CMPs must adhere to TCF Policies and UI/UX requirements Last year’s enforcement decision by the CNIL against French mobile ad tech company Vectaury has sent
All vendors that publishers work with when surfacing content to the user, including Sell-Side Platforms (SSPs), Exchanges, Demand Side Platform (DSPs), ad servers and data management platforms, need to be disclosed to the user alongside information on the purpose(s) for which they are collecting and processing data and the legal basis or bases for that collection and processing.
- Adhere to the Framework policy;
- Provide transparency to the user into the ways they intend to comply with GDPR requirements – note a vendor need not necessarily be a data controller;
- Be listed in one well-known location, the Global Vendor & CMP List (List). Publishers can then use the List to view the vendors participating in the Framework, hosted at https://vendorlist.consensu.org/vendorlist.json;
Vendors are assigned a vendor ID when they register on the Global Vendor & CMP List (List), with which they can read and interpret information on the consent status of a user and the consent status of a user in relation to other vendors.
FAQs: GLOBAL VENDORS AND THE FRAMEWORK
- “CMP” – a company operating as a consent management platform, that can read and/or set the user’s consent status for the vendors chosen by a website operator, either publisher specific through a first-party cookie, or global through a third-party cookie. A CMP is not necessarily synonymous with a company that surfaces the user interface to a user, although it can be the same.
- “Purposes” – the purposes for which a vendor enabled by a website operator is using personal data collected from, or received by a third-party, about an end user.
- “List” – Global Vendor & CMP List that contains the approved registration and allocation of vendor IDs and CMP sub-domains for global participation in the Framework.
Yes, publishers maintain complete control over which vendors they wish to work with. Publishers also choose whether to surface disclosures and obtain service-specific or global consent for their vendors.
The List will include all vendors that agree to the following:
- Compliance with Framework policies and technical specifications, such as
- Updating their code so that cookies are not set unless they have received a consent signal from a CMP JS API or in the bid request, or unless they have an applicable legal basis to set a cookie.
- Not processing personal data for a purpose that relies on consent until they have received a consent signal directly from a CMP or in any given online request for that purpose. For example, if a vendor receives a bid request and the bid request reveals that the vendor does not have consent to process the personal data contained in that bid request, it may not process any personal data contained in that bid request unless it has another legal basis for doing so.
Vendors may choose not to pass bid requests containing personal data to other vendors who do not have consent. In the event that a bid request containing personal data is passed to a receiving vendor without consent, the vendor that does not have consent is responsible for only acting upon that data if it has another applicable legal basis for doing so.
Vendor registration details can be viewed at https://register.consensu.org/
- IAB Europe manages and updates the List, consistent with predefined policy.
- When new vendors are added to the List and a publisher chooses to work with them, new disclosures will need to be made to a user and, where necessary, user consent will need to be obtained for those new vendors. They cannot rely on a global consent given to a prior list of vendors.
- Similarly, if a vendor that is already on the List adds a new purpose for which it needs disclosures to be made on its behalf or for which it relies on consent, new disclosures must be made and consent must be obtained for that new purpose.
Register for our weekly webinars, taking place Fridays at 17:00 CEST.
View the upcoming schedule and register:
Notification addressed to Global Vendors and CMPs on 11.01.2019 Please note that CMP ID 1 is not currently assigned to a Consent Management Provider (CMP) participating in the IAB
“I’m a CMP. Am I doing it right?” #1 CMP Registration and CMP IDs – IAB Europe’s new blog series to help CMPs / Part 2
CMPs must register with IAB Europe and use their assigned ID Last week, IAB Europe communicated to Vendors and CMPs registered for participation in the
The registration process is open for vendors and CMPs to apply for approved status in the context of IAB Europe Transparency & Consent Framework.