Last Updated November 4, 2021
1. Who we are, What we do, How you can contact Outbrain, our DPO or the relevant authorities
Who we are:
What we do:
Outbrain’s mission is to serve interesting recommendations to you based on what we believe are your interests. To achieve our mission we enter into agreements with:
- online publishers and partners who want to recommend relevant content to their readers (this is Outbrain Engage);
- advertisers who want readers to view their content (this is Outbrain Amplify); and
- third party partners who help us serve relevant recommendations.
For further information on our Amplify (advertiser) services see here and our Engage (publisher) services see here.
How to contact us:
If Outbrain does not satisfactorily answer your questions or concerns, you may also contact the following for advice, support or complaints:
- Outbrain’s Data Protection Officer (“DPO”) at firstname.lastname@example.org ; and/or
- the Information Commissioner’s Office, which is Outbrain’s lead supervisory authority within the European Territories.
2. Alliances and Adherence
- We adhere to the Self-Regulatory Principles set forth by the Digital Advertising Alliance (DAA) and the European Interactive Digital Advertising Alliance (EDAA);
- We are members in good standing of the Network Advertising Initiative (NAI), an association dedicated to responsible data collection and its use for digital advertising. We also adhere to the NAI Code of Conduct for Web and Mobile. Outbrain also adheres to the Interactive Advertising Bureau’s (IAB) Self-Regulatory Principles for Online Behavioral Advertising, and the IAB Europe OBA Framework; and
- We are also TAG Brand Safety Certified here.
3. Outbrain User Types (including Opt Out Options)
Site Visitors: You are a Site Visitor when you visit and interact with our web sites, web pages, interactive features, blogs and their respective contents at Outbrain.com (or any derivation, such as Outbrain.co.uk; Outbrain.fr; outbrain.de etc.) (“Our Sites“).
(a) What information we collect and why
We want to understand what services on Our Sites interest you and we want to remind you about the services we offer when you are not on Our Sites. In order to do this, we collect the following information from your device: (i) IP address; (ii) User Agent data: device type (e.g., iPhone), browser type (e.g., Chrome), operating system (e.g., iOS); (iii) the pages visited on Our Sites (e.g., the Outbrain “About” page); (iv) the time of visit (and corresponding time zone); and (v) referring URLs and other information normally transmitted in HTTP requests (e.g. information telling us how you arrived on Our Sites).
In addition, we may also collect your name and email address if you agree to send your details to us via Our Sites (e.g., by signing up to receive our newsletter).
(b) What cookies and other similar technologies we use
Please see this Cookie Table, which is updated from time to time, under the section “Site Visitors” for a detailed list of first and third party cookies (and their corresponding retention periods) that may be used when you visit Our Sites.
(c) How we may share information
- Sharing Information we learn about you on Our Sites
We do not sell and/or share personal data about you with third parties for third party marketing or advertising purposes. We may use various third parties (each listed on the Cookie Table) to help us market or advertise to you. We require that these third parties and companies agree to comply with all applicable data protection laws, keep all information shared with them confidential and to use the information only to perform their obligations to us. We do this by entering into agreements with all third parties who process personal data. If you post on our blog, your comment and information will be publicly available. Please contact email@example.com to remove your comment.
- Using Third Party Services on Our Sites
Our Sites contain links to other websites that we do not own or operate. We do not control, recommend or endorse the content, products, services, privacy policies or practices of these third party websites. For example, on Our Sites you will notice clickable icons which take you to the Outbrain Facebook page or the Outbrain LinkedIn page. If you choose to click on these links, you should know that these sites are not owned or operated by Outbrain and therefore these third party websites may send their own cookies to your device and they may independently collect personal data. It is therefore important that you get familiar with the privacy policies of these third party websites.
(d) Your rights
For Site Visitors in the European Territory, Outbrain has implemented a consent management platform (powered by OneTrust) on Our Sites that provides you with the opportunity to consent, or not consent, to cookies and similar tracking technologies. Upon accessing Our Sites, you will see a banner in the centre of the page with information about the cookies we use. You may click the banner to reject any cookies (for example, performance cookies or targeting cookies) that are not strictly necessary cookies (as defined in the Cookie Table). By pressing “I Accept” on the banner you are indicating your acceptance to cookies and similar tracking technologies. Outbrain’s lawful basis for processing personal data of European Territory Site Visitors on Our Sites is consent. You may withdraw your consent at any time by clicking this button: . In respect of all other Site Visitors not located in European Territories, we rely on our legitimate interest for processing any personal data however, this does not preclude non-European Territory Site Visitors from withdrawing consent at any time via our consent management platform.
