Minor Update to the Policies of the IAB Europe Transparency & Consent Framework relating to CMPs

IAB Europe has published a minor change affecting the Policies of the IAB Europe Transparency & Consent Framework (“Framework”) on Wednesday, 3 October 2018.

The update exclusively addresses a paragraph under the heading “Working with Vendors” in the “Policies for CMPs”, that could have been understood as requiring CMPs to work exclusively with Vendors who participate in the Framework.

Such an exclusivity paragraph is inconsistent with the “Policies for Interacting with Users”, which stipulate that the UI must prominently distinguish between Framework participants and others and avoid confusing or misleading users about the Framework participation of any of the disclosed parties.

To resolve this inconsistency and address confusion it has caused, IAB Europe deleted the exclusivity language under the heading “Working with Vendors” in the “Policies for CMPs”, and replaced it with the following wording:

“If a CMP works with Vendors who are not registered with the MO, the CMP must make it possible for users to distinguish between Vendors registered with the Framework, and those who are not. CMPs must not mislead others as to the Framework participation of any of the Vendors who are not registered with the MO.”

No other changes have been made to the Policies at this time. The new Policies Version 2018-10-03.2a replace the previous Version 2018-04-25.2.

Amsterdam eWeek & IAB Nederland – The IAB Europe Transparency and Consent Framework TownHall – 8 October

Join the Townhall organised by IAB Nederland on 8 October during the Amsterdam eWeek, a week-long festival shaping the future of digital business, to learn and discuss the IAB Europe Transparency and Consent Framework with industry experts. They will explain how the Framework operates and how it can be implemented.

The panel discussion will include the following speakers: 

  • Matthias Matthiesen – Director Privacy & Public Policy at IAB Europe
  • Tim Geenen – Member of the Board of IAB Netherlands, CEO & Founder at Faktor
  • Jeroen Beeke – Digital Strategy Director at Initiativ
  • Marco Kloots – CEO & Founder at Platform161

Practical information: 

  • Date: 8 October
  • Time: Walk-in 08:30 / Start 09:00-11:00
  • Note: The session will be in English
  • Location: B.Amsterdam

To join this event, buy the tickets here & visit the IAB Nederland website here.

Are you a member of IAB Nederland? Please note: we apply a no-show fee* of € 50 for the costs incurred for free IAB Nederland Members tickets.

No-show fee: if you are unable to attend, cancel your free ticket or send an e-mail to info@iab.nl. Free cancellation is possible up to 24 hours before the event. Less than 24 hours before the event, IAB Nederland will apply a no-show fee of 50 euros.

IAB Europe Webinar – A Complete Overview of the Transparency & Consent Framework – 25 September

Join this webinar to gain insight into the IAB Europe Transparency & Consent Framework.

IAB Europe Panel at DMEXCO: Taking stock – the impact of Europe’s new data protection – 12 September

Join the IAB Europe panel at DMEXCO on 13 September 2018 on Day 2 at 9.45 – 10.15am on the Debate Stage. It will be moderated by Townsend Feehan, CEO, IAB Europe and will discuss the impact of GDPR several months after its enforcement date, as per the description below:
 
Taking stock – the impact of Europe’s new data protection rules four months on
In May 2018, the EU’s long-awaited General Data Protection Regulation became enforceable, following a two-year transition period. The Regulation is supposed to empower consumers, giving them more transparency and control over how their personal data are processed, and to make life easier for European companies, who in theory now have one harmonised set of rules for a market of 450 million users. Four months on, is the vision being realised? Will Europe lead the world in the development of innovative privacy-enhancing technologies, as the GDPR’s supporters have promised? Or will it struggle to cement its Digital Single Market because of contradictions inherent in the Regulation and between the Regulation and the proposed ePrivacy regulation? How has GDPR impacted the bottom line?
In addition to this seminar, IAB Europe will also have a booth at DMEXCO so make sure to schedule a meeting or drop by.

Transparency And Consent Framework Mobile App Spec Ready For Adoption

Today, IAB Tech Lab and IAB Europe released the Transparency and Consent Framework’s Mobile In-app Specifications as a final version ready for widespread industry adoption. No significant changes were made to the specs in the process of finalization. Tech Lab’s GDPR Mobile Subgroup reviewed the specifications and public comments, considering their own implementation strategies in applying the Framework for in-app.

Early adopters of the mobile specs should be sure that their implementation complies with the final mobile in-app specifications and adheres to the Framework policies.

Released for public comment at the same time earlier this quarter, pubvendors.json will also be finalized in the coming weeks. Pubvendors.json provides granular controls to publishers, allowing them to whitelist vendors, addressing publisher liability concerns, and the ability for publishers to express if they support a vendor using Legitimate Interest as a legal basis. For mobile app inventory use of pubvendors.json, please review the Mobile Guidance for Ads.txt out for public comment until July 6th.

The Transparency and Consent Framework has over 350 registered vendors on the Global Vendor List, over 100 registered CMPs (Consent Management Providers), and potentially tens of thousands of publishers. This rapid adoption will be strengthened with the addition of finalized mobile in-app specifications.

General questions on the Framework can be sent to feedback@advertisingconsent.eu, and technical questions can be sent to transparencyframework@iabtechlab.com

To join the Transparency & Consent Framework, register at: http://register.consensu.org/

The Idea That The Transparency & Consent Framework Increases Publisher Liability Is A Red Herring

A recurring theme in the feedback we are getting from the market on the Transparency & Consent Framework (TCF or “the Framework”) is that it increases the degree of legal liability that publishers bear under EU data protection rules, notably by forcing them to assume full liability for actions by third parties that are beyond their control.

In fact, nothing could be further from the truth. The TCF does not create new rules on liability, nor does it alter existing ones. Those rules are regulated by law and by contract, neither of which is affected by the Framework. The GDPR states that controllers are responsible, and therefore liable, for the processing of personal data they control. A controller is also liable for processing done on its behalf by processors under its control, unless the processor acted against the instructions of the controller.

In addition, liability is regulated through other law, such as tort law, and contract law. In many cases companies will contractually stipulate where liability lies – agreeing amongst themselves how to share it out as part of a normal commercial negotiation. Such contracts are typically concluded between publishers and their third-party partners, something that will not change under the GDPR or the TCF.

The Framework allows publishers to provide consumers transparency into the third-party partners they work with, and to obtain and transmit user consent signals to those partners. Indeed, the reason we need these signals is that third parties must comply with the GDPR’s transparency requirements and, where they are leveraging the consent legal basis, must be able to demonstrate that the user has indeed consented. These things are only possible if there is a signal.

For example, if a publisher lets a third party know that it has not provided transparency into on behalf of a third party, and has not obtained consent on behalf of a third party (maybe because the publisher doesn’t work with that third party), and that third party starts processing personal data regardless, the publisher is now able to demonstrate that it has duly informed the third party of all relevant facts allowing blame and liability to be established clearly with the third party that has engaged in unlawful processing despite better knowledge.

If anything, publishers are in a better position implementing the Framework than they were pre-GDPR.  This is because thanks to the audit trail it creates in order to convey information up the delivery chain, the Framework will make it possible to detect what parties were acting without the necessary legal basis, so that liability can be correctly apportioned.