Deloitte Digital Online Ad Privacy Notice
Last revised: 1/1/2020
- Information that we collect
- Technologies we use to collect information
- How we use information
- How we share information
- Opt-out and your rights
- Selling of information
- Industry programs
- Data retention
- Data security
- Sensitive information
- Children's privacy
- International use and data transfers
- Third-party services
- Changes to our Privacy Notice
- Contact us
Deloitte Digital (“Deloitte Digital,” “we,” or “us”) is a creative digital consultancy provided by Deloitte Consulting LLP, an affiliate of one of the US member firms within the Deloitte Network. As used in this Privacy Notice, the “Deloitte Network” refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms and their related entities. DTTL and each of its member firms are legally separate and independent entities. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
This Privacy Notice describes how Deloitte Digital collects, uses, and shares information about consumers in connection with our services to create and deliver digital audiences and provide data to our clients (who are advertisers, brands, retailers, and other businesses) to target their own advertising based on such information (referred to as “Personalized Advertising”). Such information also helps us to analyze the effectiveness of these services through ad reporting, attribution, and analytics. For purposes of this Privacy Notice, the services provided by Deloitte Digital are collectively referred to as our “Services.” Please review the Deloitte.com Privacy Notice to learn about how information is collected, used, and shared on our website, www.deloitte.com, which is distinct from our Services.
Information that we collect
To provide our Services, we collect directly from individual users of websites, online services and mobile applications (“you”) and receive indirectly from vendors that we work with across the web (including data management platforms, marketing platforms, and data providers) a variety of information (collectively, the “Services Information”), including:
- Unique Identifiers. We may collect unique user identifiers from your browsers or devices. This may include, for instance, a unique identifier associated with a cookie stored on your browser. It may also include a mobile advertising identifier associated with your mobile device, such as Apple’s Identifier for Advertisers (IDFA) and Google’s Advertising ID. For more details on how these technologies work, please see the section below regarding “Technologies We Use to Collect Information.”
- Online Activities. Similarly, when you visit a website or use a mobile app that is provided by our client or our vendor, or a website or mobile app where our Services or our vendors’ services are deployed, our or our vendors’ tracking technologies or server logs may automatically collect information from your browser or device. This may include information such as your Internet Protocol (“IP”) address (a unique number automatically assigned to your device that may be used to identify your device and infer your general location and other browsers or devices that you use), date and time, whether one of our cookies is already set on your browser, user-agent, browser type and version, the website or mobile application with which you are interacting, the website you visited before visiting the current website, search data, webpage information, and your interactions with our Services, clients, or vendors. We may also track what ads were served on websites and whether you interacted with those ads by clicking, closing the ads, opting out of tracking, or taking any other action.
- Mobile Data. Through our vendors that collect mobile app data and from mobile apps owned by our clients using our Services, we may access mobile app data. In such cases, we may collect information about your interactions with mobile apps and your in-app activities (including but not limited to your IP address, time-stamp information, and features that you use within the app), and information about your mobile device (including device type, handset name, operating system information, mobile identifiers such as Apple IDFA and Android Advertising ID, app-specific identifiers, and a list of the apps your device interacts with). Such data collection may include the tracking of in-app ads that were served and whether you interacted with those ads by clicking, closing the ads, opting out of tracking, or taking any other action.
- Digital Audiences, Audience Segments, and Insights. We may create and offer digital audiences, audience segments, and insights to our clients, based on your online activities, interactions with the ads that you see, and inferences about your likely commercial interests (including inferences about interests in non-sensitive health or wellness topics, such as diet, nutrition, exercise, beauty, and fitness). Our clients and vendors use this information to determine which ads you might be interested in and to personalize and analyze the effectiveness of their advertising. We use machine learning technologies to make these inferences and create digital audiences, segments, and insights, but our Services are not intended to be used to make any decisions that would have a legal or similarly significant effect on individuals.
- Information from our Clients. Our clients may provide us with information that they have collected regarding your previous transactions, relationships, or interactions with them or your visits to their websites or use of their mobile apps. This may include information about your offline transactions and activities with our clients, such as whether you have purchased products or services from them in the past, or other information that our clients maintain in their customer relationship management or similar marketing databases. Clients may also provide us with additional information they have collected from third parties. We combine such client-provided information with other Services Information that we collect on third-party websites and mobile apps or from vendors, to provide our Services to the specific client who provided the information to us.
- Information from our Vendors. We receive information from our vendors regarding your online activity across websites, mobile apps, and linked devices over time, as well as demographic information.