Example of an Outbrain Widget
(a) What information we collect and why
We use UUIDs, IP Address and other Usage Information so that we can serve interesting recommendations. Outbrain’s recommendations may be paid for by an advertiser linking you to a new website or they may be organic such that the link is to another page on the same Partner’s Site. Outbrain may use high-level health interest categories to serve recommendations, that you can find here.
When you, as a User, first visit a Partner Site (e.g., CNN.com), Outbrain drops a cookie on your device in order to generate a UUID. Alternatively, if you first interact with a Partner using that Partner’s application, Outbrain receives your advertiser ID which is assigned to you by your device. We catalogue and analyze the content you consume across Partner Sites. Our recommendations are based on: (i) a UUIDs browsing history; (ii) similar browsing patterns of other Users; (iii) recommendations that are generally popular with Outbrain’s audience at this time; (iv) some randomness, and (v) targeting requirements that may be provided or requested by our Amplify clients. As an example, Outbrain may know that UUID 123 (which could be you on your iPhone X on The Guardian using Chrome as your browser) likes to read about far away holiday destinations and that people who like to read about far away holiday destinations also like to read about exotic food. When you interact with Outbrain we do not collect traditional personal data from you, like your email address or name, therefore we cannot associate your name with your UUID (for example, we do not know that John Smith, who is also UUID 123, likes to read about far away holiday destinations).
The UUID is a sequence of numbers and/or letters. This UUID attaches itself to your device and varies depending on your browser combination. In other words, Outbrain records a different UUID depending on which device and/or which browser you use when accessing the Partner Sites. For example, you will have one UUID when you visit a Partner Site from your mobile phone using the browser Safari, and a different UUID when you visit a Partner Site from your iPad using the browser Safari. Outbrain will combine and consolidate a UUID from a mobile device (handheld or tablet) from a browser that then accesses an application (or vice versa) from that same device. Outbrain does not conduct cross device tracking and therefore cannot link a user interacting with Outbrain on their phone as the same user who is interacting with Outbrain on their desktop.
- IP Address
In addition to your UUID, we recognise your IP address, which we translate into geolocation and delete the last octet in order to mask the identifying information. We then use this masked information, in conjunction with information we received from other trusted third party partners (such as MaxMind) to determine a broad understanding of where you are located (e.g., New York). Outbrain will still recognise your IP address even if you opt out of personalised tracking as this is necessary to continue serving you context-based recommendations however, in such instances your IP address is not associated with your UUID and would not form part of any user profile.
- Other Usage Information
In addition to your UUID and IP address, we also collect the following information from you on (a) desktop and mobile web: (i) User Agent data: device type (e.g., iPhone), browser type (e.g., chrome), operating system (e.g. iOS); (ii) the pages visited; (iii) the time of visit; and (iv) referring URLs and other information normally transmitted in HTTP requests. The above statistical information provides us with information about how many Users visited a specific page on our Partner Sites on which the Outbrain widget is installed, how long each User stayed on that page, the type of content on that page they clicked on and how they generally engaged with that page; and (b) on applications (i) application version (as it appears in App Store or Play Store); (ii) application ID or package name (as it appears in the App Store or Play Store); (iii) operating system ( e.g. IOS or Android); (iii) operating system version; and (iv) device model (e.g. iPhone X).This information is considered personal data if Outbrain associates it with a UUID.
As Outbrain does not have a direct relationship with Users interacting with Partner Sites, Outbrain relies on its partners to determine the lawful basis upon which Outbrain can process personal data. Each partner site relies on either
(b) What cookies and other similar technologies we use
- Outbrain cookies
Please see the Cookie Table under “Users” for a detailed list of the First Party Cookies we use when you interact with Partner Sites where the Outbrain technology is implemented.
- Outbrain pixels
- Third party pixels
(c) How we may share information
- Our Partners
Outbrain does not share and/or sell a User’s entire profiles with any third parties. However, we may share certain elements of a user profile (for example, UUID) with the following partners, including:
- Brand safety, analytics and fraud partners;
- Demand Side Platforms (DSP) and Supply Side Platforms (SSP);
- Ad Exchanges and/or Networks; and
- Demand Management Platforms.
