On September 25th, we held a 2.5-hour long webinar providing a Complete Overview of the IAB Europe Transparency and Consent Framework. As is usually the case, we had many interested attendees who were keen on learning more. While we usually do our best to make these as interactive as possible, we were simply overwhelmed with questions and had to skip over quite a few to be able to remain on schedule. For this reason, we have decided to answer the questions in a series of blogs. This is the fifth and final blog in the series, covering some final policy questions.
Is there a standardisation of data subject rights and how to handle them, i.e. the Right of Access, portability, rectification, restriction of processing, withdrawal and erasure?
Currently we are not aware of any initiative to standardise these data subject rights, nor has IAB Europe undertaken such an initiative. While it would be helpful, it is difficult to standardise this process across various different company types which use different technologies to offer their services.
Earlier this year, we have drafted a guidance paper together with members of our GDPR Implementation Working Group on the topic, providing guidance about whether to respond and how to respond to these requests. This working paper can be found on IAB Europe’s website here: https://www.iabeurope.eu/policy/iab-europe-gig-working-paper-on-data-subject-requests/.
“Do we expect tech partners to turn off/remove all inventory that doesn’t gather consent using the Transparency & Consent Framework? A huge amount of inventory still available does not adhere to this framework. Right now, we get users who have consented, users who haven’t, and everyone else (who haven’t given consent as per the definition of the GDPR).”
The Framework is an ecosystem of parties which have all agreed to the same Terms and Conditions, as well as the same Policies. They make use of the same technical infrastructure to communicate consent (or other legal bases) to each other.
With that said, it is not mandatory to use the Framework; companies are free to make their own decisions on how they implement their requirements under the GDPR, and how they communicate with their tech partners. It is not a requirement for vendors to stop working with any partners who are not using the Transparency & Consent Framework.
However, to protect the integrity of the Transparency & Consent Framework’s Global Vendor List (GVL), it is a requirement that vendors surfaced in a consent interface who aren’t part of the GVL are made clearly distinct from GVL-registered vendors. Consent cannot be communicated to non-registered vendors through the Transparency & Consent Framework as they would not appear as a slot in the consent string.
Are the “revised purposes” simply updates to the text of the existing purposes or are there also new purposes being added?
The revision of the standardized purposes has the goal of simplifying the language for users, while allowing more specificity in specific business models. In answer to the question, this means that the current purposes are being expanded into more specific purposes. The current five purposes were more general and all-encompassing, whereas the new purposes will look to break down into more specific descriptions of processing activities.
The intention is that this will make it clearer to users what is happening to their data, whilst also allowing companies to more specifically elucidate the type of processing they undergo.
Will CMP’s and Vendors need to re-register when the new specs are rolled out, to demonstrate conformity?
Vendors and CMPs who are registered on the Global Vendor List will be notified directly of any technical and policy updates to the Framework but will not need to complete registration again if they are already registered.
“I understand the TCF is also open for Advertisers, who also collect data. Can you change the reference of “publishers” into “Website/app owners” to make that clear?”
The terminology of ‘publishers’ was chosen to reflect that publishers are the user-facing actors in the online advertising ecosystem. Advertisers who are collecting data would either do so on a landing page, in which they would be acting as a publisher, or as a third party on another publisher’s site, in which they would be considered a third-party vendor.
The Transparency & Consent Framework’s policies also provides the following definition:
“Publisher” means an operator of a website, app, or other content where digital ads are displayed or information is collected and/or used for digital advertising, and who is primarily responsible for ensuring the Framework UI is presented to users and that legal bases, including consent, are established with respect to Vendors that may process personal data based on users’ visits to the Publisher’s content.”