PageFair on IAB consent framework: ‘Violates GDPR’
The anti-ad blocking firm, which recently launched a consent-less advertising initiative, reacts to the IAB’s new proposal for how ad tech should handle user consent.
That framework proposes that websites present visitors with consent options about using their data for specific ad purposes. (A version covering mobile apps is in the works.) A visitor’s consent profile, showing which options have been approved (or not), is then made available to the ad ecosystem when an ad bid request is made from a webpage.
The request for an ad bid contains a new consent indicator called a Daisybit, which contains info on use cases and vendors acceptable to that visitor.
For instance, if you agreed that only AppNexus could serve you ads based on your location, the Daisybit consent profile with that anonymized info is sent along with the webpage’s request for an ad bid.
But at least one publisher-side advocate thinks the IAB proposal won’t work and that it “violates GDPR.”
Johnny Ryan, head of ecosystem for PageFair, told me in January that consent cannot work in a programmatic ad system like the one that exists today, at least not without significant changes. That conversation preceded IAB’s release of this framework, which adds consent gating info to the ad call.
PageFair — best known for its software and research to counter ad blocking — has recently launched its own GDPR-compliant ad service, called Perimeter. It addresses the whole consent issue by avoiding it entirely. Participating publishers and ad tech providers agree to only target ads based on user interest, or on very large user segments.
Everyone who went to a site’s pages on outdoor gear, for instance, might see an ad for new camping equipment. Or everyone who comes in from a Chicago-area IP address, after visiting a site selling Chicago Bulls-branded products, might be targeted as “Chicago Sports Fans.” In both cases — interest targeting or large cohorts — the resulting data cannot be used to identify individuals and is therefore GDPR-compliant.
The IAB proposal, Ryan told me, has one intention: to make the status quo work. But this solution, he added, is “not workable.”
First, he noted that few site visitors will agree to fill out consent forms. His company’s research has indicated that only about 3 percent would take the time to process a consent form and grant or deny consent for the use of their personal data in ad targeting.
Then, Ryan continued, there’s the problem this framework poses for publishers.
“The IAB is trying to put publishers in a position where they try to get people to opt in” for ad targeting when they visit the site, he said. This conflicts with a publisher’s other priorities, including obtaining consent to use data to serve personalized content. It’s unlikely that many visitors will agree to such a blizzard of consent requests.
Next, Ryan said that the IAB approach bundles consent in a way that GDPR specifically prohibits. In other words, he said, GDPR does not allow consent requests for multiple purposes to be grouped together, which Ryan says is how the IAB framework presents the consent options.
And there’s the problem of data leakage.
The Daisybit — which contains your anonymized consent profile — has “enough info to be a unique identifier,” he said, in conjunction with other data or possibly even by itself.
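The identifiability concern can be measured on a constructed population. The following is an added example, not code from the article, PageFair or the IAB; the 5-purpose/40-vendor bit layout, the two default choices and the 3 percent customization rate are assumptions for illustration and do not reflect the real Daisybit encoding.

```python
import math
import random
from collections import Counter

N_PURPOSES = 5   # assumed number of purpose bits (hypothetical layout)
N_VENDORS = 40   # assumed number of vendor bits (hypothetical layout)


def encode(purposes, vendors):
    """Pack purpose and vendor choices into one integer, one bit per choice."""
    bits = 0
    for i, allowed in enumerate(list(purposes) + list(vendors)):
        if allowed:
            bits |= 1 << i
    return bits


def build_population(n_users, customize_rate, seed=1):
    """Constructed sample: most users keep a default, a few choose per vendor."""
    rng = random.Random(seed)
    accept_all = encode([1] * N_PURPOSES, [1] * N_VENDORS)
    reject_all = encode([0] * N_PURPOSES, [0] * N_VENDORS)
    population = []
    for _ in range(n_users):
        if rng.random() < customize_rate:
            purposes = [rng.random() < 0.5 for _ in range(N_PURPOSES)]
            vendors = [rng.random() < 0.5 for _ in range(N_VENDORS)]
            population.append(encode(purposes, vendors))
        else:
            population.append(rng.choice([accept_all, reject_all]))
    return population


def anonymity_report(population):
    """Return (share of users whose bitfield is unique, Shannon entropy in bits)."""
    counts = Counter(population)
    n = len(population)
    unique_users = sum(1 for c in counts.values() if c == 1)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return unique_users / n, entropy


if __name__ == "__main__":
    share, entropy = anonymity_report(build_population(10_000, 0.03))
    print(f"unique bitfields: {share:.1%}, entropy: {entropy:.2f} bits")
```

In this model, users who keep a default blend into a large crowd, while nearly every user who makes individual vendor choices ends up with a bitfield shared by no one else in the sample.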
Part of the way there?
As the IAB envisions things, the Daisybit would be made available to anyone in the ad tech system, but only some can act on it. Ryan finds this problematic because “everyone gets all the [user] information,” even if they aren’t authorized to act on it. The result, he said, is a massive dissemination of user consent info, where a company could receive your consent info even if you opted out of providing it to that company.
I asked Ryan if it is possible to design a programmatic, targeted online advertising system that complies with GDPR.
“Absolutely,” he said. But it would have to deal with the bundled consent problem, the fact that few site visitors are going to spend time filling out consent forms and the release of consent profiles to companies not authorized by that individual.
I suggested that one possible solution could involve a kind of “consent wallet,” where a user gave or withheld the various consents once, perhaps with some incentives so that many users would do so. The IAB framework includes an option for a user to grant “web-wide consent” instead of just site-specific consent, but Ryan thinks that implementation also violates GDPR.
That wallet might live in a browser or a mobile device, could be easily revised by the user and would be automatically read whenever an ad bid request was made. It might have a wrapper, allowing only user-approved vendors to read the contents, thus addressing the data leakage issue.
Among other things, it could flip the targeting model so it becomes more like user-driven search. Instead of collecting and then assessing my profile info to determine if I should be targeted with ads about homes for sale, for instance, I tweak my consent wallet to indicate I’m interested in real estate ads.
Ads wouldn’t target me; I would target them. And it’s possible that the IAB framework, with its consent-carrying Daisybit, is part of the way there.