Please see here for a list of some of our trusted partners. In addition, we may collect and/ or share some personal data with trusted partners by virtue of participating in the OpenRTB. Many of these partners are registered as IAB TCF Global Vendors and can be found here.
(d) Your rights
- Outbrain opt out on desktop and mobile web
You may opt out of Outbrain’s personalized recommendations (or, if you have opted out and would like to opt back in) at any time by moving the toggle below. You may also opt out of personalized recommendations via Outbrain’s Interest Profile which is a website that provides a general visualization of the data Outbrain knows about you and may use to make its recommendations.
- Outbrain opt out on apps
In order to opt-out of Outbrain’s recommendations on your mobile applications you can follow the steps below:
- iOS Devices: Settings > Privacy > Advertising > Limit Ad Tracking
- Android Devices: Google Settings App > Ads > Opt Out of Interest-based Advertising
- Additional Opt-Out Options
You may also opt out of receiving personalized ads served by us or other advertising companies through industry powered tools such as the NAI or the various DAA-based pages (DAA, http://www.aboutads.info/choices; DAAC, www.youradchoices.ca/choices , and/or EDAA www.youronlinechoices.eu). Visiting the NAI, DAA, DAAC, or EDAA consumer choice pages allows you to opt out of all some or all of the participating members’ services. Like Outbrain’s opt out, these opt outs do not mean you will no longer receive any advertising, the advertisements will just not be tailored to you. You will continue to receive advertisements, for example, based on the particular website that you are viewing (i.e., contextually based ads). Also, if your browsers are configured to reject cookies when you visit the DAA, DAAC or EDAA consumer choice pages, your opt out may not be effective as our opt out is cookie based.
Even though you have opted out of Outbrain’s personalised recommendations:
- You will still see Outbrain recommendations. Opting out of Outbrain personalization tracking does not mean you will no longer receive recommendations from Outbrain. Instead, it means that Outbrain’s recommendations will not be personalized (i.e. they will be context based recommendations).
- Your opt out will be cookie based and device/browser specific. If you browse the web from several devices and/or browsers, you will need to opt out from each device and/or browser to ensure that we prevent personalization tracking on all of them. For the same reason, if you buy a new device, change browsers or delete (or clear) the opt out cookie, you will need to opt-out again. Opting out of personalization tracking is not the same as blocking cookies.
- You must not opt in to Outbrain for at least 21 days as the deletion of your profile is tied to your UUID. Your opt out from Outbrain’s personalized recommendations is effective immediately. However, if your browser permits local storage and you opt into Outbrain’s personalized recommendations (for example, by accepting a cookie banner) within 21 days of your opt out, it is possible your prior profile will be reconnected to your UUID. If you do not opt in within 21 days, your profile will be deleted and cannot be recovered.
- As with most opt out cookies, the Outbrain browser opt out relies upon a cookie. The opt-out cookie is intended to be persistent to honor the user’s preferences. However, the “Intelligent Tracking Prevention” feature in iOS11 may impact the persistence of cookies across websites post a 24 hour window. We suggest using another browser or considering blocking all 3rd party cookies from the browser so that you are “opted out” without needing to rely on any company’s actual opt out methodology.
- Your local storage will not be cleared. Even though you have opted out of Outbrain’s personalised recommendations your local storage will not be automatically cleared and therefore you need to clear this at a browser level in addition to your opt out.
Business Partners: You are a Business Partner when you register (or email with Outbrain) on behalf of the company you work for to use the Outbrain Amplify or Outbrain Engage Services.
(a) What information we collect and why
You may provide certain personal data (such as email address) when you sign up for the Amplify or Engage services or otherwise communicate or interact with us. If you apply to become a Business Partner, we may request additional information from you via advertiser application forms, insertion orders and other forms. We automatically collect information about your username’s actions in the Outbrain dashboard. As an example, as an Amplify Business Partner if you change the cost-per-click for one your campaigns, Outbrain’s audit trail will have a record of all those actions.
We collect and process the personal data above in order to perform our obligations under our agreement as a Business Partner (or prospective Business Partner) with you including to:
- respond to your questions and requests;
- to provide you with access to certain functions and features of our Amplify or Engage services (e.g., to provide and maintain your dashboard account);
- verify your identity; and
- communicate with you about your account, our products, and available promotions relevant to your use of the Amplify or Engage service.
