back button

Back

Didomi now supports the IAB Europe consent framework

April 20, 2018byRomain Gauthier

Didomi is proud to announce that our Consent Management Platform (CMP) is now officially registered with the IAB Europe’s GDPR consent framework. We’re one of the first CMPs to fully support the framework.

The IAB Europe Consent Framework

The IAB Europe Consent Framework aims at standardizing consent flows between advertising partners. Online advertising involves a complex chain of data controllers and processors which varies from one ad to the other. Ad impression after ad impression, personal data of users (such as cookies, geolocation, user identifiers) flows in real-time among various vendors. The main difficulty is that no one in the chain has visibility over the exact number and quality of the vendors. All these vendors get access to the data, usually in the form of a bid request following the OpenRTB standards. Within the GDPR and soon-to-come ePrivacy frameworks, processing this data will in certain situations require user consent.

The IAB Consent Framework is the first attempt to solve a key privacy problem with a standardized approach for all players. The idea is fairly simple: attach a consent token to the data so that consent follows the data wherever it flows. The token is an encrypted consent message which details which vendors have permissions for which purposes. Practically, the OpenRTB bid request will have a new field containing the token. This means that any vendor receiving the data can decode the token and check whether it has sufficient permission to process the data for its own purposes prior to anything else happening in its systems. If it has no permission, the vendor will not retain the data in its system and, voilà, compliance is maintained across the whole chain.

This solution is not perfect as it relies on trust: a bad player can receive the data and process it without permission. However, it’s the most elegant way to solve a complex problem with a solution that doesn’t lock the whole market in the hands of a few players. With this system, publishers and advertisers will have a strong incentive to only collect consents for compliant vendors which will therefore be rewarded for being privacy friendly. There are still some limitations with the implementation of the first version of the standard, but it’s great to see that serious vendors are working together to find solutions that fit into the new privacy framework.

The role of the Consent Management Platform

In this new GDPR world, a new breed of vendors is emerging: the consent management platforms. Their role is to help advertisers and publishers manage their user consents. At Didomi, we break down consent management in 3 distinct yet essential steps: collecting consent, storing and accessing consent, and sharing consent.

Collecting consent is arguably one of the most exciting field of research these days. It’s the perfect use case for advanced technologies and innovative designs. We’re probably at year 0 in terms of user experience: consent is collected via banners positioned on the first landing page. The message presented is most of the time obscure and it poorly informs a user about what is being asked from him. Yet this is a tough challenge because the regulatory framework is strict and can’t be tweaked that much while you want to guarantee the best user experience. Expect a lot of innovation in this field in the coming years.

Storing consent is a legal obligation. As a data controller (be it an advertiser or a publisher) you must be in a position to prove that you collected consent adequately for the data processing that required consent as legal basis under GDPR or ePrivacy. If any European Data Protection Authority knocks on your door, you need to show that you effectively collected consent for the data processing which needed it for all the clients/users/individuals you collected data from. When consent is stored, you also need your users to be in a position to revoke the consent at any time as simply as the consent has been given otherwise the said consent will not be considered valid. How do you do that? There is a need for revisiting the whole user privacy experience on websites and apps, but that’s another topic.

Sharing consent is where the IAB Europe Consent framework gets in. Not only do you collect consent for your company, but most of the time also for your vendors, whose ability to provide their services often depends on consent as well. But wait, this isn’t the only consent framework. Ever heard of OpenGDPR? And this  IAB Europe Consent framework only deals with the advertising purposes. What about Direct marketing (aka emailing)?

Now all this can be fairly complex. Consents can be given but also withdrawn. They can be attached to a cookie or to an email (or another offline key). The volumes you need to manage can be massive or really small. Your business could suffer from neglecting some key technical constraints: your advertising vendors need you to pass them consents in real-time as every millisecond lost is less business for everyone. You’ll need to integrate with all the consent frameworks that exist out there. In all cases, companies will most of the time be better off not distracting themselves from their core business and getting some help from a Consent Management Platform.

How is Didomi contributing?

As a member of the IAB Europe and the IAB Techlab GDPR working groups, Didomi is actively contributing to shape the Consent Framework and its evolutions. We released and maintain the open source JavaScript library Consent String (the reference implementation of the consent specification) to help developers encode and decode consent information. We also built an online tool to help adtech vendors check the compatibility of their tags with our consent management technology. And that’s just the beginning!

This is part of a larger effort to provide publishers and advertisers with easy-to-use privacy management solutions that are needed to help the industry take the plunge of GDPR compliance and also embrace the new European privacy framework as an opportunity to reinvigorate online advertising.

At Didomi, we’re convinced that privacy will prevail.

Related articles

May 25, 2018byJulie Tamba

A potential future for the Ad Tech industry: consent without tracking walls

Publishers and actors of the Ad Tech sector targeting the EU currently face one of the biggest challenges they have ever encountered, one that may require them to change profoundly their model. Namely? Unambiguous positive consent. Some background Publishers (both online and offline) have traditionally been able to provide their readers with free contents by…

Read more

Ad Tech

Consent

ePrivacy

GDPR

Publishers

March 29, 2018byJulie Tamba

An interpretation of Google new consent requirements for publishers

We wrote a few articles in the last months regarding consent, including on how consent should be obtained (e.g. may clicking on the website be considered a sufficient positive act ?) or why it should be obtained  (e.g. which geolocation uses or marketing communications will require consent ?). Taking into account this framework, we thought it would be…

Read more

Ad Tech

Consent

GDPR

Google

Publishers

targeted advertising

December 29, 2017byJulie Tamba

Which kind of electronic advertising will require consent?

There are some cases where consent of the end-user is mandatory: this is the case for direct marketing, a category of advertising covering various techniques. As of now, the ePrivacy Directive required consent in relation to “the use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for…

Read more

Consent

custom audience

ePrivacy

tailored advertising

targeted advertising

November 22, 2018byJulie Tamba

What CMPs can learn from the French data protection authority

On 30 October 2018, the French Data Protection Authority (the “CNIL”) issued a warning against a small company called Vectaury in relation to how this Ad Tech actor was collecting consent for geolocation-based advertising campaigns. On 8 November 2018, it decided to make this decision public notably because it is necessary to “raise awareness among…

Read more

CMP

CNIL

Consent

Cookies

France

GDPR

IAB

Sanction

Vectaury

Warning

December 5, 2017byJulie Tamba

Does collecting user geolocation require consent?

Collecting geolocation is a tricky topic in data privacy regulations. As of today, consent is not necessarily required by law. The ePrivacy Directive, on the first hand, requires consent for use of location data yet this obligation is only binding upon public electronic communication services and networks (telecom operators). The General Data Protection Regulation, on…

Read more

Consent

ePrivacy

European Union

GDPR

Geolocation

personal data