How the IAB Tech Lab’s new PrivacyChain could solve one of consent management’s biggest problems

The IAB Tech Lab’s visualization of PrivacyChain, where “audience” = “consent record.” (Click to enlarge.)

The new privacy blockchain proposal — announced last week by the Interactive Advertising Bureau’s Tech Lab in conjunction with identity resolution provider LiveRamp — could solve one of the biggest problems of consent management.

Background on the TCF and the Big Issue. In early March, the Interactive Advertising Bureau (IAB) Europe unveiled its Transparency & Consent Framework (TCF).

Later co-sponsored by the IAB Tech Lab, which is a separate organization from IAB Europe, the TCF offers a protocol for how advertisers and publishers can track their collection and sharing of consent records granted by consumers to allow the use of their personal data for specific marketing purposes, in a way that complies with the European Union’s General Data Privacy Regulation (GDPR).

A key criticism of the Framework, from such organizations as the anti-ad-blocking solutions provider PageFair, was that it didn’t sufficiently track the sharing of user consent records.

When a user allows a publisher to use her info for marketing or ads, the consent info is passed via a TCF-suitable consent management platform to vendors who have been approved by the publisher, such as ad exchanges, data management platforms, tag management platforms and so on. But those vendors could share the info with other vendors, or there might be vendors on the web site who got hold of the info without the publisher’s knowledge.

A potential solution. One possible solution to this “data leakage” problem was offered this past July by Boston-based Namogoo, which offers a service to track which vendors are collecting personal data, what is being collected and how it is being shared.

And there have been a variety of blockchain-based endeavors that seek to solve the problem of personal data privacy management for digital advertising, such as ad tech platform MadHive.

But the new blockchain-based PrivacyChain could provide a more universally-accepted solution that automatically records every transaction involving a given user’s consent record.

As a distributed ledger, the blockchain allows each participating organization — every publisher, agency, data management platform, ad exchange and so on — to have their own local blockchain node that contains all the info on the entire chain. Every node is updated whenever updates are made.

User A’s consent record, first agreed to on Publisher XYZ’s web site, would have a permanent breadcrumb trail showing every vendor or other organization that had access to the info. Every transaction involving the consent record generates a smart contract, and the contracts are tied together by IDs.

LiveRamp VP Arthur Coleman told me that no data lives on the blockchain, which only contains a “consent to use” pointer. The actual personal data resides with the publisher or advertiser that originally collected it.

This is similar to the approach of various other blockchain-based efforts to support GDPR. Since blockchains are virtually immutable, they cannot easily accommodate GDPR’s “right to be forgotten” requirement if the personal data would be written to the blockchain, because users can ask that their personal data be deleted.

If a user does request the consent record be deleted from PrivacyChain, a new block is written to the chain nullifying the previous “consent to use” pointer, and assumedly the data would also be erased at the publisher or advertiser.

A lot of figuring to do. This “system of record” could be employed for any consent tracking, whether for GDPR, the new California Consumer Privacy Act, the upcoming European Privacy Directive or a company’s own privacy policies.

But, to get there, the IAB Tech Lab still has a lot of figuring out to do.

A web domain, Consensu.org, was established under TCG as a storage site for consent records obtained by publishers or advertisers. One possible scenario, Coleman noted, is that Consensu could run on PrivacyChain.

But, IAB Tech Lab SVP and General Manager Dennis Buchheim told me, it’s not yet clear if PrivacyChain will actually become a system of record for TCF, and the relationship of this new PrivacyChain to Consensu remains to be worked out.

“It’s a potential solution,” he said. “The devil is in the details.”

The PrivacyChain project is currently employing the Hyperledger blockchain protocol, as a permissioned entity open only to registered and accepted participants. Processing speed is an issue with some blockchain implementations, and Coleman noted that factors of speed, scale and load are still to be worked out.

And then there’s the issue of who is actually managing the PrivacyChain, how the blockchain consensus protocol works and what the rules are for acceptance of new participants.

At this point, a reference implementation and a test bed are available for public comment and testing for six months at portal https://tools.iabtechlab.com, and the open source repository can be found at https://iabtechlab.com/privacychain/code

After testing and comments, Coleman said the next step will be to involve five to seven partners in field testing.

Why this matters to marketers. Even with all the consent management systems, the TCF and various other solutions for consent management, perhaps the biggest issue to any online privacy data solution is data leakage. In other words, users’ consent info and privacy data, once released, could get into the hands of hundreds of vendors in countless ways.

If there was a reliable, economically feasible and trusted system for tracking each and every use and sharing of this data, it would go a long way to solve the problem that is facing marketers interested in targeted ads or personalized content.

The TCF has been criticized as being too advertiser-friendly and not publisher-friendly enough, so a consent tracking solution that is sufficiently secure and trusted by all parties could help to move a more equitable arrangement forward. And, of course, such a solution benefits advertisers and publishers if consumers feel they can trust the brand.

About The Author

Barry Levine

Barry Levine covers marketing technology for Third Door Media. Previously, he covered this space as a Senior Writer for VentureBeat, and he has written about these and other tech subjects for such publications as CMSWire and NewsFactor. He founded and led the web site/unit at PBS station Thirteen/WNET; worked as an online Senior Producer/writer for Viacom; created a successful interactive game, PLAY IT BY EAR: The First CD Game; founded and led an independent film showcase, CENTER SCREEN, based at Harvard and M.I.T.; and served over five years as a consultant to the M.I.T. Media Lab. You can find him at LinkedIn, and on Twitter at xBarryLevine.