(b) What cookies and other similar technologies we use
Please see this Cookie Table under “Business Partners” for a detailed list of First and Third Party cookies (and their corresponding retention periods) we use with Business Partners.
(c) How we may share information with anyone
(d) Your rights
If as a Business Partner you wish to verify, correct, update or request the deactivation of your information, you may go to the Outbrain dashboard in order to edit your profile preferences or contact us at firstname.lastname@example.org. If you are receiving Outbrain emails, you may “unsubscribe” using a link in the email. Note that unsubscribing shall not opt you out of notifications critical to providing the Amplify or Engage services (e.g., email invoices).
(e) Lawful Basis
Outbrain’s lawful basis for processing personal data of Business Partners is contractual.
4. Security Measures, Transfers Outside the EEA, Sharing and Data Retention
Outbrain has a dedicated security team. We maintain tight controls over the personal data we collect, retaining it in firewalled and secured databases with strictly limited and controlled access rights, to ensure it is secure. Please see our security standards for more information.
Business Partners have access to certain password-protected features of the Amplify or Engage service. Business Partners are responsible for keeping this password confidential and for ensuring the same for their employees and/or their agents. Please remember that, unfortunately, the transmission of information via the internet is never completely secure. A common Internet scam is known as “spoofing” or “phishing.” This occurs when you receive an email from what appears to be a legitimate source requesting personal data from you. Please be aware that we will not send you any emails requesting you to verify credit card, bank information, or any other personal data. If you ever receive an email that appears to be from us requesting such information from you, do not respond to it, and do not click on any links appearing in the email. Instead, please forward the email to us at email@example.com, as we will investigate instances of possible Internet fraud.
Data Transfers Outside the EU/EEA
When we transfer personal data from the European Economic Area (EEA) we will ensure such transfers are in compliance with relevant data protection laws, including, if applicable, EU Standard Contractual Clauses, or a European Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC or Article 45 of the GDPR. In other words, your rights and protections remain with your data and we used approved contractual clauses and other measures designed to ensure that the recipients of your personal data protect it. Outbrain has in place the Standard Contractual Clauses between Outbrain entities to govern the transfer of data outside of the EEA.
In addition to the description of how we may disclose your personal data for each user type, we may also disclose personal data as follows:
- Within the family of companies controlled by Outbrain for internal reasons, primarily for business and operational purposes;
- If we go through a business transition, such as a merger, acquisition by another company, or sale of all or a portion of our assets, your personal data will likely be among the assets transferred;
- When legally required to do so (e.g., to cooperate with law enforcement investigations or other legal proceedings); and/or
- To respond to a genuine emergency.
In addition, we combine your personal data with those of other users in order to share trend information and aggregate user statistics with third parties, always in aggregated and anonymized form.
The retention period for each of the cookies Outbrain uses (whether our own or on our behalf by third parties) is stated in the Cookie Table. More specifically, the Outbrain cookie (Obuid),which is used for tracking user actions such as clicks, expires three (3) months after a user visited a particular site within our network however, this cookie will reset if a user returns to the same site or different site within our network. In addition, we do not retain any individual data point on a User for more than 13 months. For example, if UUID 123 read an article on December 31, 2018, on February 1, 2019 that article will no longer be part of UUID 123’s profile. Outbrain also maintains a Data Retention Policy that details the retention period for personal data based on our analysis of how long the specific data is reasonably required for legal or business purposes. When we no longer need personal data, we securely delete or destroy it. Aggregated data, which cannot identify a device/browser (or individual) and is used for purposes of reporting and analysis, is maintained for as long as commercially necessary.
5. Children and Sensitive Data
None of our services are intentionally directed at children under 16. We do not knowingly collect personal data from anyone under 16 years of age. If we determine upon collection that a Site Visitor, a User or a Business Partner is under 16, we will not use or maintain his/her personal data. If we become aware that we have unknowingly collected personal data from a child under the age of 16, we will make reasonable efforts to delete such information from our records. If you’re a kid, please go play in the yard, don’t use or interact with Outbrain!
We do not collect or receive any sensitive categories of personal data.
6. European Territory Visitors
In compliance with certain privacy laws, in particular the European General Data Protection Regulation (GDPR), Outbrain provides specific additional rights for individuals who interact with Outbrain such as the right to access, rectification, right to object, to complaint, erasure and blockage. More specifically and under certain circumstances:
- the right to request information about whether and which personal data is processed by us, and the right to demand that personal data is rectified or amended.
