Our Approach to Data and Privacy

At Nimbus we had the luxury of building our technology in a world where GDPR and CCPA were already in sight. We didn't have to shoehorn our current technology into a new regulatory environment. This allowed us to build something that was far more applicable to this new era, where data security is paramount: both user privacy and a publisher's valuable first-party data.

One of the concerns many publishers have about their open market programmatic partners is "what is going to happen to my data?". Sure, publishers like the extra money they might get from sharing their data with ad partners, but they can't help feeling uneasy about the whole situation. Their data, out there in the wild, being used by who-knows-who for lord-knows-what. This has always been a concern for publishers, but with the onset of GDPR in the European Union and CCPA in California, a regulatory component has been added as well. Not only does this kind of data leakage feel bad, but now in many cases, it could well be illegal.

Historically, the open marketplace programmatic economy has not been well set up for complying with these laws. Publishers might share some data with their ad mediation platform, and they might share it with a bunch of DSPs and other demand sources, and who knows what they might do with it. This makes it difficult to understand why a demand source made the bid they did, but more importantly raises privacy concerns in this new regulatory environment. It also may potentially deprive publishers of a source of revenue. On the regulatory front, initiatives such as the European IAB's Transparency and Consent Framework and the US IAB's CCPA Compliance Framework for Publishers aim to rein in this ecosystem, and at Nimbus we are active participants in both of these initiatives. However, we believe more could be done.

The vast majority of players in the open marketplace programmatic economy operate as *joint controllers* in GDPR parlance. What this means is that they are, along with the publisher, a controller of the publisher's data, which means that the publisher has ceded some level of decision-making about data-sharing to their programmatic partners. This can make some sense: it allows for more streamlined functionality in augmenting first-party publisher data with other data sources during the auction process. However, we believe it greatly expands regulatory complexity. Additionally, it may introduce obfuscation into the bidding process, making it difficult, if not impossible, for a publisher to understand who won their ad auction, and why, and how.

At Nimbus we take a different approach. We operate as a *processor* under GDPR. This means we only do what publishers direct us to do with their data. We do not augment. We don't "salt" bids. We do not share the data with parties our publisher clients don't want us to share it with. A Nimbus auction is a pure, transparent auction, solely between bidders with whom publishers have entered into a direct contractual relationship. Publishers share what they want with each bidder. We simply pass it along.

There are several huge advantages to this process: 

  1. Being a processor of publishers’ data reduces regulatory headaches, by limiting a potential source of 'data leakage.'

  2. It allows publishers to protect their first-party data, which is becoming more and more important from a revenue point of view, and also from a regulatory point of view.

  3. In the current state of flux and uncertainty with the implementation of technical solutions to CCPA and GDPR, having direct connections to all our publisher clients’ demand partners, and an auction platform as a processor allows for greater flexibility in compliance with certain parts of the regulations.  For example, rather than relying on the CCPA Compliance Framework's flag passing for CCPA compliance, in certain situations with our approach a publisher could enter into a contractual relationship with a demand source that agrees to only pass CCPA-compliant traffic, and take comfort that what they pass to their auction platform will go straight to the demand source partner without any data manipulation, leakage or other risks. These types of solutions aren't applicable for all publishers, but it's nice to know there's added optionality when working with an auction platform that's a processor.

  4. Finally, and perhaps most usefully, it allows for completely transparent auctions. In each Nimbus auction, publishers can see who won, the CPMs, and who's bidding. They can also know what data they sent them to consider the bid. There are no mysterious 'marketplaces' that come in and bid and maybe win over and over at some unknown CPM against unknown bidders without being able to see exactly what is going on. This is huge. Publishers can know exactly where their revenue is coming from, and exactly how much their audience is worth to each demand partner. 

We believe this approach makes for a system that is more protective of your data and your users’ data. We believe this makes Nimbus a more useful and transparent offering. If you have technical questions on our implementation, please don’t hesitate to get in touch.
