Legitimate Interest And Consent – Can Both Legal States Be Declared In The Framework?

In our last blog ‘To be or not be’ we presented the duality of the ‘processor’ and ‘controller’ and how the Global Vendor & CMP List (List) could best serve them. Concluding that the primary value of the List is for companies, irrespective of their controller or processor status, to provide transparency into a legal ground for processing personal data and obtain consent in accordance with their own assessment of when that is needed.

This brings us to a second important state of duality that the Framework is tackling – the declaration of the two allowable legal states, under GDPR, of consent and legitimate interest against a purpose.

Participation in the Framework requires that the consent manager provider (CMP) or publisher acting as a CMP must disclose every vendor they wish to work with alongside the purpose and the legal basis of their data processing – they must not signal that consent has been obtained for a vendor and purpose that has not been disclosed to the user. This is not optional but a hard requirement under the policies as well as the law. Publishers who refuse to make disclosures on behalf of a vendor will not be able to work with that vendor under the Framework.

Currently the Framework also supports the disclosure of legitimate interest as a legal basis by a vendor who processes data toward a specific purpose. The publisher or CMP must not attempt to obtain consent for that vendor and purpose combination or make it appear as though a vendor is operating on the basis of consent for that purpose.

When a vendor declares consent as their legal basis against a purpose the publisher or CMP must provide transparency and obtain consent on behalf of the vendor. Therefore, when consent is the legal basis a publisher must pass information about consent (or the lack thereof) to its vendors.

When a vendor declares legitimate interest as their legal basis, it only needs the publisher to provide transparency. Since legitimate interests are claimed, rather than given, no signal about the existence of the legitimate interest is necessary.

BUT currently it is not possible for a publisher or CMP to pass onto a vendor, information that they have provided transparency to the end user that legitimate interest and vendor and purpose is the claimed state for personal data processing. They can only pass to the vendor that they have requested and obtained consent. The only way for a vendor to know that transparency has been provided is when receiving a positive consent signal. If no consent is ‘signalled’ this means that consent has not been given – in the dual world of legitimate interest and consent this could mean that the publisher or CMP have either disclosed a legitimate interest, attempted but failed to obtain consent, or chosen not to work with a vendor. The vendor has no way of knowing which of these cases is causing this transmission and would therefore be conflicted by the signal. However, since under the ePrivacy Directive consent is generally required for storing and/or accessing information on a device, Vendors can rely on their consent status for ePrivacy Directive purposes to infer the remainder of their disclosure status.

However, in future the recently announced Pubvendors.JSON extension to the Framework, which is currently subject to public consultation will address this information transmission conflict by giving publishers a mechanism by which they can inform vendors of the disclosures they have provided on their behalf. As a result, Pubvendors.JSON will allow vendors to declare consent or legitimate interest against purposes provided that they adhere to the Pubvendors.JSON implementation.

Public comment concludes on June 1, 2018. IAB Tech Lab and IAB Europe participants will evaluate and incorporate feedback received and release a final version of each of these specifications. If the dual challenge of legitimate interest and consent resonates with your company then you can adopt the pubvendors.json technology as a beta implementation now, even before the specifications are finalized.

We welcome your feedback  – technical feedback can be sent to transparencyframework@iabtechlab.com and general feedback can be sent to feedback@advertisingconsent.eu.

We look forward to hearing from you.

To Be Or Not To Be

As the adoption of the IAB Europe Transparency & Consent Framework gains momentum we are seeing increasing and exciting levels of engagement from the industry.  Our Friday Webinar series on the Framework is attracting over 300 participants each week – sign-up for the next one here.

After each webinar we have received numerous questions about what was covered during the session. They ranged from detailed technical questions about how the Framework works, to queries about the registration process, cookies, consent policy, legal liability, and the user interface.

One of the common questions is the declaration dilemma of processor and controller and the place for each in the Framework.  Our List of registered vendors does not differentiate between controller and processor namely because for different processing activities vendors may be controllers and/or processors in the same transaction, or between different transactions. Being on the list doesn’t make a representation about a company’s legal status as a controller/processor in a given situation under the GDPR. The primary value of the List is for companies, irrespective of their controller or processor status, to provide transparency and obtain consent in accordance with their own assessment of when that is needed.

As a controller under GDPR companies are responsible to ensure that transparency is provided and a legal basis established where personal data is processed, which makes the value of the List apparent for controllers.

However, even if you are a processor who may not need to provide transparency into a legal ground for processing personal data, because you are acting on the instruction of and under the legal basis of a controller, you may still need to obtain consent for information storage or access under the ePrivacy Directive and therefore can leverage the Framework exclusively to that end.

Therefore: If you are a vendor and consider that you are a processor that does not need to provide transparency as a legal ground for processing personal data, but still like to obtain consent for the placement of cookies, then the declaration of one of five purposes the Framework enables “information storage and access” (described as ‘the storage of information, or access to information that is already stored, on your device such as advertising identifiers, device identifiers, cookies, and similar technologies’) would be the minimum you should consider.

With this thought in mind do not delay in signing up to the Global Vendor List here and join the growing number of vendors (over 130 at the last count) that to date have joined the Framework. This will ensure that you can continue to maintain and work closely with the publishers that you support now and in the future.

IAB Europe Transparency & Consent Framework: Announcing The Publication Of The Vendor And Consent Management Provider Registration Guides

Further to our recent release of the GDPR compliance Transparency & Consent Framework for public comment, IAB Europe is pleased to announce that Vendors and Consent Management Providers (CMPs) that would like to register to participate in the IAB Europe Transparency & Consent Framework can now view the relevant guidance documents.

  • See Vendor Registration Guide here
  • See CMP Registration Guide here.

These documents set out the series of questions that need to be completed for registration as either a Vendor or a CMP, and the verification process that will be used to determine if the applicant is eligible.

On completion of this process, Vendors will be assigned a Vendor ID and notified that they will be published in the Global Vendor List (GVL). CMPs will be assigned a CMP ID as well as a delegated sub-domain, and similarly notified and published in the CMP list. The Vendor/CMP web portal where registration can take place is due to go live imminently. If you have not already registered for updates, please register here.

Do you have any questions or feedback on the Transparency & Consent Framework? Email us at feedback@advertisingconsent.eu or join the webinar series. Take a look at the schedule and Register here.

To access more resources about IAB Europe’s GDPR Transparency & Consent Framework, please visit the website www.advertisingconsent.eu