On September 25th, we held a 2.5-hour webinar providing a Complete Overview of the IAB Europe Transparency and Consent Framework. As it is usually the case, we had many interested attendees who were keen on learning more. While we usually do our best to make these as interactive as possible, we were simply overwhelmed with questions and had to skip over quite a few to be able to remain on schedule. For this reason, we have decided to answer the questions in a series of blogs. This is the first blog in the series, where we deal with the ‘big picture topics’ surrounding our Framework. The next blogs in the series will delve into the technical questions, and to conclude we will answer policy-related questions about the Framework.
Some of these questions have been edited for clarity, or we have answered to topics which were asked about several times
Please provide definitions for some of the acronyms and terms used:
TCF: Acronym for the Transparency & Consent Framework.
EDAA: The European Interactive Digital Advertising Association. This organisation adheres the self-regulatory framework for online behavioural advertising (‘the OBA Framework’).
OBA: Online Behavioural Advertising. The practice of making use of data about user behaviour online to determine more relevant advertising. The EDAA’s OBA Framework is a tool that allows users to get information about this practice and to opt-out of receiving this targeted form of advertising but does not equate to an objection to data processing as provided for under the GDPR’s data subject rights.
Daisybit: This is the information containing information about consent that is given (or not given) for the various purposes standardised by the Framework as well as for different vendors. The information is compressed into a ‘bit-string’ which is daisy-chained through the online advertising supply chain, hence the name ‘daisybit’.
SSP: Supply-Side Platform. Also referred to as the ‘sell-side’, these are platforms that facilitate the sale of ad space.
DSP: Demand-Side Platform. Also referred to as the ‘buy-side’, these platforms help brands and agencies buy ad space.
Publishers: A publisher in the context of our Framework is any consumer-facing website or application, also referred to as the ‘first-party’. It does not refer exclusively to news publishers.
On Google integration with the IAB Europe Transparency & Consent Framework:
Google has stated during the webinar that it plans to interoperate with the Framework once the current work on updating the Purposes, Policies, and introducing Pubvendors.json is complete. This is so that they avoid integrating with the current Policies and Purposes only to have to transition to the revised ones almost immediately. Our expectation is that Google will make an announcement over the next 3-4 weeks and will actually be implementing the TCF as from January 2019.
IAB is supporting the Transparency and Consent Framework as well as OBA Framework (EDAA). How do these two initiatives talk to each other? Does the first make the later redundant?
The EDAA’s OBA Framework does not help companies achieve compliance with EU data protection law. It is a self-regulatory framework providing so-called “enhanced notice” through an icon and allowing users to “opt-out” of behavioural targeting. Neither the transparency provided through “enhanced notice” nor the “opt-out” meet the relevant requirements under European data protection law.
The IAB Europe Transparency & Consent Framework (TCF) is a Framework designed and intended to help companies comply with obligations arising from EU data protection law, such as transparency, lawful processing, and accountability. Using the TCF, first-parties can enable third-parties to process user data on one of the legal bases of the regulation. The Framework standardises the presentation to users’ third-party data processing requests that require “informed” consent for data processing. The Framework enables “signaling” of user choice across the advertising supply chain. It is open-source, not-for-profit with consensus-based industry governance led by IAB Europe with significant support from industry parties and the IAB Tech Lab, which provides technical management of the open-source specifications and version control.
The two Frameworks are entirely separate and do not interoperate.
On meetings with Data Protection Authorities:
We have been meeting with European data protection authorities to present the IAB Europe Transparency & Consent Framework and to engage in an open-ended conversation to aid in our joint goal of helping companies in the online media and advertising business to comply with European data protection law. Our meetings with the DPAs are private, meaning that we will not be sharing any specific responses or feedback publicly. We hold meetings with those DPAs where we have established contact and who show an interest in meeting with us. It is therefore possible we have not met with DPAs in your jurisdiction – to date we have met with five different DPAs in Europe.
Does the IAB Europe Framework align or reference to some of the key requirements as detailed in the WFA manifesto earlier this year?
While the IAB Europe Transparency and Consent Framework does not make any direct reference to the requirements of the World Federation of Advertisers’ (WFA) Manifesto for Online Data Transparency, we believe that the TCF is a critical tool in achieving the manifesto’s view that a sustainable digital advertising ecosystem requires the engagement and commitment of all stakeholders to practices that put consumers’ needs first, providing transparency, control, and accountability.
I am a vendor that’s included in the Framework. Could you clarify – how is the framework supposed to benefit me as a vendor?
The Framework allows Vendors to be disclosed to users, establish a lawful basis for processing, and receive a signal that allows it to verify that transparency and/or consent have been established. It is unlikely that in absence of a technical framework Vendors would be able to reliable comply with the law.