Get in touch and let’s talk about GDPR:
John Stoneman is General Manager, Europe for TripleLift – the leading programmatic platform for native advertising. He likes privacy regulations. Honestly.
As we accelerate down this headlong rollercoaster ride towards GDPR compliance day in May of this year the industry is scrambling to achieve the nirvana of compliance. And the screams are getting louder.
Back in December we were all ‘waiting’ for the Article 29 Working Party to provide ‘guidance’ on the acquisition of Consent as a legal basis for data-driven advertising. December came and went and it didn’t feel to me like we had made a lot of progress as an industry even when the guidance was released.
But then came a press release from IAB Europe announcing an industry consent mechanism for meeting the challenges under the GDPR.
On face value it seemed like a Consent silver bullet. The release read: “The technical mechanism is designed to enable websites, advertisers and their ad technology partners to make more robust disclosures, as well as obtain, record and update consumers’ consent for their personal data to be processed in line with the GDPR.
“Moreover, the mechanism enables transmission of user consent choices to the supply chain, increasing accountability in the advertising ecosystem by enabling the creation of consent records and an audit trail.”
So to find out more I had a chat with IAB Europe’s Public Policy Officer Chris Hartsuiker, and their Senior Manager, Privacy & Public Policy Matthias Matthiesen, who told me that the organisation has an ongoing working party focusing on Consent because it is such a significant topic and because: “there is such a difference between what the European Union’s Article 29 Working Party is recommending for Consent and what the IAB Europe believes is acceptable. We needed to present an alternative point of view.”
The second piece is a series of Technical Specifications which focus on how Consent is captured and propagated through the programmatic ecosystem, because if you intend to use Consent you have to make a record of how it was captured – to demonstrate you had it in the first place.
IAB Europe envisions there will be different ways that Consent can be stored and that Publishers will have their own implementations depending on how they want to operate. A publisher may want to obtain Consent purely for their own benefit, or for a Group of Publishers.
If a consumer signs up for Consent on one Publisher, that can’t be transferred to another Publisher unless that was clearly outlined at the time of capture. So a consortium of Publishers can share Consent without it being explicitly obtained for that consortia, and if one Publisher does not like that Consent was NOT obtained through this mechanism, they would need to try and ask again for their own benefit – which may annoy the user.
Where there is conflict between different opt-ins on different Publishers and Groups, then the most specific would be considered the ruling Consent.
In addition, publishers will need to explicitly name EVERY downstream Partner that they intend to work with to the consumer, and their Partners’ Partners – because a founding principle of GDPR is that companies that are unknown to individuals should not have the right to use their personal data without Consent.
It will be an implementation choice of the Publisher whether they want to provide opt-in as a catch-all to all Partners, or as a list of opt-ins to Partners individually. The first does not provide a high level of granularity of user choice so can be considered less privacy-friendly, the second is an enormous list of companies the average user will not have heard of so is not particularly user-friendly.
If you have found that you have read through every word of this article and taken nothing in because of the sheer number of uses of the words Consent, Publisher, Partner and Group, then fear not. Just drop me a note and I will come over to your offices and draw it all out for you on a whiteboard.
Who knew that privacy could be such fun! ;o)