Didomi now supports the IAB Europe consent framework
April 20, 2018 by Romain Gauthier
Didomi is proud to announce that our Consent Management Platform (CMP) is now officially registered with the IAB Europe’s GDPR consent framework. We’re one of the first CMPs to fully support the framework.
The IAB Europe Consent Framework
The IAB Europe Consent Framework aims to standardize consent flows between advertising partners. Online advertising involves a complex chain of data controllers and processors which varies from one ad to the next. Ad impression after ad impression, users’ personal data (such as cookies, geolocation, user identifiers) flows in real time among various vendors. The main difficulty is that no one in the chain has visibility over the exact number and quality of the vendors. All these vendors get access to the data, usually in the form of a bid request following the OpenRTB standards. Under the GDPR and the soon-to-come ePrivacy frameworks, processing this data will in certain situations require user consent.
The IAB Consent Framework is the first attempt to solve a key privacy problem with a standardized approach for all players. The idea is fairly simple: attach a consent token to the data so that consent follows the data wherever it flows. The token is an encrypted consent message which details which vendors have permissions for which purposes. Practically, the OpenRTB bid request will have a new field containing the token. This means that any vendor receiving the data can decode the token and check whether it has sufficient permission to process the data for its own purposes prior to anything else happening in its systems. If it has no permission, the vendor will not retain the data in its system and, voilà, compliance is maintained across the whole chain.
This solution is not perfect as it relies on trust: a bad player can receive the data and process it without permission. However, it’s the most elegant way to solve a complex problem with a solution that doesn’t lock the whole market in the hands of a few players. With this system, publishers and advertisers will have a strong incentive to only collect consents for compliant vendors which will therefore be rewarded for being privacy friendly. There are still some limitations with the implementation of the first version of the standard, but it’s great to see that serious vendors are working together to find solutions that fit into the new privacy framework.
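An added example, not Didomi's or the IAB's code: a vendor-side check of the kind described above, which decodes the token found in a bid request and fails closed when the vendor or purpose is not permitted. The `user.ext.consent` path and the version 1 layout (a base64url-encoded fixed header followed by a vendor bit field) are assumptions taken from outside this page, and the sample values are constructed.

```python
import base64

# Assumed version 1 header layout: (field name, width in bits), in wire order.
HEADER = [("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
          ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
          ("vendor_list_version", 12), ("purposes_allowed", 24),
          ("max_vendor_id", 16), ("encoding_type", 1)]
HEADER_BITS = sum(width for _, width in HEADER)

def encode_consent(fields, vendor_ids):
    """Build a bit-field-encoded token; used here only to construct sample input."""
    bits = "".join(format(fields[name], f"0{width}b") for name, width in HEADER)
    bits += "".join("1" if v in vendor_ids else "0"
                    for v in range(1, fields["max_vendor_id"] + 1))
    bits += "0" * (-len(bits) % 8)  # pad to a whole number of bytes
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_consent(token):
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    bits = "".join(format(b, "08b") for b in raw)
    if len(bits) < HEADER_BITS:
        raise ValueError("token shorter than the fixed header")
    pos, out = 0, {}
    for name, width in HEADER:
        out[name], pos = int(bits[pos:pos + width], 2), pos + width
    if out["version"] != 1 or out["encoding_type"] != 0:
        raise ValueError("only version 1 with bit-field encoding is handled")
    if len(bits) < pos + out["max_vendor_id"]:
        raise ValueError("truncated vendor bit field")
    out["vendors"] = {i + 1 for i in range(out["max_vendor_id"]) if bits[pos + i] == "1"}
    out["purposes"] = {p for p in range(1, 25) if out["purposes_allowed"] >> (24 - p) & 1}
    return out

def may_process(bid_request, vendor_id, purposes):
    """Fail closed: a missing or malformed token, or a missing permission, is a no."""
    token = bid_request.get("user", {}).get("ext", {}).get("consent")  # assumed path
    try:
        consent = decode_consent(token)
    except (ValueError, TypeError):
        return False
    return vendor_id in consent["vendors"] and set(purposes) <= consent["purposes"]

# Constructed sample: vendors 2 and 7 consented, purposes 1 and 3 allowed.
SAMPLE_FIELDS = {"version": 1, "created": 15241824000, "last_updated": 15241824000,
                 "cmp_id": 1, "cmp_version": 1, "consent_screen": 0,
                 "consent_language": 269, "vendor_list_version": 1,
                 "purposes_allowed": 0b101 << 21, "max_vendor_id": 20, "encoding_type": 0}
SAMPLE_TOKEN = encode_consent(SAMPLE_FIELDS, {2, 7})
```

Nothing in the token forces a recipient to run this check before using the data, which is the trust limitation noted above.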
The role of the Consent Management Platform
In this new GDPR world, a new breed of vendors is emerging: the consent management platforms. Their role is to help advertisers and publishers manage their user consents. At Didomi, we break down consent management into 3 distinct yet essential steps: collecting consent, storing and accessing consent, and sharing consent.
Storing consent is a legal obligation. As a data controller (be it an advertiser or a publisher), you must be in a position to prove that you collected consent adequately for the data processing that required consent as its legal basis under GDPR or ePrivacy. If any European Data Protection Authority knocks on your door, you need to show that you effectively collected consent, for the data processing which needed it, from all the clients/users/individuals you collected data from. Once consent is stored, your users must also be able to revoke it at any time, as simply as it was given; otherwise the consent will not be considered valid. How do you do that? There is a need for revisiting the whole user privacy experience on websites and apps, but that’s another topic.
Sharing consent is where the IAB Europe Consent Framework comes in. Not only do you collect consent for your company, but most of the time also for your vendors, whose ability to provide their services often depends on consent as well. But wait, this isn’t the only consent framework. Ever heard of OpenGDPR? And the IAB Europe Consent Framework only deals with advertising purposes. What about direct marketing (aka emailing)?
Now all this can be fairly complex. Consents can be given but also withdrawn. They can be attached to a cookie or to an email (or another offline key). The volumes you need to manage can be massive or really small. Your business could suffer from neglecting some key technical constraints: your advertising vendors need you to pass them consents in real-time as every millisecond lost is less business for everyone. You’ll need to integrate with all the consent frameworks that exist out there. In all cases, companies will most of the time be better off not distracting themselves from their core business and getting some help from a Consent Management Platform.
How is Didomi contributing?
This is part of a larger effort to provide publishers and advertisers with easy-to-use privacy management solutions that are needed to help the industry take the plunge of GDPR compliance and also embrace the new European privacy framework as an opportunity to reinvigorate online advertising.
At Didomi, we’re convinced that privacy will prevail.