MEDIAMATH USER POLICY
Last updated 1 March 2023
Your use of any services (“Services”) provided by MediaMath, Inc. (“MediaMath”, “we”, “us”) is subject to the following policies (“Policies”). We reserve the right to change or modify any portion of these Policies at any time without notice and this User Policy is intended to be updated over time as legislation is updated, and legal requirements, regulatory practice, business practices, business needs and other relevant factors change.
Please periodically visit this page to review the current Policies so you are aware of any revisions to which you are bound.
- Your use of the Services must comply with all applicable laws, regulations, and self-regulatory group guidelines, including but not limited to, the Network Advertising Initiative (“NAI”) Code of Conduct, the Digital Advertising Alliance (“DAA”)’s Self-Regulatory Principles for Online Behavioral Advertising and Application of Self-Regulatory Principles to the Mobile Environment (“DAA Principles”), the DAA’s Application of the Self-Regulatory Principles of Transparency and Control to Data Used Across Devices, the DAA’s Application of the Self-Regulatory Principles of Transparency & Accountability to Political Advertising, European Interactive Digital Advertising Alliance (“EDAA”) guiding principles set out in the European Industry Self-Regulatory Framework for Data-Driven Advertising and the Best Practice Recommendation for Online Behavioural Advertising of the European Advertising Standards Alliance (“EASA”), the Digital Advertising Alliance of Canada (DAAC) Self-Regulatory Principles of Online Behavioural Advertising and Transparency for Political Advertising, the Interactive Advertising Bureau (“IAB”) Europe EU Framework for Online Behavioral Advertising, the Australian Digital Advertising Alliance’s (“ADAA”) Best Practice Guideline for Interest Based Advertising, and the Asia-Pacific Economic Cooperation (“APEC”) Privacy Framework, regardless of your membership status with any of these organizations.
2.Your use of the Services must comply with all applicable requirements and guidelines provided by the exchanges or media supply sources from which you purchase media inventory through the Services. For examples of such polices, please visit the Knowledge Base.
MediaMath Creative Policy
The following categories of Creative are prohibited when using the Services, and MediaMath in its sole discretion may pause and/or require immediate removal of any creatives not in full compliance with these prohibitions and requirements. “Creative” refers to ad units, landing pages, or any other content related to or used in connection with the serving of ads using the Services.
|Category||Description and Examples|
|Ad Fraud||Creative associated with any activity designed to sell advertising under fraudulent pretenses, including but not limited to non-human traffic, tag hijacking, hidden ads, domain spoofing, cookie stuffing, generating fake impressions or clicks, misrepresenting advertiser characteristics (such as the landing page URL, advertiser vertical, etc.), reselling of ads under false pretenses, (e.g., misrepresenting the publisher or the type of ad unit), etc. MediaMath reserves the right to identify novel categories and types of Ad Fraud as they emerge.|
|Auto-audio||Creative that automatically initiates audio without the user’s explicit engagement or action.|
|Auto-downloads||Creative that contains, or provides access to, any files that execute or download software without intentional user interaction. Other than expected behavior that follows industry ad quality standards, such as direction to a landing page, clicking on, scrolling over, or otherwise interacting with an ad must also not initiate a download or display of any type of file or other content. Compliance-related ad content or features that may include any automatic elements (e.g. mandated pharmaceutical disclosures, etc.) may require review and assessment by MediaMath to ensure conformity to both compliance needs and ad quality standards. MediaMath at its sole discretion may pause and/or remove any creatives that it determines are not acceptable.|
|Auto-redirects||Creative that automatically redirects a user to other sites or applications, without the user’s explicit engagement or action.|
|Deceptive or Misleading||Creative that attempts to trick or deceive a user into taking some action (e.g., “click bait” Creative, Creative that resemble user interface elements, Creative that displays fake errors or warnings, such as warnings about viruses, missing codecs, or corrupt disks, etc.) or markets false or unrealistic promises such as extreme weight loss, anti-aging, etc.|
|Defamation||Creative that depicts, contains, or provides access to material that is damaging to the reputation of another.|
|Delayed Load||Creative consistently taking more than two seconds to initiate the user ad experience.|
|False Claims, Misinformation, and Disinformation||Creative that makes verifiably false or otherwise misleading claims or that otherwise facilitates the dissemination and/or propagation or promotion of verifiably false or misleading information or content is strictly prohibited. MediaMath at its sole discretion may pause and/or remove any creative that it determines violates this policy, whether or not such violation is determined to be intentional. MediaMath may additionally at its sole discretion prevent ad delivery on content determined to promote false claims, misinformation, and disinformation.|
|Government Forms or Services||Creative that depicts, contains, or provides access to offers that charge for government forms or services that are available for a lesser charge or free from the government.|
|Hate Speech||Creative that depicts, contains, or provides access to content that incites violence or prejudicial action towards a protected individual or group; or content that disparages or intimidates a protected individual or group.|
|Illegal||Creative that is, or that MediaMath reasonably believes is, likely to be in violation of any applicable law, regulation or court order.|
|Illegal Drugs||Creative featuring or promoting the sale of illegal drugs, pharmaceuticals, or drug paraphernalia. Select creative featuring cannabis-related products may be acceptable where compliant with local law and the “Cannabis Products” section of this User Policy.|
|Implied Knowledge||Creative that implies knowledge of personally identifiable information or any of the following sensitive characteristics about the user to whom the Ad was targeted:
§ Adult activities (including alcohol, gambling, adult dating, etc.)
§ Commission or alleged commission of any crime
§ Divorce or marital separation
§ Health (including mental health) or medical information
§ Negative financial status or situation
§ Political affiliation (other than the public registration information of United States voters)
§ Precise location of the user at that moment or at any time in the past
§ Racial or ethnic information
§ Religion or religious belief
§ Sexual behavior or orientation
§ Status as a child (“Child) under the age defined in that jurisdiction. Trade union membership or affiliation. For example regarding racial, ethnic, or religious information, an Ad may not state “Explore your Jewish heritage” because this implies knowledge of the user’s religion or ethnic background. An Ad stating “Learn about Judaism” would be allowed. For an example related to health or mental health, an ad may not state “your bipolar disorder” or “your heart condition.” An ad stating “this product helps with bipolar disorder” or “this medication helps with heart conditions” would be allowed. A generic phrase such as “Ask your doctor about this medication” would not necessarily be problematic. The key question is whether or not the phrasing implies specific information about the individual’s own condition. Similarly, an Ad for coffee may be delivered when a consumer is near a coffee shop, but the Ad may not state “Coffee is just a few steps away” because this implies knowledge of the user’s precise location at that moment.
Ad creatives including implied knowledge of any sensitive characteristics are strictly prohibited, and MediaMath in its sole discretion may require immediate removal of any offending creatives.
|Interferes with User Navigation||Creative that disrupts the user’s ability to navigate their experience, e.g., by preventing a user from leaving a page by opening modal dialogs or pop-up windows.|
|Interferes with Another Party’s Content||Creative that obscures, replaces, or modifies another party’s ads or content.|
|Invalid or Improper Classification||Creative that is improperly classified and/or missing classification with respect to its characteristics, including but not limited to:
§ Improper classification of Creative that cycles through multiple advertisers
§ Improper classification of Creative running in-banner video (i.e., video ads running within standard display units)
§ Improper classification of a Creative’s landing page URL
§ Improper classification of Creative that auto-plays (i.e., Creative that initiates video play without the user’s explicit engagement or action)
§ Improper classification of Creative action, such as expandable or pop-up action
§ Improper classification of Creative descriptors, such as the advertiser vertical, language, etc.
§ Missing entire or partial classification
|Lost Video Impression Opportunities||Video creatives where an auction is won but the impression does not serve / creative does not load (e.g., because the VAST is blank or the ad server opts out after winning the impression).|
|Malware and Malvertising||Creative that contains, installs, links to, or prompts the download of any malware, Trojan horse, virus, or any other malicious code. MediaMath reserves the right to identify novel malware types as they emerge. Creative that in any way includes malvertising instances as defined by the TAG (Trustworthy Accountability Group) Malvertising Taxonomy is also strictly prohibited. MediaMath in its sole discretion may require immediate removal of any offending creatives.|
|Morally Reprehensible||Creative that MediaMath reasonably deems to be morally reprehensible or patently offensive, and without redeeming social value.|
|Phishing||Creative designed to obtain information from a user under false pretenses (e.g., attempting to extract financial information by posing as a legitimate company, etc.).|
|Piracy||Creative that MediaMath reasonably believes (a) contains content that does, or is likely to, infringe or misappropriate a copyright, trademark, trade secret, or patent of a third party or (b) promotes or induces infringement or misappropriation of a copyright, trademark, trade secret, or patent of a third party. Creative which in any way facilitates the above is strictly prohibited.|
|Pornography and Adult Content||Creative that depicts, contains or otherwise advertises pornography, nudity, obscenity, and other material of a sexual nature.
