How The IAB And Ad Tech Plan To Transmit GDPR Consent In Programmatic

The IAB Tech Lab is tackling the thorny problem of transmitting consent under the European Union’s General Data Protection Regulation.

On Friday, the Tech Lab debuted an openRTB feature to convey user consent through the digital supply chain and unveiled plans to launch a GDPR Technical Working Group tasked with helping programmatic advertisers deal with GDPR and the coming ePrivacy regulation.

GDPR presents a challenge to advertising technology companies “which must be overcome in order to produce a clear and compelling value proposition,” said MediaMath CTO Wilfried Schobeiri.

The problem for advertisers and their vendors is that under GDPR user consent is required in order to apply personal data to media. Users also need to clearly opt in before they can be targeted with ads, retargeted messages or email marketing.

But complexity in the programmatic universe makes that a difficult task, Schobeiri said.

The new IAB openRTB protocol introduces a bidstream data field that indicates if an individual is an EU data subject and whether the person has consented to see targeted ads, as well as what data is available as part of that consent, including age, gender, location and other information the EU considers sensitive.

The publisher supplies the consent and audience data to inform a buyer’s decision.

But this isn’t a magical checkbox for consent, said Oath CTO of global supply platforms Jim Butler, a co-chair of the Tech Lab’s openRTB working group since 2011.

The new consent data embedded in programmatic inventory won’t be authoritative. Rather, it’s a way for publishers to signal to bidders that data can be applied for targeting, meaning that inventory is likely to be considered more valuable.

But it’s still possible for an advertiser or ad tech company relying on openRTB consent data to violate GDPR.

In other words, adhering to the openRTB consent data isn’t a legal solution to GDPR, Butler said. It’s a functional solution for programmatic players looking for EU audiences they can feel comfortable targeting.

For now, at least, the string of openRTB consent data only moves one way along the supply chain, from publisher to buyer. More work is needed to connect the publisher data to opted-in audiences that vendors or brands bring to the table. That’s what advertisers will need if they want to target based on identity and not just demographic segmenting.

The GDPR working group and the openRTB working group are also developing methods to keep media companies or tech intermediaries from tampering with the data transmitted in the consent string, which “must be immutable throughout the flow of a transaction,” according to the IAB Tech Lab’s GDPR consent update.

The word “immutable” is a veiled allusion to blockchain-based cryptographic solutions, which the IAB Tech Lab and the main openRTB working group have recently embraced as a way to transmit data and inventory without the possibility of distortion, like ad networks replacing URLs or fudging audience info to trick exchange buyers.

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!


  1. This suggests that publishers are going to be delighted to pass their hard won permissions over as part of the existing arbitrage model.
    The network, as demonstrated in recent press, has hardly won our trust and behaved in a fair minded manor towards publishers. As discussed in the article, GDPR is therefore the best opportunity for publishers to win back control as they are best placed to gain permissions from the subscriber. They handed over their data before and got their fingers burnt, are they really going to do the same again? As we say in Scotland, “Ah hay ma doots”

  2. Claire Horan

    I am confused as to why the belief exists that consent is required for all interest based advertising, largely what is shared is aggregate information to help advertisers reach the kind of audience they want to target (for example, women in London). If the third party cannot personally identify any living individual, why does the GPDR apply?

  3. Claire, while it’s true that advertisers are interested in targeting a predefined audience (e.g. women in London), they, or rather the publishers, need to be able to identify these women from London when they visit their website. Now the question is — how can a publisher tell whether a user is a woman from London or not? Well, by identifying their IP address for starters, and also other information they’ve collected about them (e.g. their gender). So there are 2 prime examples of personal data, for which consent will need to be obtained. Personal data refers to any piece of data that can be used to identify a person, this means knowing whether someone is a new or returning visitor. If advertisers and publishers want to avoid obtaining consent under the GDPR, then they’ll have to revert back to showing contextual ads that don’t require any personal data — e.g. showing golf ads on a web page about golf.