To Be Or Not To Be

As the adoption of the IAB Europe Transparency & Consent Framework gains momentum we are seeing increasing and exciting levels of engagement from the industry.  Our Friday Webinar series on the Framework is attracting over 300 participants each week – sign-up for the next one here.

After each webinar we have received numerous questions about what was covered during the session. They ranged from detailed technical questions about how the Framework works, to queries about the registration process, cookies, consent policy, legal liability, and the user interface.

One of the common questions is the declaration dilemma of processor and controller and the place for each in the Framework.  Our List of registered vendors does not differentiate between controller and processor namely because for different processing activities vendors may be controllers and/or processors in the same transaction, or between different transactions. Being on the list doesn’t make a representation about a company’s legal status as a controller/processor in a given situation under the GDPR. The primary value of the List is for companies, irrespective of their controller or processor status, to provide transparency and obtain consent in accordance with their own assessment of when that is needed.

As a controller under GDPR companies are responsible to ensure that transparency is provided and a legal basis established where personal data is processed, which makes the value of the List apparent for controllers.

However, even if you are a processor who may not need to provide transparency into a legal ground for processing personal data, because you are acting on the instruction of and under the legal basis of a controller, you may still need to obtain consent for information storage or access under the ePrivacy Directive and therefore can leverage the Framework exclusively to that end.

Therefore: If you are a vendor and consider that you are a processor that does not need to provide transparency as a legal ground for processing personal data, but still like to obtain consent for the placement of cookies, then the declaration of one of five purposes the Framework enables “information storage and access” (described as ‘the storage of information, or access to information that is already stored, on your device such as advertising identifiers, device identifiers, cookies, and similar technologies’) would be the minimum you should consider.

With this thought in mind do not delay in signing up to the Global Vendor List here and join the growing number of vendors (over 130 at the last count) that to date have joined the Framework. This will ensure that you can continue to maintain and work closely with the publishers that you support now and in the future.

IAB Tech Lab & IAB Europe Release Pubvendors.Json And Mobile In-App Specifications To Support Transparency & Consent Framework

Available for 30-Day Public Comment, New Specs Will Enable Seamless Communication Among Publishers, Buyers, and Vendors on Approved Interactions and GDPR Settings & Provide Mobile In-App Support

BRUSSELS, BELGIUM & NEW YORK, NY (May 2, 2018) – On the heels of releasing the final technical specifications for the Transparency and Consent Framework last week to address user choice and other aspects of compliance with the notice, transparency, and choice requirements set forth in the GDPR (European General Data Protection Regulation), IAB Tech Lab and IAB Europe are introducing an additional supporting tech spec—pubvendors.json (a publisher’s list of vendors)—and the much awaited mobile in-app support for the Framework is also being released for public comment. Both tech specs build upon initial adoption of the Framework, with over 120 vendors registered on the Global Vendor List.

The pubvendors.json tech spec is intended to:

  • Provide a standard for publishers to publicly declare the vendors that they work with, and their respective data rights/configuration
  • Allow vendors to verify publishers’ GDPR settings and verify/audit Consent Management Provider (CMP) consent strings
  • Establish a standard way for publishers to white-list vendors
  • Enable publishers to limit purposes and features (consistent with the Framework) on a per-vendor basis

Mobile in-app enables app developers to access and honor the Framework’s consent and legitimate interest mechanisms as a supporting standard to assist with GDPR compliance. CMP API endpoints and app developer local storage are specified, which enables the mechanism of collecting and propagating consent, so third-party vendors can operate in respect of users’ and publishers’ choices. App developers continue to have flexibility in defining user experience for exposing purposes and controls, as per the Framework.

“The feedback from publishers since we launched the public consultation on the first version of the specs for the Transparency and Consent Framework included a couple of strong messages,” noted Townsend Feehan, CEO, IAB Europe.  “First, publishers wanted even more control with respect to data processing purposes, notably to be able to authorise different partners to leverage different purposes.  Second, they wanted more control over which legal bases their partners could adduce.  The pubvendors.json solution is a rapid response to accommodate these requirements.”

