On 30 October, the French data protection authority (CNIL) published a notice declaring that French start-up company VECTAURY failed to meet conditions for valid consent
The Framework gives full control to website operators and publishers over which third-party companies they work with, which third-parties they disclose to their users and for what purpose they obtain consent. It enables the transmission of consent signals for data processing to the third-parties that they are working with and for this to be transmitted across the advertising supply chain.
The Framework enables website operators & publishers to:
- Select and control third-party vendors they want to work with;
- Provide users with transparency into third-party vendors selected by them and the purposes for which they process data;
- Request and obtain informed consent to process data, or establishing other legal bases to process data;
- Transparently pass information relating to user choices to the ecosystem;
- Act as a CMP, in which case they would need to register as a CMP in the Framework;
- Support the use of data for measuring campaign effectiveness and the use of contextual advertising that requires access to users’ devices.
The Framework is not only relevant for publishers who make advertising inventory available directly but also programmatically, which often requires the use of personal data to deliver higher CPM tailored advertising.
FAQs: WEBSITE OPERATORS / PUBLISHERS AND THE FRAMEWORK
- “CMP” – a company operating as a consent management platform, that can read and/or set the user’s consent status for the vendors chosen by a website operator, either publisher specific through a first-party cookie, or global through a third-party cookie. A CMP is not necessarily synonymous with a company that surfaces the user interface to a user, although it can be the same.
- “Purposes” – the purposes for which a vendor enabled by a website operator is using personal data collected from, or received by a third-party, about an end user.
- “Vendor” – a third-party that a service operator is using in connection with surfacing content to its end users that either (1) access an end user’s device or browser for setting cookies, etc., or (2) collects personal data based on the actions of the service operator’s end users. A vendor need not be a controller.
- “List” – Global Vendor & CMP List that contains the approved registration and allocation of vendor IDs and CMP sub-domains for global participation in the Framework.
Server-specific disclosures and consent take priority over global consent. If a user makes a global consent choice first, and then later makes a service-specific choice, the service-specific choice will determine a user’s consent status for that service.
Yes, a CMP is essentially just a mechanic for making sure that disclosures are made about a website operator / publisher’s approved vendors are made and that the consent signal is generated and transmitted in a standardised way, rather than writing and agreeing new protocols for each publisher/vendor relationship. A publisher may choose to act as a CMP or to use a commercial provider to implement the function on their behalf.
Website operators and publishers have full control over which vendors they wish to work with. We are proposing that publishers only work with vendors on the List. The List will be vetted and all vendors will be required to strictly follow policies and procedures in order to participate. Vendors will need to register on the List in order to use the Framework. Vendors rather than publishers will be responsible for complying. Publishers control which vendors they want to use from the List. Publishers may choose to work with vendors who are not on the List, but they will not be presented as part of the Framework.
The List includes standardised definitions of processing purposes and, when registering, vendors are required to select the purposes for which they wish to collect and process personal data. One vendor may be collecting and processing personal data in a manner that they believe requires consent while another may be collecting and processing personal data in a manner that does not require consent. The List currently enables vendors to declare against five purposes.
Website operators and publishers decide how a request for consent is presented to consumers. We have some minimum policies related to vendor disclosures to ensure that the manner in which preferred vendors are disclosed to a publisher’s users meets legal requirements, and to ensure the signals a publisher sends about vendors consent status are clear.
This is an open source industry solution and will be maintained as such by the industry. Website operators and publishers are not required to pay to use the Framework. CMPs are required to pay to use the Framework, as well as publishers operating as a CMP, as each needs to be assigned an ID and a delegated sub-domain. The payment supports the administration of operating the CMP list. IAB Europe will charge a fee of EUR 350 per year.
Register for our weekly webinars, taking place Fridays at 17:00 CEST.
View the upcoming schedule and register:
IAB Europe Press Release: Global Network of IABs holds annual meetings as industry GDPR compliance standard reaches new milestones
Brussels, London, 8 November 2018— The global community of national IABs, the digital advertising industry’s leading industry association network, kicks off two days of meetings
Blog Series: What you always wanted to know about the Transparency & Consent Framework (TCF) / Part 3
On September 25th, we held a 2.5-hour long webinar providing a Complete Overview of the IAB Europe Transparency and Consent Framework. As is usually the case,
The registration process is open for vendors and CMPs to apply for approved status in the context of IAB Europe Transparency & Consent Framework.