IAB Europe Releases GDPR Standards For Passing Consent To Ad Tech Buyers

The IAB Europe GDPR working group has released for public comment its framework for transmitting user consent data up the supply chain, from publishers to technology companies and marketers.

The final version is scheduled to come out mid-April. Read the tech specs.

The framework provides standards so that publishers can provide transparency into their data use or collect different kinds of consent – like whether someone permits on-site data collection or agrees to location tracking and targeted advertising – and then plug that consent into the programmatic ecosystem.

“It makes no sense for a publisher to develop their own system that may have to be compatible with dozens of technology vendors, or vice versa – for a technology company to have a specific structure in place with hundreds or thousands of publishers,” said Matthias Matthiesen, IAB Europe director of privacy and public policy.

The IAB Europe consent standards were created primarily by advertising technology companies, with contributions from AppNexus, MediaMath, Index Exchange, Oath, Conversant, Quantcast and Sizmek.

And the framework’s backers may have their work cut out when it comes to getting scaled adoption from publishers.

“The IAB solution envisions that publishers will get global consent for the entire ecosystem, store it in a cookie [and] share it with a third-party consent server,” said Jason Kint, CEO of online media trade group Digital Content Next, in a note to AdExchanger.

The pitch to publishers is that data-based buys drive higher ad rates, and so they’ll earn more if supply chain partners can target audiences with consent when it’s required.

Kint said the use of aggregated cookie data and consent across sites and apps “doesn’t meet the letter or spirit of the GDPR,” and it could expose publishers to liability.

The IAB Europe “did its homework and is plugged in with regulators,” said Alice Lincoln, MediaMath’s VP of data policy and governance. She said the framework is also intended to evolve based on GDPR enforcement and the final version of the ePrivacy law.

And other publishers have contributed to the IAB Europe working group, if indirectly.

AppNexus shared the working group’s ideas with media clients while it developed the framework with the IAB Europe, so some of its top publishers have already adopted the solution and given feedback on the standards, said Julia Shullman, AppNexus deputy general counsel and director of the company’s privacy group.

And the IAB’s Matthiesen said there are some common misunderstandings about its third-party cookie language.

“We’re using ‘cookies’ in this case as any device where information about user consent is stored,” he said.

For now, the system does rely on cookies for the transmission of consent, he said, but in the future, the group plans to develop non-cookie based ways to pass data, like an offline server-to-server solution to centralize IDs.

The IAB Tech Lab GDPR working group, working separately from IAB Europe, debuted an OpenRTB feature last month for passing consent in the supply chain as a bidstream data field. The Tech Lab is also working on ways, like blockchain-based encryption, for publishers to pass data to known vendors – or at least vendors with ads.txt certification – without potentially exposing data to another intermediary.

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!