“These additional tech specs are a direct reflection of our commitment to the flexibility and adaptability of the Transparency and Consent Framework, to ensure that it meets the needs of publishers and other parties in the supply chain,” said Dennis Buchheim, Senior Vice President and General Manager, IAB Tech Lab. “The continued dominance of apps in mobile environments made supporting tech specs on that front particularly vital, and we’re pleased that our working group moved quickly to close that gap.”

After public comment concludes on June 1, 2018, IAB Tech Lab and IAB Europe participants will evaluate and incorporate feedback received and release a final version of each of these specifications. Companies with urgent transparency goals are invited to adopt the pubvendors.json technology as a beta implementation, even before the specifications are finalized.

To review the proposed pubvendors.json technology specification and the mobile in-app specification, please visit here. Technical feedback can be sent to transparencyframework@iabtechlab.com and general feedback can be sent to feedback@advertisingconsent.eu.

IAB Europe And IAB Tech Lab Release Cross-Industry Transparency & Consent Framework For Adoption

Brussels & New York City, April 25, 2018 — IAB Europe and IAB Technology Laboratory today released the market-ready technical specifications for the initial iteration of the Transparency & Consent Framework (“Framework”) following a 30-day public consultation in March and April 2018.

The official release version of the standard reflects extensive feedback from publishers, agencies, and ad tech companies collected during an open consultation period.  As with all standards, it is expected that this standard will be iterated with new features and attributes in the future.

The Framework allows users to have full authority over their data

The Framework is a cross-industry standard that supports online services and their partners in their efforts to provide transparency and choice mechanisms for their users. In accordance with the General Data Protection Regulation (GDPR), users can now be made aware of not only online services’ use of their users’ personal data but also use of that data by third parties’ assisting online services in showing advertisements to their users and measuring the effectiveness of those advertisements. The Framework is particularly relevant for “first parties” (publishers) and other suppliers of online services, who partner with “third parties” (vendors) to enable those third parties to process user data on one of the legal bases laid down by the Regulation (including both legitimate interests and consent, where applicable).

The GDPR will be enforced as from 25 May 2018. Fines for non-compliance with the new regulation could run as high as 4% of companies’ annual global turnover.

IAB Europe and IAB Tech Lab call for immediate and cross-industry support for, involvement in and adoption of the Framework

CEO IAB Europe, Townsend Feehan said: “GDPR will mean European users get more information about, and control over, who is processing their data.  This should give them increased confidence online – that is the challenge and opportunity that the complex new EU law presents.  The Transparency & Consent Framework will sit at the intersection of users, publishers and the third-party partners (vendors) that support the publishers in monetising their content, giving both users and publishers more control and transparency in the new environment.”

How does the Framework operate?

The technology is based on a JavaScript API and enables the surfacing of the selected third parties’ information, the storage of a user’s choices related to those third parties and the passing of information about approved third parties, so that parties in the online advertising ecosystem understand which parties have been approved by publishers and surfaced to and approved (or consented to, where necessary) by their users. A key piece of the Framework is a unique registry known as the Global Vendor List, which is a list of registered and approved third parties (“vendors”) that a publisher may, in connection with the processing of personal data on its digital properties, choose to allow to access information on its users’ devices or process its users’ data for specified purposes. The Framework also facilitates management of signals by Consent Management Providers (CMP) across participating organisations that meet specific and required criteria.

Robert Whelan, Chief Operating Officer at Emerse, a registered vendor said: “Emerse DSP is now enrolled in the Transparency & Consent Framework, an excellent initiative for the digital advertising industry.”

Publishers can take advantage of the Framework in the following ways:

  • Publishers can use the registry to view which of their partners have applied to adhere to the Framework’s policies and for which purposes their partners are using personal data to determine which third parties they choose to work with and include as vendors in their individual user interfaces they decide to make available
  • Publishers can then surface information to their users about which vendor may be allowed to lawfully collect and use the personal data of their users in connection with the sale and measurement of ad space
  • Publishers and vendors can communicate with one another (“signal”) about which vendors may be allowed to access or process the personal data of publishers’ users and for which purposes
  • Publishers and vendors can capture, disclose and maintain an audit trail of a user’s choice about those vendors and their data processing activities

Major European Publishers including Axel Springer and Schibsted Media Group recently endorsed the Framework:

“We believe a standardized industry framework is necessary to not only meet transparency and user choice requirements, but also to maintain a high-quality user experience for our audiences,” said Moritz Holzgraefe, Chief Operating Officer Corporate Digital Platforms at Axel Springer. “Closed or fragmented solutions don’t enable publishers to choose which technology providers they work with and don’t allow advertisers to operate effectively, which is critical to our business and to our users.”