Materials of a sexual nature may include, but are not limited to:
§ Escort services and prostitution
§ Sexual encounters or dating sites which focus on facilitating sexual encounters
§ Full and partial nudity, where the latter exposes an intimate body part
§ Cosmetic procedures and products focusing on intimate body parts
§ Lewd images and language
§ Sexual entertainment, e.g., strip clubs, adult movies, sexually suggestive live streaming and chat
This policy may be applied along additional factors that may vary by jurisdiction, context and cultural sensitivities, and MediaMath at its sole discretion may permit or prohibit creative on this basis.
|Reselling||Creative involved in any transaction in which the buyer of an impression triggers a subsequent external auction or creative where the original restrictions and constraints of the seller/publisher are not respected (e.g., buying a display creative and reselling as video creative).|
|Violence||Creative that depicts, contains, or provides access to violent content or content that glorifies human suffering, death, self-harm, violence against animals, or contains graphic or violent images.|
|Weapons||Creative that primarily features the sale of, or instructions to create, bombs, guns, firearms, ammunition or other weapons or weapons accessories.
Examples of weapons and weapon accessories include, but are not limited to:
§ Guns, including airsoft guns, air guns, blow guns, paintball guns, antique guns, replica guns, and imitation guns
§ Gun parts and accessories, including gun mounts, grips, magazines, safes, racks and ammunition
§ Rental of guns (other than from shooting ranges)
§ Stun guns, taser guns, mace, pepper spray, or other similar self-defense weapons
§ Swords, machetes, and other edged or bladed weapons
§ Explosives, bombs, and bomb making supplies or equipment
§ Fireworks, flamethrowers, and other pyrotechnic devices
§ Knives, including butterfly knives, fighting knives, switchblades, disguised knives, and throwing stars
The following categories of Creative are restricted when using the Services. MediaMath in its sole discretion may require immediate removal of any creatives which fail to adhere to these guidelines:
|Cannabis||Cannabis-related advertising (advertising products derived from the cannabis plant, including the compounds THC or cannabidiol, as well as any other hemp-derived products; hereafter “Cannabis Ads”) is permitted in select jurisdictions, only.
Advertisers who wish to serve Cannabis Ads must complete an intake questionnaire and submit their creative to MediaMath for approval. Only approved advertisers and their approved campaigns may serve Cannabis Ads, provided they and their creative comply with the Advertising Standards published by the National Association of Cannabis Businesses, available at https://www.nacb.com/advertising in addition to the remainder of the MediaMath User Policy and any Cannabis-specific setup guidelines. Where local Cannabis laws and regulations may differ from NACB guidelines, deference is given to the local legal and regulatory framework. Due to the evolving nature of the regulatory landscape around cannabis products, MediaMath reserves the right to reject advertisers or creative for any reason. Please contact your MediaMath representative for details on the approval process.
Regardless of jurisdiction, targeted audiences for cannabis products may not include users based on any knowledge or inferences about substance abuse, rehab, depression, or other sensitive factors. This prohibition includes geofencing locations associated with sensitive health conditions, such as drug rehabilitation services. Before retargeting based on site visits, clients must receive confirmation that users are above the legal age in the applicable jurisdiction. This can take the form of a dialogue box where a user must indicate their age before entering the site.
Advertisers may only run cannabis ads on MediaMath-approved publishers and exchanges. Not all website and app publishers or exchanges accept Cannabis Ads. Publishers and exchanges may further restrict Cannabis Ads beyond this policy. If you are unsure whether a publisher or exchange will accept Cannabis Ads, please contact your MediaMath account representative.
|Downloads||Where Creative links directly or indirectly to a site that contain software, the software must:
§ Not contain malware;
§ Provide the user with clear and conspicuous notice about all material functionality;
§ Obtain informed consent from the user prior to download or installation;
§ Provide an easy-to-use uninstall to the user; and
§ Allow the user to maintain control over his or her computing environment.
|Political||For the purpose of this Policy, Political Ads shall include any paid-for communications that promote or oppose a political party, a candidate at any level of government for public office, or a ballot initiative, or that attempt to influence political opinion or actions including advertising that takes a position on an issue associated with a registered party or candidate, even if the name of that party, candidate, or initiative is not explicitly mentioned.
The following requirements apply to Clients using the Services to run Political Ads:
1. Clients running Political Ads must do so in MediaMath platform advertiser and campaign entities dedicated to political advertising and separate from any nonpolitical advertising. No MediaMath platform advertiser or campaign should contain both political and nonpolitical ads.
2. Clients must flag as political all MediaMath platform advertiser and campaign entities via which Political Ads are run.
§ Advertisers must be flagged as political by enabling the “Political Advertiser” toggle on the Admin > New/Edit Advertiser screen.
§ Campaigns must be flagged as political by checking the “Political Campaign” checkbox on the New/Edit Campaign screen under Advanced Settings.
3. As noted above, clients may not run Creative (political or nonpolitical) that makes a demonstrably false claim. Given the importance of a robust political dialogue to democracy and the challenges in evaluating the truth of every political claim, we expect to enforce this requirement in a very limited number of instances and for clear violations. Examples of such violations include but are not limited to creative:
§ That indicates or implies that people should vote on the wrong day or by text message, that or a candidate has died
§ That makes misleading claims about the census process
§ That includes doctored media (“deep fakes”)
§ That otherwise makes demonstrably false claims that could significantly undermine voter participation or trust in an electoral or democratic process
4. Clients running Political Ads in the United States must adhere to the DAA’s Application of the Self-Regulatory Principles of Transparency & Accountability to Political Advertising. Clients are responsible for inserting the purple Political Ads icon into their Creative. The client may elect to insert the icon themselves or leverage MediaMath’s in-platform capabilities to do so. Additional setup may be required.
5. Clients running Political Ads in Canada must adhere to the DAAC Self-Regulatory Principle of Transparency for Political Advertising. Clients are responsible for inserting the purple Political Ads icon into their Creative. MediaMath does not provide this service.
6. Political Ads are subject to review by MediaMath and may require additional screening and intake requirements.
7. Clients interested in running Political Ads in non-US or non-Canadian jurisdictions should contact their MediaMath representative. Local rules regarding paid political advertising vary significantly such that MediaMath’s services may be limited or unavailable, and MediaMath at its sole discretion will assess whether to permit or reject such requests on a case by case basis.
8. Clients are responsible prior to submitting a request for non-US or non-Canadian advertising for being fully versed in the local laws, regulations, rules and requirements and must provide evidence of their research and knowledge regarding the same to MediaMath upon request. If such advertising is permitted by MediaMath, advertisers must strictly adhere to all such local laws, regulations, rules, and requirements.
9. MediaMath at its sole discretion may permit or prohibit political advertising in any given jurisdiction based on its assessment whether such advertising may be reasonably expected to pose potential liabilities or business, reputational, or security risk to MediaMath or its partners or where political advertising in the given jurisdiction cannot be assured to otherwise follow MediaMath policies regarding political advertising or advertising generally.
|Tobacco, E-Cigarettes, and Related Products||MediaMath clients must comply with all applicable laws and industry self-regulations related to tobacco or e-cigarette advertising in the jurisdictions that they operate, collect data, and serve ads. This includes any laws or regulations related to creative content and the minimum age of targeted or prospected users.
MediaMath’s supply sources may have their own policies and may be more restrictive than this Policy. Clients are responsible for ensuring their ads are compliant with suppliers’ policies.
This Policy also applies to non-tobacco products or products that only contain nicotine. MediaMath considers these types of products as tobacco products and thus subject to all laws and regulations applicable to the jurisdictions in which the client will be operating.
Clients are responsible for ensuring that they target this content properly, including any necessary targeting to avoid underage users. Please reach out to your MediaMath account representative with any questions.
MediaMath Pixeling Policy
The following policies apply to your placement of MediaMath pixels on digital properties, including on Web sites, in emails, and in mobile applications (“Digital Properties”). MediaMath in its sole discretion may remove pixels that do not comply with this policy.
|General Requirements||1. You may place MediaMath pixels only on those Digital Properties for which you have the necessary rights and authorizations to do so.
2. Where data is collected by a third party from your Digital Properties for Interest-Based Advertising (“IBA”), Cross-App Advertising (“CAA”), or Retargeting (“Retargeting”), you must provide notice of this data collection and the choices available to users, as specified by relevant regional privacy regulations. IBA refers to the collection of data across web domains owned and operated by different entities for the purpose of delivering Ads based on preferences or interests known or inferred from the data collected. CAA refers to the collection of data through applications owned or operated by different entities on a particular device for the purpose of delivering Ads based on preferences or interests known or inferred from the data collected. Retargeting is the practice of collecting data about a user’s activity on one Digital Property for the purpose of delivering an ad based on that data on a different, unaffiliated Digital Property.
3. Consistent with the DAA Principles, you may not place MediaMath pixels in toolbars or other locations such that data may be collected from all or substantially all URLs traversed by a web browser across Web sites or all or substantially all applications on a device for IBA, CAA, or Retargeting without MediaMath’s prior review and approval of your consent mechanism. Clients interested in having MediaMath review such a mechanism should reach out to their MediaMath account manager.
