advertising identifiers into various categories based on demographics, interests, and/or preferences. For example, a particular browser or device may be identified as a member of one or more interest categories (e.g., an interest in green living, golf, or action movies) when the browser or device visits certain web pages or mobile apps that are operated by our Clients. The particular categories that a cookie identifier or mobile device advertising identifier might fall into are dynamic and change based on a user’s ongoing browsing history or mobile app use. We also create custom categories for our Clients based on demographics and interests (e.g., females aged 26-40 who are interested in sports, clothing, and travel and live in a certain region). Our Clients identify the categories of individuals to whom they wish to target specific ads, and we provide them with cookie identifiers, IP addresses, or mobile device advertising identifiers that match those categories, which they or their partners (e.g., advertising agencies) can then use to deliver ads. Any time a user deletes their cookies or resets their mobile device advertising identifier, we stop associating new data to those identifiers. As described above in the “Users’ Ability to Opt Out and Other Choices & Legal Rights” section, a user who clears their cookies and/or resets their mobile device advertising identifier is treated as a new user, and new data will be collected and associated with the new cookie identifier or mobile device advertising identifier.
- We share data with third parties that provide services to us, such as system hosting, management, and support; data analysis; data backup; and security and storage services.
- We may share data if we have a legal obligation to do so or where we believe it is necessary to protect the rights, property, or safety of any person. In the event of a corporate transaction, such as a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with a bankruptcy or similar proceeding), all data collected or maintained by us may be shared with relevant third parties.
All of these disclosures may result in the transfer of personal data to countries or regions with data protection laws that differ from those in a user’s country of residence. In cases where users’ personal data is transferred outside of their country of residence, we will ensure that there are adequate safeguards in place to protect their data.
Additional information for users residing in the EU/EEA
Where EU/EEA-based users’ personal data will be transferred to a country that has not been recognized by the European Commission as providing an adequate level of protection, the safeguards put in place by us might include a data transfer agreement with the data recipient based on standard contractual clauses approved by the European Commission for transfers of personal data to countries not providing an adequate level of protection. Further details relating to the transfers described above and the safeguards used with respect to such transfers can be requested by contacting us at email@example.com.
DATA RETENTION AND SECURITY
We retain pseudonymized log file data, including cookie data, web browsing data, and mobile browsing and app usage data for up to 120 days from the date of a user’s last online activity for ad targeting purposes. Aggregated data may be retained for other purposes, including analytics, for up to 13 months.
We use generally-accepted industry security standards including physical, electronic, and administrative safeguards that are designed to help protect the data that we collect, use, and retain. However, please note that no security measures are perfect, and there can be no absolute assurance of security.
We understand the importance of protecting the privacy of children, especially in the online environment. Our products and services are not designed for or directed at children under the age of 13. We do not knowingly solicit, collect, or maintain personal data from children under the age of 13. Similarly, we prohibit our third-party data providers from providing us with personal data from websites and mobile apps directed at children under the age of 13 or from knowingly sharing with us data relating to children under the age of 13. If we become aware that we have collected or received personal data relating to a child, we will take reasonable steps to delete it.
CHANGES TO THIS PRIVACY STATEMENT
We may update or revise this Privacy Statement as needed from time to time in light of, for example, changing business or personal data processing practices, technology, or legal requirements. When we make changes to this Privacy Statement, we will amend the “Last updated” date at the bottom of this page. We encourage users to visit this page periodically to review any updates and remain informed about how we are processing and protecting personal data.
Should you have questions relating to this Privacy Statement or Nielsen Marketing Cloud’s privacy practices, please email us at: firstname.lastname@example.org or write us at:
For EEA residents:
Oxford Business Park South
John Smith Drive
Oxford OX4 2WB
Attn.: Legal Dept.
For residents in all other countries:
85 Broad Street
New York, NY 10004
Attn.: Legal Dept.