“It is important to us to have a solution that can evolve as other publishers, advertisers, and technology providers work with regulators and end users to iterate over time,” said Ingvild Naess, Group Privacy Officer, Schibsted. “IAB Europe’s Transparency and Consent Framework is designed to be fine-tuned as best practices become clearer in the coming months and years.”

The Framework we’ve developed establishes a way to communicate and user choices about the processing of their data for advertising and other purposes.” said Alice Lincoln, VP – Data Policy & Governance, MediaMath, who chaired the initial IAB Europe Working Group on Consent that led to the creation of the Framework. “In addition, the Frameworkprovides technical measures for publishers that help ensure their audience data is secure. We believe these two accomplishments will help the ecosystem adopt a consumer-first mindset in which data processing practices are in alignment with users’ rightful expectations of both privacy and better advertising experiences.

The updated technical specifications for the GDPR Transparency and Consent Framework can be found HERE.

The specifications include:

  • Consent Management Provider Javascript API spec v1.1
  • Consent String and Global Vendor List format spec v1.1 

An additional draft specification being made available for public comment within the coming week in conjunction with the release includes:

  • publisher-vendors.json spec v.1.0 (draft) 

This additional draft specification will provide more robust support for vendors operating on different legal bases, secondary audit trails, and more granular controls for publishers over approved purposes for each of their approved vendors.

“When GDPR is enforced across Europe, publishers and vendors need not only a solution for today, but one that can evolve based on guidance from the regulatory community, internet users and companies relying on the framework for a standardised, supporting standard,” said Dennis Buchheim, Senior Vice President and General Manager, IAB Tech Lab. “The team at the IAB Tech Lab has taken on technical governance of the Framework to ensure that it meets policy needs, works with other relevant standards (such as OpenRTB), and is flexible enough to continue to evolve and to support future data-privacy-related needs.”

With the GDPR enforcement date fast approaching, publishers and their advertising partners are strongly encouraged to implement the Framework immediately.  For publishers that wish to enlist a third-party CMP, a regularly-updated list of fully operational CMPs is available HERE.

In addition:

  • Information and resources about the Transparency & Consent Framework are available here.
  • Implementation Guidelines for the Transparency & Consent Framwork are available here.
  • List of the current supporters of the Framework is available here.
  • Register as a vendor and/or a CMP here
  • CMP Demos from QuantcastFaktor and Didomi are available here.
  • Register here for this week’s webinar on Friday 27 April at 8am PDT/ 11am EDT/ 4pm BST/ 5pm CEST.

IAB Europe Media Contacts

 

IAB Tech Lab Media Contact

Laura Goldberg – Phone: +1.347.683.1859 – Email: laura.goldberg@iab.com


About IAB Europe

IAB Europe is the leading European-level industry association for the digital advertising ecosystem. Its mission is to promote the development of this innovative sector and ensure its sustainability by shaping the regulatory environment, demonstrating the value digital advertising brings to Europe’s economy, to consumers and to the market, and developing and facilitating the uptake of harmonised business practices that take account of changing user expectations and enable digital brand advertising to scale in Europe.

About IAB Technology Laboratory

The IAB Technology Laboratory (“Tech Lab”) is a non-profit research and development consortium that produces and provides standards, software, and services to drive growth of an effective and sustainable global digital media ecosystem. Comprised of digital publishers and ad technology firms, as well as marketers, agencies, and other companies with interests in the interactive marketing arena, IAB Tech Lab aims to enable brand and media growth via a transparent, safe, effective supply chain, simpler and more consistent measurement, and better advertising experiences for consumers, with a focus on mobile and “TV”/digital video channel enablement. The IAB Tech Lab portfolio includes the DigiTrust real-time standardized identity service designed to improve the digital experience for consumers, publishers, advertisers, and third-party platforms. Board members include AppNexus, ExtremeReach, Google, GroupM, Hearst Digital Media, Integral Ad Science, Index Exchange, LinkedIn, MediaMath, Microsoft, Moat, Pandora, PubMatic, Quantcast, Telaria, The Trade Desk, and Yahoo! Japan. Established in 2014, the IAB Tech Lab is headquartered in New York City with an office in San Francisco and representation in Seattle and London