- the right to request that personal data should be deleted.
- the right to demand that the processing of personal data should be restricted.
- withdraw your consent to the processing and use of your data completely or partially at any time with future application.
- have the right to obtain your personal data in a common, structured and mechanically readable format.
- contact our data protection officer if there are any questions, comments, complaints or requests in connection with our statement on data protection and the processing of your personal data.
- the right to complain to the responsible supervisory authority if believed that the processing of your personal data is in violation of the legislation.
Please email Privacy@outbrain.com with any questions about exercising any of the above rights.
7. California Privacy Rights
This section applies only to California residents. It describes how we collect, use and share Personal Information of California residents in operating our business, and their rights with respect to that Personal Information. For purposes of this section, “ Personal Information” has the meaning given in the California Consumer Privacy Act of 2018 (“ CCPA”) but does not include information exempted from the scope of the CCPA.
(a) Your California privacy rights.
As a California resident, you have the rights listed below. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law.
- Information. You can request the following information about how we have collected and used your Personal Information during the past 12 months:
- The categories of Personal Information that we have collected.
- The categories of sources from which we collected Personal Information.
- The business or commercial purpose for collecting and/or selling Personal Information.
- The categories of third parties with whom we share Personal Information.
- Whether we have disclosed your Personal Information for a business purpose, and if so, the categories of Personal Information received by each category of third party recipient.
- Whether we’ve sold your Personal Information, and if so, the categories of Personal Information received by each category of third party recipient.
- Access. You can request a copy of the Personal Information that we have collected about you during the past 12 months.
- Deletion. You can ask us to delete the Personal Information that we have collected from you.
- Opt-out of sales. If we sell your Personal Information, you can opt-out. In addition, if you direct us not to sell your Personal Information, we will consider it a request pursuant to California’s “Shine the Light” law to stop sharing your personal information covered by that law with third parties for their direct marketing purposes.
- Opt-in. We contractually prohibit our publishing and advertising clients from placing our technology on pages that target individuals younger than 16 years old. If we learn that you are younger than 16 years old, we will asking for your permission (or if you are younger than 13 years old, your parent or guardian’s permission) to sell your Personal Information before we do so.
- Non discrimination. You are entitled to exercise the rights described above free from discrimination. This means that we will not penalize you for exercising your rights by taking actions such as denying you services; increasing the price/rate of services; decreasing service quality; or suggesting that we may penalize you as described above for exercising your rights.
(b) How to exercise your rights
You may exercise your California privacy rights described above as follows:
- Right to information, access and deletion. You can request to exercise your information, access and deletion rights by:
- calling us toll free on 1-866-I-OPT-OUT and entering service code 253# to leave us a message.
- emailing firstname.lastname@example.org
- Right to opt-out of the “sale” of your Personal Information. We do not sell your Personal Information in the conventional sense (i.e., for money). However, like many companies, we use services that help deliver interest-based ads to you. California law classifies our use of these services as a “sale” of your Personal Information to the companies that provide the services. This is because we allow them to collect information from our website users (e.g., online identifiers and browsing activity) so they can help serve ads more likely to interest you. To opt-out from this “sale”, click on this link which will take you to our Interest Profile where you can opt out of personalised recommendations.
We will need to confirm your identity and California residency to process your requests to exercise your information, access or deletion rights. We cannot process your request if you do not provide us with sufficient detail to allow us to understand and respond to it.
(c) Personal information that we collect, use and share
|Outbrain User Type||Statutory category of personal information (PI)
(click for details)
|Source of the PI||Purpose for collection||How we may share, disclose or “sell” information.|
Internet or Network Information
|Site Visitor||See Section 2(a) (Site Visitors).||See Section 2(c) (Site Visitors).|
Internet or Network Information
|Users||See Section 2(a) (Users).||See Section 2(c) (Users).|
|Business Partners||See Section 2(a) (Business Partners).||See Section 2(c) (Business Partners).|
8. “Do Not Track” Disclosure
Some browsers transmit Do Not Track (DNT) signals to websites. Because there is no common understanding of how to interpret the DNT signal, Outbrain does not currently alter, change, or respond to DNT requests or signals from these browsers. We will continue to monitor industry activity in this area and reassess our DNT practices as necessary. In the meantime, you can use the range of other tools we provide to control data collection and use, including the ability to opt out of receiving personalized recommendations in the Users section.