IAB Transparency and Consent Framework
IAB EU Transparency & Consent Framework
Wednesday 3L
Convener: Wendell Baker
Notes-taker(s): Wendell Baker
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Transparency & Consent Framework, Interactive Advertising Bureau (IAB)
- Frequently-Asked Questions (FAQ); 2018-03-08.
- Cookie and Vendor List Format, Version v1.0a
- CMP.js API, Version v1.0, hosted at Github
Purposes
- Accessing a device: allow storing or accessing information on a user’s device.
- Advertising personalisation: allow processing of a user’s data to provide and inform personalised advertising (including delivery, measurement, and reporting) based on a user’s preferences or interests known or inferred from data collected across multiple sites, apps, or devices; and/or accessing or storing information on devices for that purpose.
- Analytics: allow processing of a user’s data to deliver content or advertisements and measure the delivery of such content or advertisements, extract insights and generate reports to understand service usage; and/or accessing or storing information on devices for that purpose.
- Content personalisation: allow processing of a user’s data to provide and inform personalised content (including delivery, measurement, and reporting) based on a user’s preferences or interests known or inferred from data collected across multiple sites, apps, or devices; and/or accessing or storing information on devices for that purpose.
Features
- Matching data to offline sources: combining data from offline sources that were initially collected in other contexts.
- Linking devices: allow processing of a user’s data to connect such user across multiple devices.
- Precise geographic location data: allow processing of a user’s precise geographic location data in support of a purpose for which that certain third party has consent.
Purpose versus Feature
- Purpose is a data use that drives a specific business model and produces specific outcomes for consumers and businesses. Purposes must be itemised at the point of collection, either individually or combined.
- Feature is a method of data use or data sourcing that overlaps across multiple purposes. Features must be disclosed at the point of collection, but can be itemised separately to cover multiple purposes.
Promotional
- InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework, at GitHub
- The Advertising Industry’s GDPR Transparency & Consent Framework, IAB Europe; also advertisingconsent.eu
Transcription of the session by Mei Lin Fung
Organizer, People Centered Internet, co-founded with Vint Cerf
External advisor to the Stanford Center for Population Health Science
Member of the Global Future Council on Digital Economy and Society, World Economic Forum
Member of the Steering Committee, World Economic Forum, Internet for All
Vice Chair, Internet Inclusion, IEEE Internet Initiative
(e) mlf@alum.mit.edu ; mlfung@gmail.com
(t) meilinfung
IAB report discussion – Wendell Baker
There is another permissions level –
Consumers who have their consent cookie will participate, de facto is ‘no consent’.
On a chain of custody basis – to signify that consumer had given consent to …..
List permissions defined to date on Pg 18
Consumer can state this in their browser as defined by a publisher
Thru real time bidding – server to server – can signal what consumer has consented to along the way
Because all members of IAB have signed agreement – this is a voluntary group creating a conforming standard
This allows IAB members to speak to each other
Consumer must consent to be tracked otherwise GDPR will not allow it
Doc – Adtech system de facto becomes an identity provider about consumers who have given consent – by solving the cookie mapping problem
Wendell – IAB says we are only doing consent.
Cookie tracking problem – fall out, people hate it, if consumers have an ID… could be helpful
Sam – will content be held hostage – consumers will not consent otherwise
Iain – have to have equivalent service for those who do not consent
Wendell – who is going to sign up for this? At OATH we will launch a dialog to fill in this stuff – 3rd party publishers have to conform to GDPR in Europe – have to ask invasive questions (once provided you log in thereafter)
Cookies will time out – may be very short
Sam – law requires that equivalent service must be provided for those “unwilling to consent”
Wendell – debates with engineers who think only a few will not consent. There will be a wall
Iain – 1 minute past midnight after GDPR – we should expect things to half
Wendell – we expect to be QA’d before going live. Usually on Internet – it’s as it’s rolled out – we will this time, build tests ahead of time – it’s no longer cheap on the web – we will have to insist on provenance tracking
Doc – on commercial web (which is not the whole web – not Wikipedia, not universities) – we will see a new front door on every website
When people see all these front doors – all different – der Spiegel, Wikipedia, google – and all have a different consent gauntlet…
Will people hate
- The sites
- The advertising business
- European regulators
Or will there be a universal log in ?