Transparency & Consent Framework Specification Launches Global As Industry Participation Increases

We are very pleased to announce the release of the technical specifications for IAB Europe’s Transparency & Consent Framework. This exciting cross-industry initiative will be a critical tool in helping publishers, technology vendors, agencies and advertisers meet the transparency and user choice requirements of the EU’s new General Data Protection Regulation (GDPR) which comes into effect on 25th May 2018.

The Framework will ensure that online services give consumers full visibility and control over who is allowed to process their data in connection with advertising, and for what purposes.

The official release version of this open-source standard reflects extensive feedback from publishers, advertisers, and other important stakeholders who all participated in the final working group review of the following technical specifications:

To support the technical specifications, there is a series of implementation guides for publishers, buyers (DSPs and agencies), CMPs and DMPs:

The technical specifications of the Framework will be maintained by an IAB Tech Lab working group. We will be working continuously with them to update the technical specifications to accommodate any changes in policy as well as feedback from the market. We look forward to hearing from you at advertisingconsent.eu.

Sign up now

This release swiftly follows our recent announcement that the registration process is now open for both Vendors and Consent Management Providers (CMPs) to apply for approved status in the context of IAB Europe’s Transparency & Consent Framework. Since the announcement, we are seeing an increasing number of Vendors and CMPs registering and gaining approval. For more information about the Framework, including a link to the registration portal for vendors wishing to participate, visit advertisingconsent.eu.

Join our next Webinar

On Friday 20th April, we had a very successful Webinar with a panel of CMPs demonstrating their consent solution to over 300 participants. You can watch a recording of it here. We will repeat this webinar on Friday 27 April at  8am PDT / 11am EDT / 4pm BST/ 5pm CEST. If you are interested please check advertisingconsent.eu for details or register here.

Vendors And Consent Management Providers Are Invited To Register To Participate In IAB Europe’s Transparency And Consent Framework

The registration process is open for Vendors and Consent Management Providers to apply for approved status in the context of IAB Europe’s Transparency and Consent Framework.

The General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, requires a legal basis for processing the personal data of EU residents. While the GDPR offers six possible legal bases, the two that digital publishers, advertisers and those that support them typically find most relevant include consent or legitimate interest. Crucially, publishers must also provide transparency into the list of vendors or partners they decide to work with that may also process their website visitor’s personal data.

IAB Europe’s Transparency and Consent Framework has been created to offer flexibility in terms of various paths towards complying with the law, and providing a standardised means of communicating signals to different parties in real time.

The member registry of vendors and CMPs (known as the List) will facilitate adherence to the Framework policy, provide transparency into the ways companies intend to comply with GDPR requirements, and centralise participants into one well-known location. Publishers can then use the List registry to view which of their partners are a part of the Framework, and determine which vendors to include in the transparency and consent user interfaces they decide to make available on their sites.

Registration is at register.consensu.org and there are separate pages for vendors and CMPs to complete the required information.

Once companies have submitted their application and received approval by IAB Europe, they need to pay the annual fee. We will then issue vendors with an ID and publish them in the Framework while CMPs will receive an ID and sub-domain and will be listed on advertisingconsent.eu.

You can find all the background information you need in the FAQ and on advertisingconsent.eu. We will also hold an open webinar on Friday, 20 April 17:00 CEST/16:00BST/11:00 EDT/ 08:00 EDT) when our technology and policy experts will be on hand to answer your questions – Register for the webinar: here

Taking Back Control: What’s In It For Publishers

With the public consultation on the first iteration of the Transparency & Consent Framework (the Framework) that closed on April 8, 2018, we are continuing to receive good, actionable feedback from publishers.  A recurrent theme is whether and how the Framework can assist publishers to assert greater control over the delivery of advertising to their sites, and especially of valuable first-party data.  Without getting ahead of ourselves, it seems at least possible that the Framework will provide an opportunity for publishers and ad tech to address a source of tension that has dogged their commercial relationship for over a decade, and reach a more durable modus vivendi.

