Since the EU General Data Protection Regulation (GDPR) went into effect May 25, 2018, any company with a website visited by anyone from the E.U. must comply with the regulation or face heavy fines. To comply, companies must obtain consent when collecting personal data from visitors. The IAB GDPR Transparency and Consent Framework is the Interactive Advertising Bureau’s solution to help publishers tell visitors what data is being collected, and how they and their vendors plan to use it—and which vendors are using it.
GDPR basically redefines what we’re talking about when we talk about collecting and processing personal data, including IP addresses, device IDs, location data, and even cookies. This completely changes the way the advertising ecosystem collects, manages and uses data in that companies now have to provide evidence that consent was given from visitors to access and process the information that is used when providing recommendation and personalization services, as well as behavioral targeting, retargeting and any other form of targeting.
To help the ad ops community make an easier transition into GDPR compliance, IAB Europe and IAB Tech Lab came up with the GDPR Transparency and Consent Framework so that publishers, digital advertisers, and ad tech companies can more easily comply with the privacy policy. As well as providing users with information about how their data will be used and who will use it, the Framework helps to obtain consent or denial for each item and then communicates that choice throughout the entire ad ecosystem.
How Does the IAB Consent Framework Actually Work?
In a nutshell, the IAB’s Framework, developed as a non-commercial, open-source initiative, standardizes the process of obtaining user consent and then relays the information down the advertising supply chain.
The IAB maintains and provides something akin to a whitelist of registered vendors on the Global Vendor List (GVL), as well as a list of registered Consent Management Providers, that the publisher can choose to partner with. Once partners are chosen, a first-time site visitor will receive a popup or some other form of communication through the site that reveals what data is being collected, how that data is being used and who is using it—and then ask for consent for each purpose and each vendor. Once consent is given, the consent is stored as first-party cookies and a vendor on the list can then serve ads to that user.
If everything works as expected, a bid request will contain consent flags about the user with targeted ads only using the data that the user consented to. Consent can be specific to that one publisher or across the web so that users don’t have to provide consent multiple times. The Framework will also be supported in OpenRTB transactions, which is widely used across the industry. And as of June 2018, there are also mobile in-app specifications for the Framework for mobile app providers.
A step in the right direction toward compliance, the IAB Consent Framework provides an industry-wide standard that makes the process of GDPR compliance a lot easier for publishers and their ad tech vendors. For users, it enables them to show legit interest in interacting with advertising that has been targeted to them either based on location, demographic or any other variable.