4. Sites and creatives on which you place MediaMath pixels must comply with all other aspects of this User Policy.
|Children||MediaMath pixels may not be placed on Digital Properties directed at Children (“Child-Directed Digital Properties”).|
|Sensitive Health Conditions||MediaMath pixels may not be placed on Digital Properties related to sensitive health conditions for IBA, CAA, or Retargeting purposes without the user’s specific opt-in consent. MediaMath must review and approve your consent mechanism before you place MediaMath pixels for such purposes.
Clients may place MediaMath pixels on Digital Properties related to sensitive health conditions for other purposes, such as Ad Delivery and Reporting (“ADR”) without the user’s opt-in consent. ADR is separate and distinct from IBA, CAA, and Retargeting and refers to the collection of data from a computer or device to (i) facilitate the delivery of an ad, or (ii) provide advertising-related services that are not tied to the end user’s known or inferred interests (e.g., frequency capping).
For more information on what constitutes a sensitive health condition, please see MediaMath’s Targeting Policy below.
Note regarding Health Data Targeting: new federal legal restrictions mean some conditions may be reclassified as sensitive and the above NAI guidelines may be revised.
Please consult your own legal counsel before proceeding.
MediaMath Targeting Policy
The following policies apply to your targeting of ad units (“Ads”) to users through the Services. The policies listed below apply whether you are targeting users based on data collected from Digital Properties (IBA, CAA, or Retargeting) or through data collected about the user offline (“User-Matched Ads”). MediaMath in its sole discretion may require immediate removal and/or pause ad delivery of any targeting that fails to adhere to these policies.
|General Requirements||1. You must provide notice of IBA, CAA, and Retargeting data collection and use practices, and the choices available to users, in or around Ads that are informed by IBA (“IBA Ads”), CAA (“CAA Ads”), or Retargeting (“Retargeting Ads”). You can meet your notice and choice obligations by placing the AdChoices Icon on each such Ad you serve using the Services. MediaMath will add the AdChoices icon on behalf of any client who does not opt out of this service and provide written confirmation of their compliance via an alternate mechanism. A small fee will apply.|
|Alcohol||Ads that promote alcohol or alcoholic beverages are restricted by region and may only be targeted to users that (i) reside in a jurisdiction where alcohol advertising is permitted, and (ii) are of the legal age to purchase alcohol within that jurisdiction. Alcohol-related Ads must not be designed, or appear to be designed, to appeal to underage purchasers.|
|Brand Safety and Brand Suitability||Brand Safety and Brand Suitability protections are the client’s sole responsibility when using the Services, with the exception of platform-wide protections which MediaMath may choose to enforce based on its own assessment of needs through tools such as its proprietary Universal Block List. Brand Safety and Brand Suitability tools are available via selective options available for users in the MediaMath Platform, including but not limited to third party contextual Brand Safety and Brand Suitability segments, exclusion and inclusion lists, and post-bid tagging solutions. MediaMath makes no warranties regarding the effectiveness of third party solutions that may be available within the MediaMath Platform. Any assessment of the effectiveness of these solutions is left to the client to determine, and MediaMath makes no guarantees with respect to these solutions.|
|Buying Power||You may not target Ads on the basis of negative aspects of that user’s financial status. Examples of prohibited practices include targeting:
§ Credit card Ads to users on the basis of their low credit ratings
§ Debt consolidation services Ads to users with high debt loads
§ Legal service Ads to users on the basis of financial information showing that they are at a higher risk of bankruptcy
You are also not permitted to use data collected from IBA, CAA, or Retargeting to determine a user’s credit eligibility.
|Children||In connection with your use of the Service, you may not:
§ Serve targeted ads on Child-Directed Digital Properties
§ Target an Ad based on the prior online activity of a user of Child-Directed Digital Properties
§ Create segments that target or are intended to target Children
|Criminal Actions||You may not target Ads on the basis of knowledge or inference of the user’s commission or alleged commission of any crime, such as information indicating that a user has a criminal record.|
|Gambling||For purposes of this Targeting Policy, a gambling-related Ad (“Gambling Ad”) means the following:
§ Any Ad that promotes, directly or indirectly, online (Web or mobile) and offline (land-based or “brick and mortar” casinos, betting shops, card rooms or other gambling establishments) gambling, gaming, betting or wagering of any kind, whether for cash prizes or other things of value, including but not limited to casino games, poker, sports betting (whether individual or parlay wagering), pari-mutuel wagering or “betting pools” (including horse racing, dog racing, and jai alai), lotteries, raffles, sweepstakes, penny auctions, and fantasy sports.
§ Any Ad that otherwise relates in any way to the foregoing activities, including Ads for promotional products, services or materials, including education, “learn to play,” “practice” and other free simulation Digital Properties affiliated with online or offline gambling or wagering sites or facilities.
Gambling Ads may be targeted to users in jurisdictions where such Ads are not prohibited so long as you comply with the following requirements:
§ You and, if you are an advertising agency, the end advertiser currently hold all required licenses, permits, registrations, waivers, consents or other governmental approvals (collectively, “Licenses”) to operate in the jurisdictions in which the Gambling Ad is served and in any other jurisdictions in which you and the advertiser operate.
§ You and, if you are an advertising agency, the end advertiser are in compliance with and agree to remain in compliance with all applicable laws and the terms of all applicable Licenses.
§ You and, if you are an advertising agency, the end advertiser agree not to serve Gambling Ads in any jurisdiction specifically prohibited by this Targeting Policy, as such may be updated from time to time.
|Health||Note regarding Health Data Targeting: new federal legal restrictions mean some conditions may be reclassified as sensitive and the above NAI guidelines may be revised.
Please consult your own legal counsel before proceeding.
Health-related advertising (advertising health-related products and services or targeting advertisements based on health-related data) is highly regulated by government and industry. Given the large number of jurisdictions in which MediaMath operates and the myriad of health products and services that exist, it is beyond the scope of this Targeting Policy to define on a jurisdiction-by-jurisdiction basis what constitutes acceptable health advertising. Rather, the guidelines below should be considered a US baseline for use of the Services, with other jurisdictions generally being more restrictive. In particular, please note that under the IAB UK’s “Digital advertising guidance: special category data under the GDPR”, a company seeking to create or use such OBA segments relying on use of special category personal data as defined under Article 9.2 of GDPR must ensure it has “met all other relevant requirements for processing special category data including having a process for obtaining explicit consent (in addition to any consent you may need to obtain to process personal data under Article 6 of the GDPR, and/or to meet the requirements in PECR) before doing so”. As always, clients assume all responsibility for ensuring their advertising is legal in all jurisdictions and acceptable on all exchanges where they intend to advertise. You may not target IBA, CAA, Retargeting, or User-Matched Ads to users on the basis of sensitive health information (“Sensitive Health Data”) without their specific opt-in consent. MediaMath must review and approve your consent mechanism before you may target such Ads to those users on the basis of Sensitive Health Data. Per the NAI Code, Sensitive Health Data includes: (i) information about any past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history, based on, obtained, or derived from pharmaceutical prescriptions or medical records, or similar health or medical sources that provide actual knowledge of a condition or treatment (the source is sensitive) and (ii) information, including inferences, about sensitive health or medical conditions or treatments (the condition or treatment is sensitive regardless of the source). The relevant factors in determining whether a health condition is sensitive include:
§ The seriousness of the condition
§ How narrowly the condition is defined
§ Its prevalence
§ Whether it is something that an average person would consider to be particularly private in nature
§ Whether it is treated by over-the-counter or prescription medications
§ Whether it can be treated by modifications in lifestyle as opposed to medical intervention
Examples of sensitive health conditions include:
§ Drug addiction
§ Mental health related conditions, including:
§ Generalized anxiety disorder
§ Pregnancy termination
§ Sexual dysfunction
§ Sexually transmitted diseases
You may target IBA, CAA, Retargeting, or User-Matched Ads to users on the basis of their known or inferred interest in a non-sensitive health condition. Per the NAI Code, examples of non-sensitive health conditions include:
§ Back pain
§ Cholesterol management
§ Cold and flu
§ First aid
§ General interest segments, including:
§ Men’s health
§ Women’s health
§ Senior health needs
§ Children’s health
§ Hair removal
§ Health and fitness
§ High blood pressure
§ Sore throat
§ Vitamins and supplements
You may target IBA, CAA, Retargeting, or User-Matched Ads concerning all health conditions to users on the basis of demographic data (e.g., age, gender).
You may also serve Contextual Ads concerning all health conditions. Contextual Ads are Ads that are targeted on the basis of the content of the digital property the user is currently visiting.
If you are unsure of whether a particular health condition or treatment is sensitive, contact your MediaMath account representative before targeting users on the basis of their interest in that condition or treatment.
