Get in touch and let’s talk about GDPR:
Twitter: @tl_johnstoneman
John Stoneman is General Manager, Europe for TripleLift – the leading programmatic platform for native advertising. He likes privacy regulations. Honestly.
As we accelerate down this headlong rollercoaster ride towards GDPR compliance day in May of this year, the industry is scrambling to achieve the nirvana of compliance. And the screams are getting louder.
Back in December we were all ‘waiting’ for the Article 29 Working Party to provide ‘guidance’ on the acquisition of Consent as a legal basis for data-driven advertising. December came and went and it didn’t feel to me like we had made a lot of progress as an industry even when the guidance was released.
But then came a press release from IAB Europe announcing an industry consent mechanism for meeting the challenges under the GDPR.
On face value it seemed like a Consent silver bullet. The release read: “The technical mechanism is designed to enable websites, advertisers and their ad technology partners to make more robust disclosures, as well as obtain, record and update consumers’ consent for their personal data to be processed in line with the GDPR.
“Moreover, the mechanism enables transmission of user consent choices to the supply chain, increasing accountability in the advertising ecosystem by enabling the creation of consent records and an audit trail.”
So to find out more I had a chat with IAB Europe’s Public Policy Officer Chris Hartsuiker, and their Senior Manager, Privacy & Public Policy Matthias Matthiesen, who told me that the organisation has an ongoing working party focusing on Consent because it is such a significant topic and because: “there is such a difference between what the European Union’s Article 29 Working Party is recommending for Consent and what the IAB Europe believes is acceptable. We needed to present an alternative point of view.”
The IAB are creating a set of standards and mechanisms which will provide an informed way for people to implement Consent solutions. The first of these is a Global Vendor List, which will hold details such as Name, Address, Description of Services and a link to the Privacy Policy of ecosystem players, and which will be held in a central repository where vendors can keep their information up to date – to provide transparency to the world.
The second piece is a series of Technical Specifications which focus on how Consent is captured and propagated through the programmatic ecosystem, because if you intend to use Consent you have to make a record of how it was captured – to demonstrate you had it in the first place.
IAB Europe envisions there will be different ways that Consent can be stored and that Publishers will have their own implementations depending on how they want to operate. A publisher may want to obtain Consent purely for their own benefit, or for a Group of Publishers.
If a consumer signs up for Consent on one Publisher, that can’t be transferred to another Publisher unless that was clearly outlined at the time of capture. So a consortium of Publishers can share Consent without it being explicitly obtained for that consortium, and if one Publisher does not like that Consent was NOT obtained through this mechanism, they would need to try and ask again for their own benefit – which may annoy the user.
Where there is conflict between different opt-ins on different Publishers and Groups, then the most specific would be considered the ruling Consent.
In addition, publishers will need to explicitly name EVERY downstream Partner that they intend to work with to the consumer, and their Partners’ Partners – because a founding principle of GDPR is that companies that are unknown to individuals should not have the right to use their personal data without Consent.
It will be an implementation choice of the Publisher whether they want to provide opt-in as a catch-all to all Partners, or as a list of opt-ins to Partners individually. The first does not provide a high level of granularity of user choice, so can be considered less privacy-friendly; the second is an enormous list of companies the average user will not have heard of, so is not particularly user-friendly.
The technical specifications that IAB Europe will be providing will be open source, and they are currently finalising the open software licensing with the intention of publishing at the end of January. The specifications will cover the storage format and JavaScript APIs for Publishers. The propagation of Consent through the ecosystem will be based around an extension to the OpenRTB spec, plus the reference implementation portal will be built and opened for entrants.
If you have found that you have read through every word of this article and taken nothing in because of the sheer number of uses of the words Consent, Publisher, Partner and Group, then fear not. Just drop me a note and I will come over to your offices and draw it all out for you on a whiteboard.
Who knew that privacy could be such fun! ;o)