The IAB Transparency and Consent Framework for GDPR and ePrivacy

IAB Europe has released the draft technical specifications of its IAB Transparency and Consent Framework. The online media and advertising ecosystem can check it out and submit feedback. An overview.

End 2017 IAB Europe announced a cross-industry initiative to tackle the challenges of the General Data Protection Regulation (GDPR) from an online publishing and online advertising perspective, essentially what the IAB is all about.

The GDPR will bring a number of new requirements to all participants in the digital advertising ecosystem. Such change requires a new shared industry standard, and the IAB Europe Framework offers the best solution to achieving this. GroupM has been consulting with IAB Europe and other members to ensure the framework meets our needs, and so that we can align to its requirements (Colin Barlow, Global COO, GroupM)

With a broader interpretation of personal data under the GDPR, more and stronger data subject rights, transparency being one of the main data processing principles and stricter rules regarding consent under GDPR, IAB Europe invited several players and stakeholders in the online advertising industry, both from the demand and the supply side of the online advertising ecosystem to help the industry in dealing with these and other GDPR-related challenges.

A key task of one of the working groups in the resulting, broader GDPR Implementation Working Group (GIG) was to provide guidance on consent as a legal basis for lawful processing. Another working group, which was created as a consequence of that consent-related work, was tasked to come up with a standard solution which could be used by players in the online advertising group in case consent is the legal basis: the IAB Transparency and Consent Framework.

Citing research, conducted by IHS Markit on behalf of IAB Europe and EDAA (“The economic contribution of online advertising in Europe”), which among others indicates that digital advertising accounts for 37.2 percent of all advertising revenue in Europe and that advertising represents 81.5 percent of revenues for digital publishers, IAB Europe announced draft technical specifications for its GDPR Transparency and Consent Framework as an outcome of all the above on March 8, 2018.

IAB GDPR transparency and consent framework ePrivacy

The draft technical specifications of the IAB ePrivacy and GDPR Transparency and Consent Framework

The online advertising and publishing association, which has the ePrivacy Regulation to deal with too (and has been active in lobbying against many of its elements which are seen as disastrous for the industry as publisher associations recently once again reminded in open letters) invites data protection officers, IT leaders and anyone involved and interested within the online media industry (from media and advertising agencies and technology vendors to brands and online publishers) to check out the specifications.

The Framework includes technical specifications that will allow companies and consumers to have greater control over, and dynamic insight into, the parties who access and process the personal data of consumers in the EU

We of course don’t mention the ePrivacy Regulation just like that: IAB Europe, the GDPR Implementation Working Group and the other working groups obviously haven’t just looked at GDPR but also at ePrivacy, now still the ePrivacy Directive in their Transparency and Consent Framework scope.

Since the technical specifications for the GDPR Transparency & Consent Framework are drafts feedback is requested. The draft specifications of the GDPR Transparency and Consent Framework are open for public comment and organizations can provide feedback until April 8, 2018. The IAB Europe also has a further series of webinars planned until April 13, 2018 (each Friday), especially around feedback.

AdTech data flows from the sell side perspective for illustration purposes - source IAB Europe Transparency and Consent Framework presentation - dowload all slides in PDF here
AdTech data flows from the sell side perspective for illustration purposes – source IAB Europe Transparency and Consent Framework presentation – download all slides in PDF here

Cookie and Vendor List Format and Consent Manager Provider JavaScript API

The draft specifications of the IAB Europe Transparency and Consent Framework which is designed to “help publishers, advertisers and technology companies comply with key elements of GDPR” consists of two documents on GitHub for now.

The mission of IAB Europe’s GDPR Transparency & Consent Framework is to help all parties in the digital advertising chain ensure that they comply with the EU’s GDPR when processing personal data or accessing non-personal or personal data on user devices (IAB)

Going forward these specifications will be maintained by an IAB Tech Lab.

  1. The first document (Cookie and Vendor List Format – draft for public comment v1.0a) as the name indicates covers the specifications regarding how consent information is stored as a third-party cookie, what information is stored, what is not supported in the cookie and the vendor list JSON as you can read in the Cookie and Vendor List Format draft in GitHub.
  2. The second document in the IAB Transparency and Consent Framework covers the Consent Manager Provider JavaScript API or CMP JS API. Being in its version 1.0 at the time of the announcement of the availability of the draft technical specifications of the Transparency & Consent Framework, the CMP API specifies the minimum-necessary functionality the Consent Manager Provider needs to provide “vendor” consent info as you can read in the Consent Management Provider JS API draft in Github (the “vendor”,  is not necessarily a data controller).

Further information and feeback regarding the IAB Transparency and Consent Framework

On top of checking out the documents (and most probably updates and more) in the IAB Europe Transparency and Consent Framework GitHub repository, you can register for one of the mentioned webinars in the “Transparency and Consent Framework Feedback Webinar Series” and read more on the purpose, next steps and announcement in IAB Europe’s blog post on the release.

GDPR reaffirms the importance of a social contract between publishers and consumers (AppNexus)

The announcement of the draft technical specifications further states that without the IAB Transparency and Consent Framework “consumers will see less relevant online messages from brands, and brands will see less engagement from consumers” with losses in advertising revenue and in jobs within the online media and advertising ecosystem in the broadest sense as a result.

Also check out the Vimeo video from AppNexus, which played a key role in the project and “strongly supports the Transparency and Consent Framework”, encouraging its clients and partners to adopt it asap as the company explains in a blog post on the “what and why”.

Quoting from the AppNexus post (the video covers the ‘what, why’ too but also explains the ‘how’ very well): “the IAB Europe framework is essential to preserving the social contract that publishers have with consumers: they produce world-class content in return for the limited ability to serve advertisements in a targeted but privacy-safe and transparent fashion”.

The IAB invites stakeholders to submit general feedback to feedback@advertisingconsent.eu and technical feedback to transparencyframework@iabtechlab.com.

Last but not least there are also slides (where the above illustration comes from), which you can download in PDF here.

Top image: Shutterstock – Copyright: Rawpixel.com – All other images, sources and the IAB Europe logo are property and courtesy of the IAB and partners in the Transparency and Consent Framework initiative.