MediaMath clients may not serve ads in any jurisdictions where sanctions imposed by the US Office of Foreign Assets Control (OFAC) would prohibit such advertising.Precise Location
Precise Location Data (“Precise Location Data”) is information that describes the precise geographic location of a device derived through any technology that is capable of determining with reasonable specificity the actual physical location of a person or device. Examples of Precise Location Data include:§ A user’s GPS-level latitude/longitude coordinates (often based on information received from a user’s mobile device)§ Location-based Wi-Fi triangulation§ A user’s presence at a specific location or shop (e.g., received from a Bluetooth beacon associated with a specific location)Geofencing
Consistent with the NAI Code, you are permitted to target Ads based on the precise location of the device at the time the Ad is served (“geofence”) so long as you do not store the precise location once the ad is served or delivered. Such geofencing may not target:§ A geographic area smaller than 785,398 meters² (the area of a circle with a radius of 500 meters). For example, you may not place a 100-meter circular geofence around one individual coffee shop. However, you may geofence all coffee shops in New York City, because the total area geofenced would be greater than 785,398 meters².§ Exception: You may target a smaller geographic area provided the location is a very high-density venue. For example, you may target a 100-meter radius around Yankee Stadium during a game because the stadium has a seating capacity of over 50,000.§ A personal address. Only business addresses (e.g., Disneyworld, or 4 World Trade Center) or public locations (e.g., Central Park) may be used as the locations around which ads are targeted.§ Locations designed for children, including locations such as:§ Day care centers§ Playgrounds
§ Schools below the college level (preschools, primary schools, and secondary schools)
§ Tutoring and educational services
§ Youth organizations
§ Locations designed for survivors of abuse, including locations such as:
§ Rape crisis centers
§ Women’s shelters
§ Locations associated with pregnancy, sexual health, sexual orientation, or sensitive health conditions, such as:
§ Abortion clinics
§ Alcohol and drug services
§ Healthcare or other facilities with an emphasis on pregnancy, sexual health, or sensitive health conditions. Clients may geofence locations such as primary care and other facilities which are beyond a shadow of a doubt “general” and which would contain patients or consumers representing a wide variety of health conditions.
§ LGBT centers and venues
§ In the EU: Any locations which reveal information about health or sex life
§ Locations that imply negative financial status, such as check cashing facilities
§ Locations that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, such as:
§ Trade union offices
The above limitations do not apply to more general targeting that includes sensitive locations by nature of its breadth. For example, clients may target New York City, even though there are sensitive health facilities in New York City.
MediaMath reserves the right to require a client to broaden or discontinue its targeting if MediaMath in its sole discretion determines that the targeting may create a negative user experience or is otherwise inappropriate.
Targeting Ads Based on Historic Precise Location Data
For jurisdictions outside the US, you must contact your MediaMath representative before serving IBA, CAA, Retargeting, or User-Matched Ads on the basis of Precise Location Data.
|Piracy||Clients may not knowingly target content MediaMath reasonably believes (a) contains content that does, or is likely to, infringe or misappropriate a copyright, trademark, trade secret, or patent of a third party or (b) promotes or induces infringement or misappropriation of a copyright, trademark, trade secret, or patent of a third party. MediaMath reserves the right to immediately remove and prevent any targeting of such content whether intentional or not.|
|Political Affiliation or Beliefs||Political Ads in the United States may not be targeted at audiences smaller than the following number of devices according to the scope of the applicable candidate or initiative:
o National (e.g., general presidential elections) – 500,000
o State-level (e.g., presidential primaries, the election of federal senators or state governors, and state ballot initiatives) – 500,000 or 10% of the state population, whichever is lower
o Local-level (e.g., the election of state senators or local officials, local ballot initiatives) – 10,000
o Notwithstanding the foregoing, targeting based on geographic location down to and including ZIP code-level targeting (but not ZIP+4 or radius around a location) is allowed even though the target population may be considerably less than the above.
o Exceptions to any of the above may be requested via your account manager and must be approved in advance by MediaMath’s Data Policy & Governance team.
Political Ads in other countries must not be targeted at audiences smaller than comparably sized audiences relative to the population.
Political Ads in other countries must not be targeted at audiences smaller than comparably sized audiences relative to the population. For the purposes of this Targeting Policy, Ads related to a user’s political affiliation or beliefs (“User-Targeted Political Ads”) shall include IBA, CAA, Retargeting, or User-Matched Ads that promote: (i) political figures, opinions, or issues, such as Digital Properties for political candidates, (ii) political groups, (iii) political cause awareness, (iv) advocacy groups, or (v) union memberships.
You may not target User-Targeted Political Ads to users that reside in the European Union or the United Kingdom. You must contact your MediaMath representative before serving User-Targeted Political Ads to users that reside in other non-US jurisdictions.
User-Targeted Political Ads are generally permissible in the US. MediaMath reserves the right to limit or prohibit User-Targeted Political Ads involving particularly sensitive issues (e.g., abortion, sexual orientation, etc.). MediaMath reserves the right to review, request modifications to, or reject any User-Targeted Political Ad at its sole discretion. However, such discretion will not be exercised with the intent to favor or disfavor any particular candidate or political party.
|Race & Ethnicity||In the US generally, unless prohibited by applicable US State laws, you may serve IBA, CAA, Retargeting, or User-Matched Ads to users on the basis of their known or inferred race or ethnic origin.
In the European Union and the United Kingdom, you may not serve such Ads to users.
|Religion||In the US generally, unless prohibited by applicable US State laws, you may serve IBA, CAA, Retargeting, or User-Matched Ads to users on the basis of their known or inferred religion or religious beliefs.
In the European Union and the United Kingdom, you may not serve such Ads to users.
|Sexual Orientation||You are not permitted to target IBA, CAA, Retargeting, or User-Matched Ads to users based on their known or inferred sexual orientation, including indirect inference (e.g., donation to LGBT advocacy groups), without their specific opt-in consent. MediaMath must review and approve your consent mechanism before you may target such Ads. Clients interested in having MediaMath review such a mechanism should reach out to their MediaMath account manager.|
Thank you for your interest in the MediaMath Beta Program. Participation in a Beta Program is voluntary and allows you to test and provide feedback on developing/pre-release features, products, and services which shall be designated as “beta” (the “Beta Services”). Participation in the Beta Program includes early access to beta product functionality, the opportunity to gain knowledge of performance impact and develop best practices ahead of others and the ability to influence the early development and direction of a product. By accessing or using Beta Services, you agree to be bound all of the terms and conditions described in this Beta Policy and to actively engage in the testing and feedback process.
NO OBLIGATIONS: You acknowledge and agree that a Beta Service may contain features that will be altered in the final release of the same or similar Service and that availability of any Beta Services during the course of a Beta Program shall not create any obligation for MediaMath to continue to develop, productize, support, repair, offer for sale or in any other way continue to provide or develop any Beta Service. While we may intend to release a final version of a certain Beta Service, we reserve the right to never make any particular Beta Service generally available. You further acknowledge the duration of the beta phase and any features and functions of a Beta Service are subject to change at any time at MediaMath’s discretion.
FEEDBACK: An essential function of the Beta Program is to gather feedback from participants. We value all input from all participants in the Beta Program. You agree that you will use reasonable commercial efforts to use the Beta Services, notify MediaMath of all errors and problems you identify through your use of any Beta Services and that you will attempt to ascertain steps leading to reproduction of any such errors. You also agree that you will communicate to MediaMath any suggestions or requests for enhancements relating to the operation or further development of a Beta Service and that by doing so you assign all right, title and interest in and to any resulting intellectual property based upon such suggestions or requests, including without limitation all patent, copyright, trade secret, trademark or other intellectual property rights. You acknowledge that MediaMath is not obligated to accept and implement any feedback provided by you and that the use of such feedback is solely in MediaMath’s discretion.
OWNERSHIP: Subject to the limited rights expressly granted hereunder, MediaMath reserves all rights, title and interest in and to the Beta Services and any anonymized aggregated data resulting from your use of the Beta Services, including all related intellectual property rights therein and thereto. No rights are granted to you other than the right to access and use the Beta Services for the purposes of testing and evaluation. You may not create any derivative works from the Beta Services or modify, reuse, disassemble, decompile, reverse engineer or otherwise translate any Beta Services or any portion thereof. You also may not access Beta Services in order to build a competitive product or service.
MARKETING: You agree that MediaMath may use your name and associated marks in its marketing materials solely with respect to marketing Beta Services used by you, which shall include white papers, case studies and press releases.
PAYMENTS & PRICING: Certain Beta Services may incur a fee, which will be invoiced to you in accordance with your Master Services Agreement with MediaMath. You agree and acknowledge that you shall be liable for all fees incurred in connection with your use of a Beta Service even in the event of an error in the Beta Services affecting the performance of the Beta Service (other than a billing error), or Other than a billing error or tracking error resulting in an erroneous fee, you shall remain liable for all fees incurred with your usage of the Beta Service, including in the event of an error in the Beta Services that affects the performance or outcome of the Beta Service. Unless otherwise agreed to by you and MediaMath, fees for any Beta Service are subject to change during the beta period and after such beta period.
CONFIDENTIALITY: You agree to treat all Beta Services, as well as the nature and content of the Beta Program, as confidential information and will not without our express written authorization: (i) demonstrate, copy, market, sell or otherwise commercially exploit any features or functions of any Beta Services to any third party; (ii) publish or otherwise disclose information relating to performance or quality of any Beta Services to any third party; or (iii) remove or alter any trademark, logo, copyright or other proprietary notices, legends, symbols or labels in the Beta Services.
