IAB Europe’s GDPR guidelines, explained

In an attempt to get the entire digital advertising industry to comply with the General Data Protection Regulation, the Interactive Advertising Bureau Europe has released a new framework aimed at standardizing the process of gaining consent to collect and use consumer data.

In a nutshell, participating publishers would get to select which ad tech vendors they wish to continue working with for programmatic trading from a centralized list of global vendors that have applied — and paid a nominal fee — to appear on the list. Once publishers have chosen vendors from the list, they must then get consent from the consumer on those vendors’ behalf.

The framework’s purpose
Getting consumers to consent to their data being used under the GDPR will be a challenge for everyone, but it will be far harder for companies that don’t have a direct relationship with them — and therefore aren’t brands that consumers recognize — such as ad tech intermediaries and agency trading desks.

Publishers, on the other hand, are in a strong position to ask consumers for consent. The IAB Europe hopes with this framework that if publishers help gain consent on behalf of third-party vendors, programmatic revenues won’t be choked, as suppliers will be able to continue trading on their supply.

The theory is that a unified approach means users can give consent to multiple vendors at the same time, which would drastically simplify the process. It would also help some ad tech vendors keep their businesses afloat.

A love-hate situation
The industry has had a mixed response to the framework. While the benefits are clear for the some 5,000 ad tech vendors in the Lumascape, which will struggle to gain explicit consent, the benefits for publishers are less obvious. Some believe the framework requires publishers once again to assume the legal risk in order to maintain ad tech’s status quo, while potentially annoying or overwhelming their users with messages asking for consent for dozens of ad tech partners.

For now, vendors aren’t strictly vetted for the list, although they must be a member of a trade body or organization to be on it. In the future, should the industry request it, the IAB Europe can help set up a certification process to validate that each vendor is as GDPR-compliant as it claims, according to Matthias Matthiesen, IAB Europe’s senior manager of privacy and public policy. Matthiesen stressed that participating vendors will also need to demonstrate their own GDPR compliance and privacy policies; they can’t just sit back and allow publishers to take responsibility for that.

But publishers can choose the vendors for which they want to gain consent and if they wish, ignore the rest. “Just as non-authorized resellers fell away with the introduction of ads.txt, vendors who have to this point maintained a parasitic existence, syncing users through non-direct relationships and in the absence of any value exchange, are suddenly looking very exposed,” said a publisher executive. “We saw with ads.txt when suspect vendors tried to get themselves erroneously listed in publishers’ ads.txt files — you can expect to see those under threat to try and persuade the publisher to legitimize their existence via consent, which you can safely assume few publishers are going to allow to happen.”

The idea is that the framework provides the transparency required under the GDPR and creates an audit trail, so everyone can keep abreast of all parties’ compliance status. If the law is violated, there is essentially visibility of who is at fault, added Matthiesen.

The framework needs publisher buy-in
Ultimately, the framework needs publishers to get on board for it to work. So far, publisher response has been lukewarm.

“The current proposal is aimed at maintaining the status quo of an ecosystem which is not sustainable as it is today due to its unbalanced nature,” said Alessandro De Zanche, publisher consultant and former News UK executive. “GDPR is an opportunity for publishers to regain control of the relationship with their user, and through that, [be] given consent for the use of data. This would make publishers much stronger versus the rest of the ecosystem.”

The proposed framework is open for the industry’s feedback, and a final version will be released in mid-April. Until then, the IAB Europe plans to get feedback on it from publishers across Europe.

For some, however, full publisher cooperation on the framework is a long shot. “I don’t see publishers embracing it without significant changes,” said Jason Kint, CEO of publisher trade body Digital Content Next. “It’s designed to attempt to protect the broad interests of the many IAB ad tech companies who designed it.”

The GDPR will have long-lasting effects on how all companies collect and use data. Download Digiday’s primer on all you need to know. 

https://digiday.com/?p=279060

More in Media

Creators are left wanting more from Spotify’s push to video

The streaming service will have to step up certain features in order to shift people toward video podcasts on its app.

Digiday+ Research: Publishers expected Google to keep cookies, but they’re moving on anyway

Publishers saw this change of heart coming. But it’s not changing their own plans to move away from tracking consumers using third-party cookies.

Incoming teen social media ban in Australia puts focus on creator impact and targeting practices

The restriction goes into effect in 2025, but some see it as potentially setting a precedent for similar legislation in other countries.