All You Need to Know About the GDPR and Voluum

All You Need to Know About the GDPR and Voluum

May 25, 2018, is a much anticipated deadline in countless companies around the world. When the General Data Protection Regulation (GDPR) comes into effect, all companies and institutions within the European Union (EU), or dealing with customers from the EU, have to meet the new requirements for data privacy.

Voluum has taken all the necessary steps to comply with the GDPR. It’s high time to make sure you’re compliant as well.

What is the GDPR?

Even though the GDPR is one of the hottest topics globally at the moment, it is nothing more than a tempest in a teapot, if you have taken the time to prepare properly.

As you probably realize, the EU already has a set of rules for data protection. It’s called the Data Protection Directive (DPD) and was issued in 1995. Now, the GDPR is set to replace it.

As a replacement for the DPD, the GDPR will mainly serve as an update and an expansion of the current directive. Here’s what it aims to achieve:

First and foremost, the goal of the GDPR is to enhance the protection of the personal data of EU citizens. It also imposes restrictions on companies that collect or process this kind of data. Additionally, it involves harsher-than-ever penalties for any violations in this field.

What is really important here, is that the GDPR doesn’t only affect companies within the EU but also those that aren’t necessarily located inside the EU but collect and use personal data from people in the EU (EU-located visitors).

In practice, one of the biggest changes that the GDPR brings imposes on data-collecting companies is the necessity to obtain a legal basis for processing of personal data.

What’s more, the GDPR will allow customers to request a copy of their data from companies and to receive it, in most cases, free of charge. They’ll also have the right to ask for the removal of their data and they can withhold their consent for data processing.

More information about the key changes brought by the GDPR can be found here.

Shared Responsibility for Data Security

Voluum has undergone an audit, and our GDPR-dedicated team will make sure we’re fully compliant before the May 25 deadline.

In the GDPR, however, companies are divided into data controllers and data processors, and both share the responsibility for data security.

Controllers are the ones who collect the data and determine the reason for processing it. This is you – a Voluum customer.

Processors (Voluum in this case), on the other hand, are the ones who process the data on behalf of the controllers.

As a data processor, our obligation is to provide you with a GDPR-compliant platform. That’s why Voluum enforces data privacy by design. By May 25, you will have received our updated terms and conditions, so you can see what has changed.

With that said, Voluum has already been incorporating various technologies and procedures to ensure the high security of the personal data processed with our platform.

voluum-gdpr-serversPrincipally, we rely only on secure vendors who process personal data in compliance with the GDPR and ensure an appropriate security level. In that context, we use only secure cloud servers, including Amazon’s AWS for storing data. The AWS meets a variety of security standards, such as PCI-DSS, HIPAA/HITECH, FedRAMP, the EU Data Protection Directive, and FISMA. It’s also ISO 27017 and ISO 27018 compliant. Additionally, we have appropriate data protection agreements with our vendors.

voluum-gdpr-tls encryptionThen, by default, we use Transport Layer Security (TLS) encryption. The TLS is a cryptographic protocol that ensures the overall security of data transferred over a network of computers. In other words, the connection between your browser and our servers is encrypted. This also encompasses the tracking of your campaigns.

voluum-gdpr-firewallFurther security enhancements include the use of front-end and back-end firewalls. These monitor and control incoming as well as outgoing network traffic. In practice, they block any unauthorized attempts to access data.

voluum-gdpr-third partyMoreover, we work only with third-party APIs and SDKs that have the highest security standards. We rely on external companies, for instance, to deliver the customer support ticketing system.

voluum-gdpr-data protection officerAdditionally, we are training our employees to produce not just quality code but code that is secure. Our company employs over a hundred outstanding developers and an entire team dedicated to security. We’ve also appointed a Data Protection Officer to make sure we emphasize personal data protection and stay GDPR compliant.

Finally, we have also drawn up a GDPR-compliant Data Processing Agreement to give you contractual protection. The documents, available soon, will be applicable by May, 25.

As a data controller, however, you must determine and obtain the legal basis for controlling the data and sending it through Voluum.


Voluum has introduced two new features to secure data privacy.

The first one is IP Anonymization. Click here to find out more about it.

The other is the Opt-Out option – a cookie allowing end users of your campaigns to reject tracking. You can read more about this feature by clicking here.

What Do I Need to Do?

Here is a short “to do” list for you to make sure you comply with the GDPR.

  1. Determine the lawful basis for processing personal data that fall under the new regulation. In particular, you need to check whether the GDPR requires you to obtain visitors’ consent or whether there is another legal basis for processing the data, such as a legitimate interest (learn more here). Remember, do not process any data for which you do not have a lawful basis to do so.
  2. Update your privacy notices to reflect the changes introduced by the GDPR and improve their transparency. Explain how you use tracking services or cookies technology. You may also wish to give your visitors’ optional privacy preferences.
  3. Determine a way for users to access their data.
  4. Double check the regulation, to make sure you’re fully compliant. Additionally, check out the GDPR Frequently Asked Questions.

When the dust settles, remember we’re here to assist you with any inquiries you may have about our role as a data processor as well as how we can help you stay GDPR-compliant.

So keep calm, and enjoy tracking with Voluum once the GDPR is in force as much as you have so far!


  1. I was waiting for these announcements from you for a long time lol!!

    There is an issue though, the users I track will have to click on the voluum tracking link, which will record their IP address for GEO data, set some tracking cookies…etc

    If we were to comply with GDPR, none of this would be compliant, since when redirecting to an offer or lander, we would be forced to show a page asking for consent, then redirecting afterwards.

    Any thoughts on this.

  2. Hi,

    Don’t take my word for it, since I am no lawyer.

    What I’ve learned about this is that if the affiliate is the controller of the data, the controller decides how the data is processed (Voluum would be the processor).

    Now, as the controller, you would have to make sure there is cookie consent. (since you want to track personal data [IP’s are that]) … I can’t seem to find out of the consent status can be ON by default. Or that it has to be some sort of OPT in the situation, where you present ’empty checkboxes’ for cookies to the user.

    However, there is also a rule in GPDR, that every person is allowed to be ‘forgotten’. That means that you have to be able to take them out of the database. This database with IP adresses (personal info) is stored by Voluum.

    My question is: how are they going to link a cookie consent click that happens on a lander to a certain IP adress in their DB ?

    Personally, I think this GDPR thing is either going to be : a fad …. or it’s going to be very disruptive …

  3. I can assure you this GDPR thing will kill tracking/analytics world, it will be very disruptive as you said.

    Acting as a user, if you show me a modal window where you tell me that you want my consent to track me, I’ll immediately uncheck the whole thing, no one likes to be tracked, most internet users are tracked because they don’t know they are tracked.

    As for linking cookies to a certain IP, that’s not an issue, most trackers store a cookie containing a unique user id, easily linked to IPs used by the same user.

    Even if they anonymize IPs (replacing the last digit by 0), we’re still left with unique user IDs which are considered personal data.

    GDPR is the killer for analytics and tracking software, I can assure you that, tracked visitors will drop dramatically, conversion attribution will be impossible, there is no way to tag a user without consent, and no one will give consent unless they really need your product (sign in to a Saas software for example).

    CPA marketers will suffer the most:
    – either ignoring GDPR (very bad)
    – or running campaigns blindly (hoping that someone will give consent to be tracked)
    – or forget EU geos (advertisers will suffer too: since no one will be promoting their offers)

    I can’t seem to find an answer to this. Really!

    Oh! did I mention that even Google Fonts stores some data about the user: even if you want your awesome looking fonts to show up, you need consent ??!!

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like