- Data Enhancement and Combination. We may combine the Services Information listed above, or enhance it with other information that we obtain from vendors, to improve our Services. When we do this, we or our clients or vendors may use data “hashing” and other methods to match data while obfuscating certain types of information, such as email addresses or other personal identifiers, used to match the data.
Technologies we use to collect information
- Server Logs. We automatically receive and record certain information from your computer (or other device) and your browser. To obtain such information, we may use server logs or apps that recognize your computer or device and gather information about its online and mobile app activity.
- Mobile Advertising IDs and SDKs. We may use or work with clients and vendors who use mobile SDKs to collect information, such as mobile identifiers (e.g., IDFAs and Android Advertising IDs), and information related to how mobile devices and their users interact with our Services or the mobile apps that use our Services. The data is accessed via data connectors (sometimes referred to as SDKs) embedded within those apps. An SDK is a snippet of code that mobile app developers can include in their mobile apps to enable ads to be shown, data to be collected, and related services to be implemented. We may use this technology, for instance, to personalize advertising across websites and mobile apps or to analyze or measure certain advertising through mobile apps and browsers based on information associated with your mobile device.
- Cross-Device Linking. We receive information from our vendors regarding how a particular computer, browser, or mobile device may be linked to other computers, browsers, or mobile devices used by the same person or household (including the cookie IDs and mobile advertising IDs that seem to be related to the cookie ID or mobile advertising IDs on the device being used).
- Server-to-Server Transfers. We may send or receive information from our clients or vendors through server-to-server transfers. Server-to-server connections allow companies to efficiently transfer information directly between each other.
As described in How we share information, we and our clients or vendors may use the above technologies (sometimes, in combination with each other or other data such as IP addresses or hashed data) to coordinate identifiers across platforms, browsers, or devices, to more efficiently analyze or personalize advertising.
How we use information
We use the Services Information for a variety of purposes, including:
- Provision of the Services. We use the Services Information to provide our Services. For instance, we use the Services Information to enable our clients to better tailor digital advertising on websites and in mobile apps to their own customers and prospective customers. To do this, we may use unique identifiers that enable our Services, as described above, and we may work with our clients and vendors to do so.
- Creation and Sharing of Digital Audiences, Audience Segments, and Insights. We use the Services Information to create digital audiences, audience segments, and insights, as described above, which may then be used by us, our clients or our vendors to tailor advertising, marketing, and other services, or their own products or services or the products and services of others. For example, if you visit a website about outdoor gear or travel, we may help our clients send targeted ads to you regarding outdoor gear, flights, or travel. We also may create data models that indicate that many people with similar attributes to you (based on general location inferred from IP address or online activities) seem to like the outdoors and travel, and our clients may then send them ads regarding outdoor gear, flights, or travel, based on that same model.
- Cross-Device Linking. We use Services Information that we receive from our vendors to understand the probability and nature of connections between devices, including to understand which computers, browsers, or mobile devices are likely owned or used by the same person or household (e.g., computers, browsers, or mobile devices that are linked to the current device being used) for the purpose of helping our clients personalize advertising and measure the effectiveness of their advertising across linked devices.
- Ad Delivery, Reporting, Attribution, and Analytics. We use Services Information to provide insights, facilitate ad delivery, and provide advertising-related services to clients and vendors, including attribution, statistical reporting, traffic analysis, analytics, optimization of ad placements, ad performance, reach and frequency metrics (e.g., frequency capping), security and fraud prevention, billing, and logging the number and type of ads served on a particular day to a particular website, application, or device.
- Improving the Services. We use Services Information to improve the Services and to create new products and services.
- Compiling Aggregated Information. We use Services Information to build aggregated insights about marketing and Services trends for our own internal use, including research and development, and to report such trends to third parties, such as our vendors, clients, prospective clients, or the media.
- Legal purposes. For legal or other necessary purposes, including as described below.
How we share information
To provide our Services, we share information in a variety of circumstances, including:
- Clients and Vendors. We share Services Information with our clients and vendors as necessary to provide the Services to our clients, for the purposes described in this Privacy Notice. These clients and vendors may use the information that we provide them to improve and measure the effectiveness of their own advertising, offerings, and services or products.
