Leave it to GDPR to bring about an unwieldy terms like pubsvendors.json.
Publishers and vendors in particular should get familiar with this file, created by the Interactive Advertising Bureau Europe and IAB Tech Lab as a way to give publishers more control over who can use their audience data — and for what purposes — whether the publisher has taken a legitimate-interest or a consent-based approach to GDPR compliance.
Here’s a primer:
So, WTF is pubvendors.json?
Essentially, it’s a supercharged whitelist. Publishers can embed the file in their domain, showing vendors they are willing to gain consent for, approved vendors on a legitimate-interest basis, and what purposes those vendors can use the audience data for. Vendors that are part of the IAB Transparency and Consent framework must then check the pubvendors.json file — like they would an ads.txt one — to see what they can do, and what the publisher GDPR policy is.
Why is it necessary?
Two of the most popular approaches among publishers toward GDPR compliance are legitimate interest — meaning they’ve determined they are legally justified in using audience data for certain purposes — and consent, where they have informed a user how they plan to use their data and collected permission to do so. Until now, the IAB Transparency and Consent framework, which is currently the only attempt at an industrywide GDPR standard, gave stricter boundaries for businesses working on a consent basis, than those that had adopted legitimate interest. Publishers have demanded that the framework provide them with more control over which vendors use their audience data, and how, regardless of whether they’ve taken a consent or legitimate-interest approach. Pubvendors.json is the IAB’s attempt to meet that need.
So this is different to a consent string?
Yes, darling. A consent string identifies the consent status of an ad tech vendor and is generated by a publisher’s consent management platform,which then passes the information to every other partner in the ad supply chain. It helps keep track of who has consent to serve personalized ads, and who doesn’t. But it’s only useful for publishers that have gone the consent route and have adopted a CMP, and not everyone has. It doesn’t work for those that have adopted legitimate interest. That’s where our friend pubvendors.json comes in.
So how does it work?
A publisher posts a pubvendor.json file that includes details on which basis a publisher wishes to work on: a legitimate interest basis or a consent basis. The file will also include a breakdown of which vendors the publisher is willing to gain permission from users for, and for what purposes, as well as those they’re willing to work with on a legitimate interest basis (if any). It will be mandatory for vendors that operate within the framework to refer to this — like added protection. If a vendor sees the publisher will only work with them on a consent basis, via their Pubvendors.json file, then they must refer to the consent-string information before sending personalized ads to that publisher’s users. Think of it like a bar posting a “no shirt, no shoes, no service” sign.
So it’s beneficial for publishers?
In theory, yes. The first version of the IAB GDPR framework was initially criticized by publishers for being biased toward vendors. The framework has had subsequent face lifts to address publisher concerns around the lack of granular control on how vendors used their audience data for ad targeting. Consent strings were added to help every business in the supply chain stay on the same page about which publisher users can and can’t be sent personalized ads. Pubvendors.json has been developed to give publishers the same level of granular control over how their audience data is being used in their digital ad supply chains, if they have taken a more light-touch legitimate-interest route. It creates more accountability for all vendors that work with that publisher.
Do publishers have to use it?
No. It’s currently being debated whether it should be mandatory or optional for publishers to adopt it, according to Matthias Matthieson, director, privacy and public policy at IAB Europe. The reasoning is that if they don’t adopt it, it’s hard to ensure vendors enforce it. So the current conversation is whether there should be default rules if a publisher chooses not to implement it — for vendors to stick to. “It’s been created to make legitimate interest safer,” added Matthieson.
It’s just important to ensure all information is accurate in the file. Publishers will need to be across that, and it means having to know their digital ad supply chains inside out, in order to be able to give the kind of granular information needed about which vendors can do what.