Iain – this is about competitive play for Europe – people expect innovation to spring up in Europe – on the side of the individual
Wendell – log in providers springing up – Universal SSO using SAML will happen – if it’s a paywall, what do you pay, what do you give people who don’t pay – can have tiers of service
Consortia for Universal log in - VIANT
Doc – this table will be half this conference in IIW October
Brides magazine – very confined customer basis
Wendell – lots of niche blocks – ADSENSE will come back – problem in industry is how to show auditing for circulation which we say we have – alternatives to current estimates – working out what is the right balance
Login requirements and Sarbanes Oxley requirements are more onerous
Adblock – was 10-15% then became inflammatory when people emerged using beacons to see if ad was above the fold or not, or whether it appeared or not
In the old days, you could bill for adblock – now viewability tracking is possible for campaigns
Now adblock is untenable to all the industry
See business insider article about the consortia – Axel Springer, VIANT, French newspaper
Imagine you need to log in to newspaper with auditable logs
Andrew – I already do – I have a subscription
Wendell – now the law will require it
Sam – people will have a huge burden – some consent is worth it and some is not going to be worth it
Paywalls, etc – have to move barriers far enough “gauntlet required content” or “gauntlet not required content” that division is going to be really obvious
Wendell – a lot of content is written by robots – eg spammers create content.. financial earnings
Propublica deep dive – real journalism costs a ton of money and risk for a person…
So less material to read – people will recognize the robots – ads will not be able to monetize the robot content in the old way – that could change the proportion of robot content – (MLF: up or down?)
Sam – people will feel it in terms of gauntlet and in terms of distinguishing between content that is robot generated vs human generated
……: What about cut and paste?
Wendell – not supposed to be doing it – that may show up for a while
Targeted audience buying was always odious to publishers…. Supply and demand are usually inverses in econ 101. Buy side is a lot smarter – they are not inverses in practice – changed through more information
Publisher mindset is not sophisticated – supply side is not keeping up with buy side sophistication
Doc – when ad tech came along and brand advertising entered the Internet – there is not a function at the publisher to do that… they will go to a 3rd party and say give us a front door to cover this for the GDPR
Andrew – Yahoo portal may come back – if publishers are told by Google to manage the layer, one way to solve it is to publisher portal
Wendell – OATH family may offer publisher tools –
Doc – May 25th – will every app require it ?
All adware apps have this problem –
Wendell - data must be stuffed into adware SDK’s that will work with this
IAB is only display ads – not mobile apps
Consent string thru our apps – we will use the consent signaling string – some adware vendors will say “we will do our own thing”
It’s an IAB decision whether to deal with them
When someone says I’m not ready for IAB…. That’s one thing
When someone says I’m not going to use this – then we say Thank you, when you are ready to do business in Europe, come back
If you have a login system – you get this once. Without log ins – you will be asked every time
Doc – it will be wild
Wendell – analytics will be split in consent and non consent
Doc – the answer is a simple and standard across individual side that says “here’s how I work” across all the stuff (google, etc)
Wendell – would have loved W3C and vendors took it on. Bake in all ideas into next gen browser
Separate cookie jar that holds this cookie
Doc – I followed DNT (do not track) which showed up at Berkman center – someone spoke up – John Mayer – like Do not Call – this became the “tracking preference”
Wendell – that’s Adblock baked in the browser – if the affordance is in the browser baked in at the sale of the device showing the browser – signaled up to the server to know consumer’s preferences
Our nightmare is 1 button – never see ads again – never happened
Tracking preferences for blocking ads – this is a permissions based thing – positive consent
Dave – only works if there is a common ontology
Wendell – IAB has members to develop this
There is a different group on the browser, phone and devices – not been involved.
We are 1 browser release away from universal ID and a cookie management process – they could make the problem go away
Apple instituted ITP – intelligent tracking protection – survey your cookies – if they detect a tracking cookie
If you are in a first party context – user preference prevails
Dave Huston – Firefox had this – I worked on this at Mozilla - not on, by default
Sam - if it is really bad – gauntlet is bad – need to respond
Doc – what can customer commons do?
Wendell – standardize terms. Stand up a consent manager with your own terms
Dave – because you have an accounting piece – consider overlap with decentralized ledgers – they are trying to teach browsers to do authentication using ledgers – signal something to a browser that you are going to consent (or not) to terms
Merge the two ideas together – always have consent payload, sometimes have authentication payload
Wendell – could signal something benign, send it around – consent – if leaked is that a big deal?
Circulate to developers, first responders – if behavior is like a Cert
Dave – will look like when a Bank sends something to a phone – needs to be something on your phone – interactive consent
Sam – use TLS flex one (Evernym)
Andrew – Kantara – data format to report purpose and consent of user – transmit to others – like the cookie but full data format – consent receipt to fill gaps – need transport in, interfaces specified
What would it take to make a transport format (right now it's a data format)
Its just a spec – this is what a receipt looks like
Dave – could it be an RFC
Andrew – consent receipt envisions the activation of GDPR – this is a method to …..
Not cc
Iain - No uptake because not marketed well.
Mei lin – what can we do? IIW
Wendell – many generations of IIW address different needs – material economic, commercial knowledge of GDPR is not here. No one is talking – after GDPR everyone will be talking – IIW can address with incompleteness of industry solutions.