NO WARRANTY: THE BETA SERVICES BEING ACCESSED BY YOU CONSIST OF PRE-RELEASE CODE, MAY CONTAIN ERRORS, BUGS OR DEFECTS AFFECTING PROPER OPERATION OR FULL FUNCTIONALITY, MAY EXPERIENCE PERFORMANCE ISSUES, CRASHES, OR DATA LOSS, AND IS NOT AT THE LEVEL OF PERFORMANCE OF A GENERALLY AVAILABLE SERVICE. BY USING BETA SERVICES, YOU ACKNOWLEDGE YOUR UNDERSTANDING THAT A PRIMARY PURPOSE OF THIS BETA PROGRAM IS TO OBTAIN FEEDBACK ON PERFORMANCE AND IDENTIFY DEFECTS. YOU ARE ADVISED TO SAFEGUARD IMPORTANT DATA, AND NOT TO RELY IN ANY WAY ON THE CORRECT FUNCTIONING OR PERFORMANCE OF BETA SERVICES. BETA SERVICES ARE provided “AS IS” without warranty of any kind AND ANY WARRANTIES TO THE EXTENT AUTHORIZED BY LAW, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE. In no event shall MEDIAMATH be liable for any damage whatsoever arising out of the use of or inability to use THE BETA SERVICES, even if YOU HAVE been advised of the possibility of such damages.
DATA PROTECTION POLICY
This policy takes effect on the Effective Date below and shall be incorporated by reference into and form an integral part of your agreement with MediaMath, Inc. or any of its Affiliates (“MediaMath”) (the “Agreement”) unless a separate data processing agreement has been agreed between the parties. In the event of any conflict, ambiguity or inconsistency between the terms of this Policy including its Schedule A and the Agreement, Schedule A then this Policy then the Agreement shall take precedence with respect to the subject matter herein.
1. Definitions: The following terms shall have the following meanings in this Policy:
“Ad(s)” means the advertising content, including text, graphics, rich media, video and/or audio material (and combination thereof), that is displayed on digital media inventory.
“Ad Tag” means software code (e.g., HTML5) or a web beacon (e.g., pixel tag, clear GIF) that (i) collects data regarding a user’s actions in or on a Site or a user’s interaction with an Ad or (ii) requests the delivery of an Ad to a Site.
“Advertiser Data” means Client Data.
“Affiliate” means, with respect to a party, an entity that directly or indirectly controls, is controlled by or is under common control with such party. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the economic or voting interest of an entity.
“Applicable Laws” means all laws and regulations which apply to each party in connection with the Agreement, the performance and receipt of the Services, the use of the Service Platform and the processing of Client Data, MediaMath Data and any related personal data, to include without limitation European Law, Section 5 of the FTC Act, California Consumer Privacy Act (“CCPA”) and any applicable industry self-regulatory regulations, to include without limitation the NAI Code and the DAA Code.
“Client Data” means all electronic data which is provided to MediaMath by Client as part of the Services or which is provided or made available to Client by MediaMath or its Affiliates through Client’s use of the Services, including personal data contained therein (including any data which is specific to Client), but excluding the MediaMath Data.
“Client DSR” means a DSR which is received direct by MediaMath and refers explicitly to Client.
“Controller Purposes” means Client Controller Purposes or MediaMath Controller Purposes as defined in Schedule A.
“DAA Code” means the set of Digital Advertising Alliance Self-Regulatory Principles for Multi-Site Data posted at http://www.aboutads.info/msdprinciples (or any successor site) such as the Application of the Self-Regulatory Principles of Transparency and Control to Data Used Across Devices, and its applicable regional counterpart, if any.
“Data Subject Request or DSR” means a request from an individual exercising a Data Subject Right.
“Data Subject Right” means subject access rights, the right to rectify, port personal data, object to the processing and automated processing of personal data and restrict the processing of personal data to the extent allowed under Applicable Laws.
“Europe” means the European Economic Area (which shall be deemed to include the United Kingdom throughout the term of the Agreement).
“Effective Date” means the 27 June 2021.
“European Law” means Regulation 2016/679 (GDPR); (iii) Directive 2002/58/EC (as amended or replaced from time to time) and applicable laws implementing that directive in Member States; and, (iv) any data protection and privacy laws in the United Kingdom from time to time. References in this Policy to “controller“, “data subject“, “personal data“, “process“/”processed“/processing“, “processor” and “special categories of personal data” shall have the meanings given in European Law.
“Licensee Data” means Client Data.
“MediaMath Controller Purposes” means as defined in Schedule A.
“MediaMath Data” means all data generated from Client’s use of the Services (and other clients and partners of MediaMath and its Affiliates) (including any MMUIDs) that does not specifically identify or relate to Client; any data made available by MediaMath for targeting users; the data relating to any error by, issue with, or enhancement to the operation of the Services and the data that MediaMath would have regardless of Client’s use of the Services.
“MediaMath DSR” means a DSR which is received direct by MediaMath and does not explicitly refer to Client.
“MMUID” means any unique identifier which is created, assigned or retained by MediaMath in respect of each user who interacts with a Site.
“NAI Code” means the Code of Conduct promulgated by the Network Advertising Initiative (“NAI”), located at the following website, or any successor website: https://thenai.org/wp-content/uploads/2021/07/nai_code2020.pdf including any official guidance provided by the NAI such as the NAI 2015 Guidance on Determining Whether Location is Imprecise.
“PII” means information that identifies or could be used to identify a particular individual as compared to a particular device such as name, address, telephone number, email address, financial account number, government-issued identifier or date of birth.
“Processing Activities” means as defined in Schedule A.
“Security Incident” means in relation to Client Data or MediaMath Data a breach of security resulting in (i) accidental or unlawful destruction or loss, or (ii) unauthorized disclosure or access.
“Sensitive Information” means: (i) any information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (ii) genetic data; (iii) biometric data for the purposes of uniquely identifying a natural person; (iv) data concerning sensitive health conditions; (v) data concerning a natural person’s sex life or sexual orientation; (vi) any personal data about a minor under the age of 13; (vii) any financial account numbers or insurance plan numbers that can be used to identify an individual; (viii) any government-issued identifiers; or (ix) characteristics deemed sensitive under the NAI Code. In Schedule A the definition of Sensitive Information shall be as above, except that it will also include any personal data about minors between the ages of 13 and 16.
“Service Platform” means MediaMath’s proprietary software known as Future Proofed Platform™ or any other software platform MediaMath may make available to Client.
“Services” means all services available on the Service Platform or otherwise agreed to by MediaMath pursuant to an applicable Order Form or SOW.
“Site” means a digital property that is accessible by users (including websites, mobile sites and software applications).
- Client Security.Client shall be responsible for maintaining the confidentiality of any login credentials, of appropriately limiting dissemination of the login credentials to its employees, contractors or agents, and for using commercially reasonable efforts and appropriate technological and organizational measures to prevent unauthorized access to the Service Platform. Client shall maintain current records of all individuals to whom it allows access to the Service Platform and shall provide identifying information regarding such individuals to MediaMath upon request.
- This Policy shall be governed, construed and enforced in accordance with the laws of the Agreement.
European Law Requirements
- As used in this Schedule A, the following terms shall have the following meanings:
“Client Controller Purposes” means for the purposes of receiving the Services; and as is more particularly described at www.mediamath.com/legal/processingpurposes.
“Model Clauses” means the EU SCCs populated with the information described in the Annex to this Schedule A. References to “Module One” and “Module Two” have the meaning outlined in the Model Clauses.
“MediaMath Controller Purposes” means improving and enhancing the Services, including identifying, blocking and removing data considered to be unlawful or fraudulent; the bidding process; and as is more particularly described at www.mediamath.com/legal/processingpurposes.
“Privacy Shield” means the EU-US Privacy Shield and the Swiss-US Privacy Shield as applicable.
“Processing Activities” means processing Ad Tags placed by or on behalf of Client and as more particularly described at www.mediamath.com/legal/processingpurposes.
“SCCs” means: (i) the standard contractual clauses and its appendices in European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 relating to transfers of personal data to third countries pursuant to Regulation (EU) 2017/679 and any successor clauses issued from time to time by the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction, in each case, in relation thereto (the “EU SCCs”) and (ii) standard data protection clauses issued by the UK Information Commissioner under section 119A(1) of the 2018 Data Protection Act referred to as the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0 as may be updated from time to time (the “UK IDTA”).
2. The rights and obligations in this Schedule A apply to the collection, processing and sharing of personal data originating in the EEA by and between MediaMath, Client and certain third parties (e.g. subprocessors including Affiliates of MediaMath). For the purposes of this Schedule A references to Client Data shall mean any personal data incorporated in Client Data and references to MediaMath Data shall mean any personal data incorporated in MediaMath Data.
3. General Obligations.
a. Both parties will comply with all applicable requirements of European Law.
b. Client will ensure that it has all necessary and appropriate consents and notices in place to enable the lawful transfer of Client Data to MediaMath for the duration and purposes of this Agreement.
