Leave it to GDPR to bring about an unwieldy terms like pubsvendors.json.
Publishers and vendors in particular should get familiar with this file, created by the Interactive Advertising Bureau Europe and IAB Tech Lab as a way to give publishers more control over who can use their audience data — and for what purposes — whether the publisher has taken a legitimate-interest or a consent-based approach to GDPR compliance.
Here’s a primer:
So, WTF is pubvendors.json?
Essentially, it’s a supercharged whitelist. Publishers can embed the file in their domain, showing vendors they are willing to gain consent for, approved vendors on a legitimate-interest basis, and what purposes those vendors can use the audience data for. Vendors that are part of the IAB Transparency and Consent framework must then check the pubvendors.json file — like they would an ads.txt one — to see what they can do, and what the publisher GDPR policy is.
Why is it necessary?
Two of the most popular approaches among publishers toward GDPR compliance are legitimate interest — meaning they’ve determined they are legally justified in using audience data for certain purposes — and consent, where they have informed a user how they plan to use their data and collected permission to do so. Until now, the IAB Transparency and Consent framework, which is currently the only attempt at an industrywide GDPR standard, gave stricter boundaries for businesses working on a consent basis, than those that had adopted legitimate interest. Publishers have demanded that the framework provide them with more control over which vendors use their audience data, and how, regardless of whether they’ve taken a consent or legitimate-interest approach. Pubvendors.json is the IAB’s attempt to meet that need.
So this is different to a consent string?
Yes, darling. A consent string identifies the consent status of an ad tech vendor and is generated by a publisher’s consent management platform,which then passes the information to every other partner in the ad supply chain. It helps keep track of who has consent to serve personalized ads, and who doesn’t. But it’s only useful for publishers that have gone the consent route and have adopted a CMP, and not everyone has. It doesn’t work for those that have adopted legitimate interest. That’s where our friend pubvendors.json comes in.
So how does it work?
A publisher posts a pubvendor.json file that includes details on which basis a publisher wishes to work on: a legitimate interest basis or a consent basis. The file will also include a breakdown of which vendors the publisher is willing to gain permission from users for, and for what purposes, as well as those they’re willing to work with on a legitimate interest basis (if any). It will be mandatory for vendors that operate within the framework to refer to this — like added protection. If a vendor sees the publisher will only work with them on a consent basis, via their Pubvendors.json file, then they must refer to the consent-string information before sending personalized ads to that publisher’s users. Think of it like a bar posting a “no shirt, no shoes, no service” sign.
So it’s beneficial for publishers?
In theory, yes. The first version of the IAB GDPR framework was initially criticized by publishers for being biased toward vendors. The framework has had subsequent face lifts to address publisher concerns around the lack of granular control on how vendors used their audience data for ad targeting. Consent strings were added to help every business in the supply chain stay on the same page about which publisher users can and can’t be sent personalized ads. Pubvendors.json has been developed to give publishers the same level of granular control over how their audience data is being used in their digital ad supply chains, if they have taken a more light-touch legitimate-interest route. It creates more accountability for all vendors that work with that publisher.
Do publishers have to use it?
No. It’s currently being debated whether it should be mandatory or optional for publishers to adopt it, according to Matthias Matthieson, director, privacy and public policy at IAB Europe. The reasoning is that if they don’t adopt it, it’s hard to ensure vendors enforce it. So the current conversation is whether there should be default rules if a publisher chooses not to implement it — for vendors to stick to. “It’s been created to make legitimate interest safer,” added Matthieson.
It’s just important to ensure all information is accurate in the file. Publishers will need to be across that, and it means having to know their digital ad supply chains inside out, in order to be able to give the kind of granular information needed about which vendors can do what.
The AMERICA Act spotlights Capitol Hill’s ingrained antipathy for Big Tech
A reprised version of the Competition and Transparency in Digital Advertising Act spells trouble for double-sided marketplaces.
How BuzzFeed’s Creator Score is grading the impact of its creator network
BuzzFeed's Creator Network is a primary focus in 2023 for the publisher, and its campaign grading tool is being used to prove out its ability to create successful ads.
In graphic detail: Google’s Ads Safety Report shows suspect ad activities are on the rise
Google's ad transparency efforts detail how bad actors necessitate further investment.
SponsoredHow critical data pillars will increase brands’ confidence in CTV
This article is part of Digiday’s coverage of its Digiday Publishing Summit. More from the series → Mario Diez, CEO, Peer39 With every quarter, the balance of TV viewership slips away from the traditional linear model and more towards connected TV. Less than half of the adults in the U.S. subscribe to cable or satellite, […]
Media Briefing: Publishers share their biggest challenges and opportunities at the Digiday Publishing Summit
While Q1 ad revenue, sales cycles and payment windows appeared to be equally bad across the media industry, bright spots arose around consumer revenue streams, new tech experimentation and traffic patterns.
How Dotdash Meredith worked through the challenge of integrating two major publishers’ tech stacks
At the Digiday Publishing Summit, Dotdash Meredith product chief Adam McClean shared why he had initially expected the integration to be done by summer 2022 and why the work is still ongoing.