- Syncing Information across Platforms or Services. We may share Services Information (including the digital audiences, audience segments, or insights that we create) with our vendors so that they can offer or provide our Services to their own customers through their platforms or services. This may be done by syncing our cookie IDs or mobile advertising IDs with those cookie IDs or mobile advertising IDs used by our vendors. Likewise, we may obtain information from our vendors, such as unique identifiers and associated information, that allows us to sync the IDs as described above, provide clients with information from vendors, or improve our Services.
- Service Providers. We may use third-party service providers to help us manage and improve the Services. These service providers may collect and use your information to assist us in achieving the purposes discussed in this Privacy Notice. For example, we may use service providers to perform data storage, processing, or analytics services for us.
- Aggregated Information. We may share aggregated information about the Services, such as by publishing or sharing reports with third parties about marketing trends or trends in the usage of the Services.
- Legal Purposes. We may disclose your information to law enforcement, regulatory or other government agencies, or to other third parties, in each case to comply with legal, regulatory, or national security obligations or requests, or to establish, protect, or exercise our legal rights or defend against legal claims.
- Corporate Transactions. We may share your information with third parties to facilitate (including in connection with due diligence) the merger, acquisition, sale, financing, securitization, insuring, assignment, bankruptcy, reorganization or liquidation, or other disposal of all or part of our business or assets.
Any Services Information that we have referenced above under “Information that we collect” may be disclosed or sold to the third parties identified in this section for the purposes set forth herein.
Opt-out and your rights
- Opting-Out of our data tracking and personalized advertising services
You may opt-out of Deloitte Digital’s data tracking and Personalized Advertising in web browsers, mobile apps, and across linked devices and thereby request that your Services Information not be sold by following the instructions below.
Please note that mobile apps and web browsers operate with different identifiers, even though they may be used on the same device, and different web browsers on the same computer have independent identifiers. Accordingly, the opt-out will apply only to the specific browser or mobile device from which you opt-out (and to certain data collected or used on linked devices, as discussed below under “Opt-out of Cross-Device Linking”), and you will need to opt-out separately on all of your browsers and mobile devices. If you delete or reset your cookies or mobile identifiers, change browsers, or use a different device, any opt-out cookie or tool may no longer work, and you will need to opt-out again.
- Web Browser Opt-Out. To opt-out of Deloitte Digital’s data tracking and Personalized Advertising on your current web browser, please click here: privacy.xspadvertising.com/opt/out.
To opt-out of other companies’ personalized advertising practices, please visit the optout.aboutads.info, optout.networkadvertising.org, and www.youradchoices.ca/choices (for Canadian users). To help preserve the choices that you make on optout.aboutads.info, you can also install the Digital Advertising Alliance’s “Protect My Choices” extension that is available at www.aboutads.info/PMC.
- Mobile Application Opt-Out. To opt-out of Deloitte Digital’s data tracking and Personalized Advertising in mobile apps, you can adjust the advertising preferences on your mobile device. For example:
- In iOS 7+, visit Settings > Privacy > Advertising > Limit Ad Tracking.
- In Android, visit Settings > Google > Ads > Opt-out of interest-based ads or Opt-out of Personalized Advertising.
You can also opt-out of personalized advertising in mobile apps for companies that participate in the Digital Advertising Alliance's AppChoices tool by downloading AppChoices at www.aboutads.info/appchoices and following the instructions in the app. For more information about opting out on mobile devices, please see www.networkadvertising.org/mobile-choice.
- Opt-out of cross-device linking: Exercising the opt-out choices in web browsers and mobile apps described above will stop us from: (1) using for Personalized Advertising purposes information collected from the browser or mobile device from which you opt-out on other, linked browsers or mobile devices; (2) using for Personalized Advertising purposes information collected on other, linked browsers or mobile devices on the browser or mobile device from which you opt-out; and (3) sharing information collected on the browser or mobile device from which you opt-out with unaffiliated third parties for Personalized Advertising purposes.
Opting out does not mean you will block online advertising altogether or see fewer ads. It simply means that the advertising that you see will not be personalized for you. Future advertising may be served based on the website you are visiting or your current search, or they may be randomly placed.
Our Services do not respond to browser Do Not Track signals at this time.
- Your Privacy Rights
Depending on the jurisdiction in which you are located, you may have the right to request that we modify, delete, or stop processing your Services Information, and you may also have the right to request that we provide the following information regarding the Services Information we hold about you:
- The categories and/or specific pieces of Services Information we collected
- The categories of sources from which Services Information is collected
- The business or commercial purpose for collecting or selling Services Information
- The categories of third parties with whom we shared Services Information
- The categories of Services Information we sold about you and the categories of third parties to whom the Services Information was sold
To exercise any of your rights under applicable law described above regarding your Services Information, please contact us at USPrivacyQuestions@deloitte.com or call us at 844.919.0711. When contacting us, please provide your name and email address. Once we receive your request, we may ask you to provide additional information to enable us to respond.