4. Appointment of MediaMath as Client’s Processor.
a) The parties acknowledge that for the purposes of European Law, Client is the data controller of Client Data and appoints MediaMath as its data processor for the Processing Activities.
b) MediaMath shall, in relation to any Client Data processed for the Processing Activities in connection with the performance by MediaMath of its obligations under this Agreement:
i) process that Client Data only in accordance with the Processing Activities (or as otherwise agreed in writing);
ii) ensure that all personnel who have access to and/or process Client Data are obliged to keep Client Data confidential;
iii) process Client Data transferred out of Europe in accordance with the Privacy Shield principles;
iv) assist Client, at Client’s cost, in responding to any DSR from a data subject received directly by the Client and in ensuring compliance with its obligations under European Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
v) notify Client without undue delay upon becoming aware of any confirmed Security Incident relating to Client Data;
vi) upon written request of Client, delete or return Client Data and copies thereof to Client on termination of the Agreement unless required by a judicial or other governmental order or by applicable law to retain some or all Client Data. This requirement shall not apply to Client Data MediaMath has archived on back-up systems; and
vii) maintain accurate records and information to demonstrate its compliance with this clause 4(b) of this Schedule A.
c. Client consents to MediaMath appointing subprocessors to process Client Data, such subprocessors will be listed at mediamath.com/legal/subprocessorswhich MediaMath shall update with any details of any changes at least 10 days prior to the change. MediaMath confirms that it has entered or (as the case may be) will enter with the subprocessor into a written agreement requiring it to protect Client Data to the standard required by European Law. As between Client and MediaMath, MediaMath shall remain fully liable for all acts or omissions of any subprocessor appointed by it pursuant to this clause 4(c) of this Schedule A. Client may object to the replacement of a subprocessor provided such objection is on reasonable grounds. If Client objects to such appointment and is unable to select an alternative subprocessor then Client may terminate the applicable Services provided in the EEA without prejudice to Client’s obligations to pay any fees under this Agreement due up to the date of termination of such Services (or subsequent pro-rated fees).
d. MediaMath uses external auditors to verify the adequacy of its security measures, including the security of the physical data centres from which the Services are provided. The audit: (a) will be performed at least annually; (b) will be performed according to SSAE 16 audit standard or such other alternative standard that is substantially equivalent to SSAE 16; (c) will be performed by independent third party security professionals at MediaMath’s selection and expense; and (d) will result in the generation of an audit report which will be MediaMath’s Confidential Information. MediaMath shall provide Client with a copy of the report upon written request.
e. Notwithstanding the commitment provided by MediaMath in clause 4(b)(iii) above, MediaMath and Client agree that for the purposes of any transfer of Client Data out of Europe, to MediaMath to process for the Processing Activities:
- the Module Two Model Clauses shall be incorporated into this Agreement between them, and;
- the Module Two Model Clauses shall be interpreted in accordance with the details provided in Annex 1 to this Schedule A; and
- the Module Two Model Clauses shall be amended by the UK IDTA, as interpreted with the details provided in Annex 2 to this Schedule A for the purpose of transfers from the UK.
- the Module Two Model Clauses shall be incorporated into this Agreement between them, and;
5. Sharing of Personal Data between Client and MediaMath as Controller.
a. Client shall disclose Client Data to MediaMath on an independent controller to controller basis for the MediaMath Controller Purposes.
b. MediaMath shall, in relation to any Client Data processed for MediaMath Controller Purposes:
i) process Client Data only for the MediaMath Controller Purposes (or as otherwise agreed in writing) and in respect of any Client Data transferred out of the EEA, in accordance with the Privacy Shield principles;
ii) ensure that all personnel who have access to and/or process Client Data are obliged to keep Client Data confidential;
iii) promptly inform Client of any request from a supervisory authority or regulator related to the processing of Client Data conducted by MediaMath and cooperate as necessary to respond to such correspondence and fulfil each parties’ respective obligations under European Law;
iv) notify Client without undue delay on becoming aware of any confirmed Security Incident relating to Client Data; and
v) maintain accurate records and information to demonstrate its compliance with this clause 5(b) of this Schedule A.
vi) Notwithstanding the commitment provided by MediaMath in clause 5(b)(i) above, MediaMath and Client agree that for the purposes of the transfer of Client Data outside of Europe, to MediaMath to process for the MediaMath Controller Purposes:
vii) the Module One Model Clauses shall be incorporated into this Agreement between them;
viii) the Module One Model Clauses shall be interpreted in accordance with the details provided in Annex 1 to this Schedule A; and
ix) the Module One Model Clauses shall be amended by the UK IDTA, as interpreted with the details provided in Annex 2 to this Schedule A for the purpose of transfers from the UK.
6. Sharing of Personal Data between MediaMath and Client as Controller.
a. MediaMath will through performance of the Services make available MediaMath Data to Client on an independent controller to controller basis for Client Controller Purposes.
b. Client shall, in relation to any MediaMath Data processed for Client Controller Purposes:
i) process MediaMath Data only for Client Controller Purposes (or as otherwise agreed in writing) and in accordance with the level of protection required by European Law (and if Client fails to do so, it will promptly notify MediaMath in writing and remedy the breach or MediaMath will have the right to suspend the Services and/or terminate the Agreement);
ii) maintain appropriate technical and organizational measures and commercially reasonable and appropriate administrative and physical, measures for the security and confidentiality of MediaMath Data from a Security Incident;
iii) ensure that all personnel who have access to and/or process MediaMath Data are obliged to keep such MediaMath Data confidential;
iv) not process any MediaMath Data in a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with European Law;
v) promptly inform MediaMath of any request from a data subject, supervisory authority or regulator related to the processing conducted by Client and cooperate as necessary to respond to such correspondence and fulfil each parties’ respective obligations under European Law;
vi) notify MediaMath without undue delay on becoming aware of any confirmed Security Incident involving MediaMath Data; and
vii) maintain accurate records and information to demonstrate its compliance with this clause 6(b) of this Schedule A.
c. MediaMath and Client agree that for the purposes of any processing of MediaMath Data outside of Europe, by Client for Client Controller Purposes:
i) The Module One Model Clauses shall be incorporated into this Schedule A between them;
ii) The Module One Model Clauses shall be interpreted in accordance with the details provided in Annex 1 to this Schedule A; and
iii) the Module One Model Clauses shall be amended by the UK IDTA, as interpreted with the details provided in Annex 2 to this Schedule A for the purpose of transfers from the UK.
7. Disclosures to Authorities.
MediaMath shall be entitled to provide a copy of this Schedule A and any other provisions of this Agreement to the US Department of Commerce, the Federal Trade Commission, any supervisory authority or regulator on their request (notwithstanding any other provision of this Agreement).
Annex 1 to Schedule A
Interpretation of Model Clauses
- This Annex sets out the parties agreed interpretation of their respective obligations under the applicable Module One and Module Two Model Clauses for transfers incorporated between them by Schedule A (together the “Model Clauses”).
- In the event that a competent supervisory authority or court of competent jurisdiction determines that any provision of this Annex conflicts with the requirements of the applicable Model Clauses, then the terms of the applicable Model Clauses shall prevail.
- As between MediaMath and Client, any claims brought under the applicable Model Clauses or Schedule A shall be subject to the terms of the Agreement, including but not limited to, the exclusions and limitations set forth in the Agreement. In no event shall either MediaMath or Client limit or exclude its liability with respect to any data subject rights under the applicable Model Clauses.
