IAB Europe unveils its GDPR Transparency & Consent Framework
If you’ve been wondering how the heck consent to targeted advertising in the age of the upcoming General Data Protection Regulation (GDPR) is supposed to work, the Interactive Advertising Bureau (IAB) Europe is out with a proposed solution.
It is releasing today a draft tech specification of its open source GDPR Transparency & Consent Framework for 30 days of public comment. The specs will be maintained by a working group of the IAB Tech Lab in New York, collaborating with IAB Europe.
In a US exclusive to MarTech Today, two IAB representatives gave us some insight into the overall vision.
There are several main objectives, IAB Europe CEO Townsend Feehan told me. First, the framework is intended to create an environment where publishers can tell visitors what data is being collected, how the site and its vendors intend to use it and which vendors are using it.
Second, the site obtains the visitor’s consent — or denial of consent — for these separate items when necessary. And, third, that consent, or lack thereof, is conveyed throughout the ad ecosystem.
Of course, that sounds like the overall intention of GDPR. But how to accomplish that?
Sizmek Chief Privacy Officer Ari Levenfeld, a member of the GDPR Technical Working Group, walked me through the proposed solution.
Let’s say you visit a complying site like CNN/Europe. (Since the degree to which companies in the US are required to comply with GDPR is a somewhat gray area, let’s say it’s an American company clearly serving an EU audience.)
If consent is required of a visitor, you’re served a pop-up or some method to conduct a dialog about what personal data the site is collecting, what entities intend to use it and the specific ways in which it will be used. It asks for your yes or no approval of each component.
Site-specific or web-wide
Let’s say that you click “yes,” CNN/Europe can collect data about your visit, and only Sizmek and AppNexus among the listed vendors can employ that data to serve you ads. (An oversimplified set of consents, but let’s keep it simple for the moment.)
Those consent fields, showing which you approve and which you do not, are stored in a first-party cookie by CNN/Europe on your browser.
The current version does depend on the consent data being stored in cookies. In the future, the solution could be moved to use other consent storage mechanisms like central registries storing user id and their consent information. At that time the implementation will need to be updated to retrieve consent data from the other source.
Now, let’s say you leave the CNN/Europe site, go elsewhere and come back to that site the next day. You’ve already answered the consent questionnaire, as your first-party cookie indicated, so CNN/Europe doesn’t ask again.
Consent can be a site-specific “yes or no” to the particulars, so that it only applies the next time you visit the CNN/Europe site. Or it can be a web-wide “yes or no,” so that you wouldn’t have to repeat your consent choices when you visit other sites.
When you visit the CNN/Europe site the second time, the top of the home page has a space for a banner ad. Operating within milliseconds, the page sends out a bid request to an ad exchange, looking for an ad.
This ad bid request is similar to today’s setup. But the Framework proposes that the bid request contains consent flags about you, the visitor for that page at that moment, that say, in effect: this User 123 is OK with seeing ads targeting her on the basis of her visits to this site, but only for ads delivered by Sizmek or AppNexus. Also in milliseconds, Sizmek and/or AppNexus then deliver an ad targeted at that user, employing only the personal data approved by the user.
An ad-gating system
Essentially, the IAB Europe framework adapts the industry’s ad-targeting system into becoming an ad-gating system. “There is already all kinds of info in the bid request,” Levenfeld said, adding that consent data is just one more type.
That consent data — a signal or flag that goes from the publisher site to the ad exchange — has been given a catchy name by the proposed IAB Framework: a Daisybit.
This Daisybit is a string of data with relevant consent gating information. For most of the ad call and delivery, Levenfeld said, the DaisyBit lives inside the new OpenRTB 3.0 protocol that guides ad bidding and delivery, in a new space designed for consent data.
In addition to consent, this new Framework is also designed to track whether “legitimate interest” — one of the potential ways that brands can collect and use data without consent — is employed. And browser-based user consent records could reside inside third-party cookies as well.
I asked Feehan why the IAB had not released a GDPR framework before, given that the Regulation is set to start in slightly over two months.
She pointed out that it’s a complicated problem with lots of interested parties, and she added that this proposed solution is coming out at the right time.
“It’s a good first shot,” she said. “Not too early, not too late.”