Applicable laws may also give you the right to lodge a complaint with a local supervisory authority related to this Privacy Notice.
We will not discriminate against you for exercising any of your rights with respect to your Services Information.
Selling of information
Depending on the jurisdiction in which you are located, you may also have the right to request that we not sell Services Information we hold about you. To do so, please visit our Do Not Sell My Personal Information web page.
We participate in the self-regulatory program of the Digital Advertising Alliance (“DAA”) in the United States and adhere to extent applicable to the Self-Regulatory Principles of the DAA. For more information about the DAA and to learn more about the “Ad Choices” icon, visit www.aboutads.info. We also participate in the self-regulatory program of the Digital Advertising Alliance of Canada (“DAAC”) and adhere to the extent applicable to the DAAC Self-Regulatory Principles for Online Behavioural Advertising and related guidance. For more information on the DAAC, please visit youradchoices.ca.
We may retain the information we collect for as long as reasonably necessary for our legitimate business purposes, to fulfill the purposes described in this Privacy Notice, or as required by law. However, we retain most of the Services Information used for Personalized Advertising or ad delivery and reporting for 24 months from the date it was collected.
We have in place reasonable commercial standards of technology and operational security to protect the Services Information from unauthorized access, disclosure, alteration or destruction.
Our Services are not intended to be used to collect information that we consider sensitive without your affirmative express consent to such collection or use. We consider the following types of information to be sensitive: (i) health data, including insurance plan numbers, information about any past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history, based on, obtained, or derived from pharmaceutical prescriptions or medical records, or similar health or medical sources that provide actual knowledge of a condition or treatment (e.g., if the source is sensitive), or information, including inferences, about sensitive health or medical conditions or treatments, including, but not limited to, all types of cancer, mental health-related conditions, and sexually transmitted diseases (e.g., if the condition or treatment is sensitive regardless of the source); (ii) financial account information; (iii) Social Security numbers or other government-issued identifiers; and (iv) precise location (e.g., stored latitude/longitude coordinates that contain more than two decimal places or a geographic area with a radius of less than 500 meters).
The Services are not directed to children under the age of 13 (or Mexican minors under the age of 18), nor are they intended to be used to collect information from children who we know are under the age of 13 (or Mexican minors under the age of 18 or from websites, mobile apps, or online services directed to children under the age of 13 (or Mexican minors under the age of 18).
International use and data transfers
The information that we collect through or in connection with our Services may be transferred to and processed in the United States for the purposes described above. We also may subcontract the processing of your information to, or otherwise share your information with, third parties in the United States or countries other than your country of residence. The data protection laws in these countries may be different from, and less stringent than, those in your country of residence. Also, your information could be accessed by the courts, law enforcement, and national security authorities of these countries, where required by law. To the extent that we engage in such cross-border transfers, we may implement contractual arrangements or other mechanisms, as appropriate, to safeguard information that is transferred to other countries, in compliance with applicable law.
This Privacy Notice does not apply to the practices of our clients, nor does it apply to those third-party advertising systems, exchanges, networks, or other vendors with whom we have a relationship. We encourage individuals to review the privacy policies of the companies, brands, and advertisers with whom they interact.
Changes to our Privacy Notice
In addition to describing our current privacy practices, this Privacy Notice also describes the categories of Services Information we collected, disclosed, or sold during the preceding 12 months. We may modify or amend this Privacy Notice from time to time at our discretion. When we make changes to this Privacy Notice, we will amend the revision date at the top of this page and such modified or amended Privacy Notice shall be effective as to you and your information as of that revision date. We encourage you to periodically review this Privacy Notice to view any updates.
If you have any questions or concerns regarding this Privacy Notice, please contact us at USPrivacyQuestions@deloitte.com or call us at 844.919.0711.
Deloitte Consulting LLP, with an address at Attention: US Office of Confidentiality and Privacy, 30 Rockefeller Plaza, New York, NY, 10112, is the data controller responsible for processing personal data we collect in connection with our Services, except where we act solely as a service provider or data processor for our client, in which case our client is the data controller. The Chief Confidentiality and Privacy Officer of our parent company, Deloitte LLP, oversees our privacy practices.