- The parties agree that for the purposes of transfers of Client Data to MediaMath under the Module One and Module Two transfers, in particular Annex I, Annex II and Annex III, the following details shall apply:
|Data exporter:||Client, Contact details: as specified in an Order Form or SOW|
|Data exporter role:||Controller – as specified in the Processing Purposes Table.|
|Data importer:||MediaMath, Contact: DPO, Contact Details: 4 World Trade Center, New York, New York 10007, USA, +1 646-840-4200; firstname.lastname@example.org|
|Data importer role:||Controller and Processor – as specified in the Processing Purposes Table.|
|Categories of data subjects:||Individuals who visit Client’s digital properties (websites or mobile advertising platforms) or are served with digital advertising on behalf of the data exporter through the use of MediaMath’s advertising technology platform.|
|Categories of data transferred:||As described in Column 3 of MediaMath’s processing purposes table https://www.mediamath.com/legal/processingpurposes/ (the “Processing Purposes Table”) (no special category or sensitive data).|
|Purposes of the transfer(s):||The activities undertaken by MediaMath on behalf of the Client are set out in column 4 and 5 of the Processing Purposes Table.|
|Frequency||Daily in response to Client site and impression events.|
|Retention||Retained in accordance with Client and MediaMath’s respective data retention policies.|
|Governing law and Competent Supervisory Authority:||The competent supervisory authority, in accordance with Clause 13 of the EU SCCs will be, for Data protected by the EU GDPR the Berlin Commissioner for Data Protection and Freedom of Information of the German Data Protection Authorities (German DPAs) and for Data protected by the Swiss DPA, the Federal Data Protection and Information Commissioner (FDPIC). With respect to UK data, the competent supervisory authority is the Information Commissioners Office (the “ICO”).|
|Technical and organisational security measures:||A description of the technical and organisational security measures implemented by the MediaMath are set out at https://www.mediamath.com/legal/terms/information-security/|
|Recipients and Subprocessors||MediaMath, its affiliates and its subprocessors engaged by the data importer to support its digital advertising services in accordance with Article 28 GDPR and its partners where necessary in connection with its digital advertising services. Additional subprocessors as listed at https://www.mediamath.com/legal/subprocessors/|
- The parties agree that for the purposes of transfers of MediaMath Data to Client under the Module One Model Clauses, in particular Annex I, Annex II and Annex III, the following details shall apply:
|Data exporter:||MediaMath, Contact: DPO, Contact Details: 4 World Trade Center, New York, New York 10007, USA, +1 646-840-4200;
|Data exporter role:||Controller – as specified in the Processing Purposes Table.|
|Data importer:||Client, Contact details: as specified in an Order Form or SOW|
|Data importer role:||Controller – as specified in the Processing Purposes Table.|
|Categories of data subjects:||Individuals who visit the digital properties (websites or mobile advertising platforms) of MediaMath’s clients or served ads through the data exporter’s advertising technology platform.|
|Categories of data transferred:||As described in Column 6 of the Processing Purposes Table (no sensitive or special category data).|
|Purposes of the transfer(s):||For Client to process the MediaMath Data as an independent controller for certain Client Controller Purposes as more particularly described in Column 7 of the Processing Purposes Table.|
|Retention||Retained in accordance with Client and MediaMath’s respective data retention policies.|
|Competent Supervisory Authority:||The competent supervisory authority, in accordance with Clause 13 of the EU SCCs will be, for Data protected by the EU GDPR the Berlin Commissioner for Data Protection and Freedom of Information of the German Data Protection Authorities (German DPAs) and for Data protected by the Swiss DPA, the Federal Data Protection and Information Commissioner (FDPIC). With respect to UK data, the competent supervisory authority is the ICO.|
|Recipients and Subprocessors||Client, its affiliates and its subprocessors engaged by the Client to support its digital advertising services in accordance with Article 28 GDPR and its partners where necessary in connection with its digital advertising services.|
6. Model Clauses
In addition to the above, the parties agree that the Model Clauses for Module One and Module Two transfers will be interpreted as follows:
a) In Clause 7, the optional docking clause will apply;
b) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be 10 days;
c) in Clause 11, the optional language will not apply;
d) in Clause 17, Option 1 will apply, and the EU SCCs shall be governed by the laws of Berlin, Germany;
e) in Clause 18(b), disputes shall be resolved before the courts of Berlin, Germany;
f) For the purposes of Clause 8.5(a), (b) and (c), as well as Annex II of the EU SCCs, the parties agree to the security measures described in the relevant table above;
g) For the purposes Clause 8.6(a), as well as Annex II of the EU SCCs, the parties agree to the security provisions contained in the relevant table above.
h) For the purposes of Clause 8.5 (d), (e) and (f), where MediaMath is required by a respective clause in the EU SCCs or is otherwise legally compelled to notify the data subjects or the competent supervisory authority of a personal data breach, MediaMath will first provide Client with the details of the notification permitting Client to have prior written input into the respective notification, where Client desires to do, and without delaying the timing of the notification unduly.
7. In relation to MediaMath Data or Client Data that is protected by the UK GDPR, the EU SCCs as implemented in accordance with Schedule A above shall apply as amended by the UK IDTA and interpreted in accordance with Annex 2 to Schedule A.
8. In relation to Data that is protected by the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”), the EU SCCs as implemented in accordance with Schedule A above will apply provided that references in the EU SCCs to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA, references to “EU”, “Union” and “Member State law” shall be interpreted as references to Swiss law, and references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the relevant data protection authority and courts in Switzerland.
9.Transfer Impact Assessment between the EU and the UK to the USA. MediaMath are not subject to EO 12333, because EO12333 only applies to US federal agencies. However, like all businesses that provide computer processing services anywhere in the world and that are subject to the jurisdiction of the United States, MediaMath is subject to FISA Section 702, which the US government relies upon to access data related to national security issues without regard to the physical location of the data (for example, data stored in the EU is subject to disclosure under FISA Section 702). Although the US government in theory could seek access to data by serving a FISA warrant on MediaMath, the US government typically serves FISA warrants on telecommunications companies or providers of services or equipment designed specifically to facilitate communications (for example, AT&T, Verizon, Facebook, Twitter, etc.). To that point, MediaMath have never received a FISA warrant and does not anticipate being compelled to disclose any data pursuant to FISA Section 702. MediaMath hereby confirms that due to the nature and architecture of its Platform, it is not feasible to limit processing services to a data centre located in the EU. MediaMath will monitor updated guidance from data protection authorities and incorporate such guidance as appropriate into a robust privacy and security program that evolves with the changing legal and regulatory landscape.
10. The Model Clauses shall be treated as Confidential Information for the purposes of this Agreement, and may not be disclosed by MediaMath or Client to any third party except where and to the extent permitted by the Agreement. This shall not prevent disclosure of the Model Clauses to a data subject or a supervisory authority pursuant to the Model Clauses.
11. In the event that Client wishes to terminate the Model Clauses, then Client shall endeavour to provide notice to MediaMath and provide MediaMath with thirty (30) days to cure the non-compliance (“Cure Period”). If after the Cure Period, MediaMath has not or cannot cure the non-compliance, then Client may terminate the Agreement immediately in accordance with the termination provisions of this Agreement. Client shall not be required to provide such notice in circumstances where it considers there is a material risk of harm to data subjects or their personal data.
12. The audit provisions at section 4(d) of Schedule A (“Audit Provisions”), shall also govern audit rights under the Model Clauses. In the event that Client wishes to exercise its audit rights under the Model Clauses, provided that this section does not conflict with Clause 13(b) of the Model Clauses for Module One and Module Two, then the Audit Provisions will exclusively govern Clients’ and MediaMath’s obligations with respect to such audits
13. The sub-contracting provisions set out in Schedule A (“Sub-Contracting Provisions”), shall also govern subcontracting rights under the Model Clauses. In the event that MediaMath wishes to engage a sub-processor under the Model Clauses then, provided that MediaMath complies with the requirements of the Sub-Contracting Provisions, Client shall deem MediaMath to have complied with its sub-processing obligations of the Model Clauses.
14. MediaMath shall be deemed to have complied with the Model Clauses to the extent that it shall (on a confidential basis), if requested by Client, provide to Client all information it reasonably can in connection with any onward subprocessing agreement it concludes under the Model Clauses.
15. For the purposes of the Model Clauses, the parties acknowledge that Client Data may be archived by MediaMath on back-up systems for security and business continuity purposes. Deletion of such archived Client Data shall be in accordance with MediaMath’s standard archival procedures, provided that MediaMath warrants that it will guarantee the confidentiality of the relevant Client Data and will not actively process it anymore.
Annex 2 to Schedule A
Interpretation of UK IDTA
- This Annex 2 sets out the parties agreed interpretation of the UK IDTA, and its amendments to the operation of the EU SCCs for transfers of personal data to and from the United Kingdom.
- In the event that the UK Information Commissioner or courts of England and Wales determines that any provision of this Annex 2 conflicts with the requirements of the UK IDTA, then the terms of the UK IDTA shall prevail.
- As between MediaMath and Client, any claims brought under the UK IDTA or Schedule A shall be subject to the terms of the Agreement, including but not limited to, the exclusions and limitations set forth in the Agreement. In no event shall either MediaMath or Client limit or exclude its liability with respect to any data subject rights under the UK IDTA.
- The parties agree that for the purposes of Table 1 of the UK IDTA, the parties and their operation as either Controller or Processor shall be as set out in Annex 1.
- The parties agree that for the purposes of Table 1 of the UK IDTA, the nominated contacts shall be:
a) For MediaMath, the Data Protection Officer with email address email@example.com; and
b) For Client, as specified in an Order Form or SOW.
- The parties agree that Table 2 of the UK IDTA shall be interpreted as set out in paragraphs 6(a) and 6(b) of Annex 1, and that personal data received from the Exporter may be combined with personal data collected by the Importer limited to the extent required for the provision of the Services and as further described at http://www.mediamath.com/legal/processingpurposes/.
- The parties agree that for the purposes of Table 3 of the UK IDTA the “Appendix Information” shall be interpreted as set out in paragraphs 4 and 5 of Annex 1.
- The parties agree that Part 2 “Mandatory Clauses” of the UK IDTA shall apply and that the “Alternative Mandatory Clauses” shall be disregarded.
DPA – US States Privacy Law Requirements
This Schedule B supersedes and replaces the existing Schedule B to the Agreement, and supplements and forms part of any existing, current, or future agreement between Client and MediaMath. This Schedule B will be effective as of the effective date of the Agreement (“Effective Date”); provided, however, the relevant obligations apply only to the extent (i) Personal Data is subject to the Applicable State Privacy Laws; and (ii) an Applicable State Privacy Law has taken effect.
“Advertising Purposes” means all Restricted Data Processing Purposes in addition to (i) activities that constitute Targeted Advertising or Cross-Context Behavioral Advertising under State Privacy Laws, including any processing that involves displaying ads to a Consumer that are selected based on the Consumer’s cross-context behaviors, (ii) creating or supplementing user profiles for such purposes.
“Applicable State Privacy Laws” means CCPA as amended and Applicable State Privacy Laws (EC).