With the GDPR coming into effect on 25 May 2018, and the current ePrivacy Directive still in force, the regulatory framework alone is already improving publishers’ ability to control which third parties are active on their sites.  The ePrivacy Directive makes consent the primary legal basis for interactions with consumer devices in nearly all EU markets, and the publisher has privileged direct access to the user to obtain that consent.  Consumer information obligations in the GDPR mean that even where the legitimate interest legal basis is used, third parties will rely on publishers to make the necessary disclosures to enable those third parties to process data.  No disclosure, no legal basis.  Publishers and other first parties are the gate-keepers on whom third-party vendors will be completely dependent.

Reinforcing the pivotal position of the publisher

The Framework reflects, and will further reinforce, the pivotal position of the publisher. Publishers will decide what choices are presented to their users – which third parties, processing data for what purpose.  A publisher can ensure that only trusted partners are surfaced, and only for purposes that align to publisher objectives

Where user consent must be obtained, publishers will determine whether users are offered the option of granting global or only service-specific consent to a given vendor to process data for a given purpose.  Publishers also have complete freedom to determine all other aspects of the user interface.  Some publishers will want to build their own consent management platforms. Some will want to hire in a third-party Consent Management Provider.  In either case, the look and feel will be adapted to the requirements and preferences of the publisher.

Publishers are free to unilaterally present additional different purposes in the same UI. However, only the standardised set of purposes can be transmitted through the Framework. As a result, any non-standardised purposes would need to be leveraged and/or transmitted through a means other than the Framework. This flexibility enables publishers, within the same UI, to provide transparency into, and request consent for, purposes in addition to the standardised ones – for example, for their own use, or to work with vendors outside of the online advertising ecosystem.

We’ll have a final wrap on feedback from other key stakeholders next week, as we move toward deployment in mid-April and the opening of the global vendor and CMP registration process.

IAB Europe Transparency & Consent Framework: Announcing The Publication Of The Vendor And Consent Management Provider Registration Guides

Further to our recent release of the GDPR compliance Transparency & Consent Framework for public comment, IAB Europe is pleased to announce that Vendors and Consent Management Providers (CMPs) that would like to register to participate in the IAB Europe Transparency & Consent Framework can now view the relevant guidance documents.

  • See Vendor Registration Guide here
  • See CMP Registration Guide here.

These documents set out the series of questions that need to be completed for registration as either a Vendor or a CMP, and the verification process that will be used to determine if the applicant is eligible.

On completion of this process, Vendors will be assigned a Vendor ID and notified that they will be published in the Global Vendor List (GVL). CMPs will be assigned a CMP ID as well as a delegated sub-domain, and similarly notified and published in the CMP list. The Vendor/CMP web portal where registration can take place is due to go live imminently. If you have not already registered for updates, please register here.

Do you have any questions or feedback on the Transparency & Consent Framework? Email us at feedback@advertisingconsent.eu or join the webinar series. Take a look at the schedule and Register here.

To access more resources about IAB Europe’s GDPR Transparency & Consent Framework, please visit the website www.advertisingconsent.eu

IAB Europe Releases GDPR Transparency & Consent Framework For Public Comment

IAB Europe today released the draft technical specifications for its GDPR Transparency & Consent Framework (“Framework”) for public comment. First announced in November 2017, the Framework is a cross-industry effort to help publishers, technology vendors, agencies and advertisers meet the transparency and user choice requirements (including consent where necessary) of the GDPR before the regulation comes into effect on May 25 this year. The Framework is a non-commercial, open source initiative. The final version is scheduled for release mid-April, after continued consultation with publishers, advertisers, and other important industry participants.

The GDPR covers a broader scope of “personal data” than the existing EU Data Protection Directive, and companies are expecting to be more constrained in how they can access and process such data for advertising purposes. The Framework is available to companies based in Europe and around the world, and is designed to support various channels and formats, including mobile and desktop environments.