“Applicable State Privacy Laws (EC)” means, as applicable, the (i) CAPDP; (ii) CPA; (iii) UCPA; or (iv) VCDPA, depending on which law applies pursuant to Section 3.1, but excluding the CPRA.
“Business/Third Party Purposes” means any use or processing of Personal Information by MediaMath for Advertising Purposes as a Business, or Third Party, as more particularly described at, www.mediamath.com/legal/CCPA/
“CCPA as amended” means the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”), and any statute, regulation, order, decree, or other legal requirement that is or has been enacted, promulgated, issued, or taken by any governmental entity, including judicial bodies, in connection with the same.
“CTDPA” means the Connecticut Act Concerning Personal Data Privacy and Online Monitoring of 2022 as changed, supplemented, amended, or replaced.
“Choice Mechanisms” means as applicable Choice Mechanism (EC) or Choice Mechanism (CCPA as amended).
“Choice Mechanism (EC)” means, with respect to a Consumer that Client determines is a resident of an applicable jurisdiction (EC), a clear and conspicuous method (e.g., a link) that enables the Consumer to Opt-Out of the Sale of Personal Information and Opt-Out of the Processing of Personal Information for the purpose of Targeted Advertising, and that complies with Applicable State Privacy Laws (EC).
“Choice Mechanisms (CCPA as amended)” means a “Do Not Sell or Share My Personal Information” link or alternate Opt-Out link that enables the Consumer to Opt-Out of both Selling and Sharing Personal Information, and that complies with CCPA as amended.
“CPA” means the Colorado Privacy Act and any regulations promulgated thereunder, as changed, supplemented, amended, or replaced.
“Impression Data” means data related to an impression delivered on a site for Client.
“Joint Service Provider” means a Service Provider jointly contractually engaged by a Client and one or more Businesses that jointly determine the purposes and means of the Processing of Personal Information to in a manner that requires combining Personal Information collected across such Businesses, such as for certain measurement activities or capping the frequency of ads shown to a Consumer across sites or services not owned or controlled by the same Business.
“MSPA” means the IAB Multi-State Privacy Agreement available at https://www.iabprivacy.com/mspa.html or any successor site.
“Opt Out” means a Consumer’s election (either directly or through the Consumer’s authorized representative) to opt out of the Sale or Sharing of such Consumer’s Personal Information as set forth in CCPA as amended.
“Opted-Out Impression Data” means Personal Information related to the delivery of an impression for Client on a Site for which the Consumer has exercised an Opt-Out.
“Publisher” means the owner of a digital property where an impression is served an advertisement.
“Restricted Data Processing Purposes” means advertising-related Processing that qualifies as a Business Purpose, including Processing for purposes of auditing; security and integrity; debugging; short term, transient uses; analytics; providing advertising or marketing services that do not include Cross-Contextual Behavioral Advertising, Targeted Advertising, or profiling; internal research; and efforts to improve quality and safety. Restricted Data Processing Purposes includes first-party advertising, contextual advertising, frequency capping, measurement, fraud detection and prevention, and ensuring and measuring viewability, each only to the extent such activity (i) is permissible for a Processor/ Service Provider to perform under the Applicable State Privacy Laws; and (ii) does not result in a Sale or Sharing of Personal Information or constitute Processing of Personal Information for Targeted Advertising purposes and includes any use or processing of Personal Information by MediaMath as (1) a Processor under Applicable State Privacy Laws (EC) as more particularly described at www.mediamath.com/legal/processingpurposes; (2) or as a Service Provider or Joint Service Provider under CCPA as amended each as more particularly described at, www.mediamath.com/legal/CCPA/
“UCPA” means the Utah Consumer Privacy Act of 2022 and any regulations promulgated thereunder, as changed, supplemented, amended, or replaced.
“VCDPA” means the Virginia Consumer Data Protection Act and any regulations promulgated thereunder, as changed, supplemented, amended, or replaced.
References in this Schedule B to “Business”, “Business Purpose” “Consumer”, “Controller”, “Cross-Contextual Behavioral Advertising”, “Personal Data”, “Personally Identifiable Information”, “Personal Information”, “Processor”, “Sell”, “Share”, “Service Provider”, “Targeted Advertising” and “Third Party” shall have the meanings given in Applicable State Privacy Laws. References under this Schedule B to “Personal Information” includes “Personal Data” and “Personally Identifiable Information”.
- Scope. The rights and obligations in this Schedule B take effect on the Applicable State Privacy Laws’ effective and/or enforcement dates and apply to the collection, processing, disclosure and sale and/or sharing of Personal Information from Consumers by and between MediaMath, Client and certain Third Parties. For the purposes of this Schedule B, references under the Agreement to “disclosures to Users required by Applicable Law”, or otherwise similar disclosure requirements, shall mean applicable Choice Mechanisms, as defined above.
- Obligations of Client.
(a) Disclosure and Notice. Client shall comply with the minimum notice requirements required under Applicable State Privacy Laws. Client shall not collect categories of Personal Information other than those disclosed in its notice at collection. If Client sells to, or shares with, MediaMath any Personal Information, Client shall provide explicit notice to such Consumer using plain language describing (i) the categories of parties to which Client sells or shares Personal Information and that such categories of parties may re-sell or re-share it for the purpose of delivering Ads tailored to such Consumer’s interests; and (ii) that the Consumer has the right to Opt Out of the re-sale or re-sharing of the Consumer’s Personal Information via a California Consumer Choice Mechanism.
(b) Choice Mechanisms: Client shall include a Choice Mechanism on the Client Sites to the extent required by Applicable State Privacy Laws. In addition, Client may provide the Consumer a means to provide an Opt-Out override.
- MediaMath as Business or Third Party. Where MediaMath processes Client Data solely as a Third Party (a) Client makes the Client Data that is Personal Information available to MediaMath only for the limited and specified purposes set forth in this Agreement, (b) MediaMath may use the Client Data solely for the Business/Third Party Purposes in accordance with the license of Client Data to MediaMath under the Agreement (c) MediaMath will provide the same level of privacy protection as required of a Business by the CCPA as amended, (d) Client has the right to take reasonable and appropriate steps to ensure that MediaMath uses Client Data in a manner consistent with the Client’s obligations under the CCPA as amended, (e) Client has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of the Client Data, and (f) MediaMath will notify Client if it can no longer meet its obligations under the CCPA as amended.
- MediaMath as Service Provider. (a) When a Consumer has exercised an Opt Out with Client, any Client Data that is Personal Information will not be used, disclosed, or retained by MediaMath for any purposes other than (i) processing the request to opt-out of the sale/sharing, and (ii) processing the Client Data as a Service Provider subject to the Restricted Data Processing Purposes. (b) As a Service Provider MediaMath shall not: (i) sell and/or share such Personal Information; (ii) retain, use or disclose such Personal Information for any purpose other than for the Restricted Data Processing Purposes; (iii) retain, use or disclose such Personal Information outside of the direct business relationship between the parties; or (iv) combine the Client Data with Personal Information that it receives from or on behalf of another person or persons, or collects from MediaMath’s own interaction with the Consumer, provided that MediaMath may combine Personal Information to the extent it is designated as a Joint Service Provider under this Agreement. (c) Client acknowledges that this shall not preclude MediaMath from disclosing Client Data to another Service Provider (i) of Client on Client’s behalf or (ii) of MediaMath in connection with performing the Services for Client, and that any such disclosure shall be within the direct business relationship between MediaMath and Client. (d) MediaMath hereby certifies that it understands its obligations under this Section 5 and will comply with them.
- MediaMath as Processor under Applicable State Privacy Laws (EC). The parties acknowledge that for certain Restricted Processing Purposes subject to Applicable State Privacy Laws (EC), Client is the Controller of Client Data and appoints MediaMath as its Processor for the processing purposes as set out at www.mediamath.com/legal/processingpurposes. The provisions of the Agreement and Schedule A relating to Client’s obligations as a Controller, and MediaMath’s obligations as a Processor shall apply.
- Audit. The audit provisions at Section 4(d) of Schedule A, shall also govern audit rights under this Schedule B and if required under Applicable State Laws.
- Impression Data. Where Client receives any Opted-Out Impression Data from MediaMath where MediaMath acts as a Business or Third Party, subject to Publishers, SSPs and other supply side, measurement and data partners being signatories to the MSPA, Client hereby appoints MediaMath as a Joint Service Provider or Service Provider subject to the following:
(a) Client is a direct signatory to MSPA. Client will (i) promptly notify MediaMath in writing (email sufficient) when Client signs up and registers as a participant to the MSPA, and (ii) the Opted-Out Impression Data will be treated as a Covered Transaction (as defined under the MSPA) by MediaMath acting as a Joint Service Provider under the terms of the MSPA. Client will also notify MediaMath if Client subsequently terminates its registration as a participant in the MSPA in which case Section 8 (b) below will apply.
(b) Client is not a direct signatory to MSPA. Where Client receives any Opted Out-Impression Data that is subject to the MSPA and Client is not a direct signatory to MSPA, Client hereby acknowledges that MediaMath is limited solely to processing data as a Service Provider to Client for Restricted Data Processing Purposes.