The Framework includes technical specifications that will allow companies and consumers to have greater control over, and dynamic insight into, the parties who access and process the personal data of consumers in the EU. The technical specifications will be maintained by an IAB Tech Lab working group going forward, through a collaboration between IAB Europe and IAB Tech Lab that leverages IAB Europe’s policy and legal expertise and IAB Tech Lab’s technical expertise.

IAB Europe has published the draft specifications for public comment and is working to closely collaborate with key industry stakeholders including publishers, advertisers, agencies, and their important trade organisations. Organisations wishing to meet with stakeholders involved in the framework and provide feedback may do so until April 8, 2018.

Vital information for data protection leads within companies

Data protection officers, IT leaders and other interested individuals within publishers, brands, agencies and technology vendors responsible for their organisation’s GDPR compliance can access the specifications here.

General feedback may be submitted in writing to feedback@advertisingconsent.eu, and technical feedback may be submitted to transparencyframework@iabtechlab.com. Those interested have the opportunity to share further feedback and ask questions by participating in upcoming Q&A Webinars that will be scheduled during March 2018. See the webinar schedule and register here.

A Framework to ensure future growth of the global publishing industry

Advertising accounts for 81.5 percent of revenues for digital publishers (Source: IHS Markit). From May 25, publishers looking to provide a customized online experience including tailored advertising can use the Framework to allow data to be collected and processed lawfully by their partners for advertising and other purposes.

Without the Framework consumers will see less relevant online messages from brands, and brands will see less engagement from consumers. The resulting loss in advertising revenue would impact jobs within the publishing and digital advertising industries, and millions more in related sectors.

Commenting on the Framework, Colin Barlow, Global COO, GroupM said: “The GDPR will bring a number of new requirements to all participants in the digital advertising ecosystem. Such change requires a new shared industry standard, and the IAB Europe Framework offers the best solution to achieving this. GroupM has been consulting with IAB Europe and other members to ensure the framework meets our needs, and so that we can align to its requirements.”

For more information and updates on the proposed solution and its supporters, please visit the dedicated website at www.advertisingconsent.eu.

IAB Europe Presents Industry Consent Mechanism For Meeting Challenges Under The GDPR And Calls For Broad Industry Engagement On Further Development And Roll-Out

London, 28 November 2017 – IAB Europe today presented a new technical standard to support the digital advertising ecosystem in meeting requirements relating to user consent under the General Data Protection Regulation (GDPR), which will enter into application in May 2018. The announcement was made at the EDAA Summit 2017 which brought together 200 participants including advertisers, agencies, ad tech, and media in London.

The technical mechanism is designed to enable websites, advertisers and their ad technology partners to make more robust disclosures, as well as obtain, record and update consumers’ consent for their personal data to be processed in line with the GDPR. Moreover, the mechanism enables transmission of user consent choices to the supply chain, increasing accountability in the advertising ecosystem by enabling the creation of consent records and an audit trail.

Key features include:

  •  Works on mobile devices and desktop devices alike.
  •  Enables dynamic disclosure by first parties of third party advertising partners and the purposes for which they collect and process data.
  •  Allows obtaining “global” or “service-specific” affirmative consent, as well as updating consent choices and withdrawing consent.
  •  Enables the transmission of user consent choices to third party advertising partners.
  •  Increases accountability in the advertising ecosystem by enabling the creation of consent records and an audit trail.
  •  Can be deployed before the date of application of the GDPR.

Companies relying on the future mechanism will have to adhere to principles and criteria that will be developed in consultation with brands, agencies, websites, publishers and tech companies. These principles will contribute to greater mutual reassurance and trust between all ecosystem participants.

IAB Europe is inviting broader industry engagement over the coming months with a view to building cross-industry consensus and commitment to the standard, the principles around its use, its implementation, and the governance underpinning the tool.

Commenting on the news, Townsend Feehan, IAB Europe CEO, said:

“Advertising is a critical revenue stream for online services of all shapes and sizes, be they news publishers, mobile apps and other online media. It is an important step that affected players have come together to develop a robust response to the new legislation.”

Companies who wish to stay informed can register their interest at www.advertisingconsent.eu.