IAB Transparency and Consent Framework

From IIW

IAB EU Transparency & Consent Framework


Wednesday 3L

Convener: Wendell Baker

Notes-taker(s): Wendell Baker


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


Transparency & Consent Framework, Interactive Advertising Bureau (IAB)

  • Frequently-Asked Questions (FAQ); 2018-03-08.
  • Cookie and Vendor List Format, Version v1.0a
  • CMP.js API, Version v1.0, hosted at Github


Purposes

  • Accessing a device: allow storing or accessing information on a user’s device.
  • Advertising personalisation: allow processing of a user’s data to provide and inform personalised advertising (including delivery, measurement, and reporting) based on a user’s preferences or interests known or inferred from data collected across multiple sites, apps, or devices; and/or accessing or storing information on devices for that purpose.
  • Analytics: allow processing of a user’s data to deliver content or advertisements and measure the delivery of such content or advertisements, extract insights and generate reports to understand service usage; and/or accessing or storing information on devices for that purpose.
  • Content personalisation: allow processing of a user’s data to provide and inform personalised content (including delivery, measurement, and reporting) based on a user’s preferences or interests known or inferred from data collected across multiple sites, apps, or devices; and/or accessing or storing information on devices for that purpose.


Features

  • Matching data to offline sources: combining data from offline sources that were initially collected in other contexts.
  • Linking devices: allow processing of a user’s data to connect such user across multiple devices.
  • Precise geographic location data: allow processing of a user’s precise geographic location data in support of a purpose for which that certain third party has consent.


Purpose versus Feature

  • Purpose is a data use that drives a specific business model and produces specific outcomes for consumers and businesses. Purposes must be itemised at the point of collection, either individually or combined.
  • Feature is a method of data use or data sourcing that overlaps across multiple purposes. Features must be disclosed at the point of collection, but can be itemised separately to cover multiple purposes.


Promotional

  • InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework, at GitHub
  • The Advertising Industry’s GDPR Transparency & Consent Framework, IAB Europe; also advertisingconsent.eu


Transcription of the session by Mei Lin Fung

Organizer, People Centered Internet, co-founded with Vint Cerf

External advisor to the Stanford Center for Population Health Science

Member of the Global Future Council on Digital Economy and Society, World Economic Forum

Member of the Steering Committee, World Economic Forum, Internet for All

Vice Chair, Internet Inclusion, IEEE Internet Initiative 

(e) mlf@alum.mit.edu ; mlfung@gmail.com 

(t) meilinfung


IAB report discussion – Wendell Baker


There is another permissions level –


Consumers who have their consent cookie will participate, de facto is ‘no consent’.


On a chain of custody basis – to signify that consumer had given consent to …..


List permissions defined to date on Pg 18


Consumer can state this in their browser as defined by a publisher


Thru real time bidding – server to server – can signal what consumer has consented to along the way


Because all members of IAB have signed agreement – this is a voluntary group creating a conforming standard


This allows IAB members to speak to each other


Consumer must consent to be tracked otherwise GDPR will not allow it


Doc – Adtech system de facto becomes an identity provider about consumers who have given consent – by solving the cookie mapping problem


Wendell – IAB says we are only doing consent.


Cookie tracking problem – fall out, people hate it, if consumers have an ID... could be helpful


Sam – will content be held hostage – consumers will not consent otherwise


Iain – have to have equivalent service for those who do not consent


Wendell – who is going to sign up for this? At OATH we will launch a dialog to fill in this stuff – 3rd party publishers have to conform to GDPR in Europe – have to ask invasive questions (once provided you log in thereafter)


Cookies will time out – may be very short


Sam – law requires that equivalent service must be provided for those “unwilling to consent”


Wendell – debates with engineers who think only a few will not consent. There will be a wall


Iain – 1 minute past midnight after GDPR – we should expect things to half


Wendell – we expect to be QA’d before going live. Usually on Internet – it’s as it’s rolled out – we will this time, build tests ahead of time – it’s no longer cheap on the web – we will have to insist on provenance tracking


Doc – on commercial web (which is not the whole web – not Wikipedia, not universities) – we will see a new front door on every website


When people see all these front doors – all different – Der Spiegel, Wikipedia, Google – and all have a different consent gauntlet…


Will people hate


The sites

The advertising business

European regulators


Or will there be a universal log in ?


Iain – this is about competitive play for Europe – people expect innovation to spring up in Europe – on the side of the individual


Wendell – log in providers springing up – Universal SSO using SAML will happen – if it’s a paywall, what do you pay, what do you give people who don’t pay – can have tiers of service


Consortia for Universal log in - VIANT


Doc – this table will be half this conference in IIW October


Brides magazine – very confined customer basis


Wendell – lots of niche blocks – ADSENSE will come back – problem in industry is how to show auditing for circulation which we say we have – alternatives to current estimates – working out what is the right balance


Login requirements and Sarbanes Oxley requirements are more onerous


Adblock – was 10-15% then became inflammatory when people emerged using beacons to see if ad was above the fold or not, or whether it appeared or not


In the old days, you could bill for adblock – now viewability tracking is possible for campaigns


Now adblock is untenable to all the industry


See business insider article about the consortia – Axel Springer, VIANT, French newspaper


Imagine you need to log in to newspaper with auditable logs


Andrew – I already do – I have a subscription


Wendell – now the law will require it


Sam – people will have a huge burden – some consent is worth it and some is not going to be worth it


Paywalls, etc – have to move barriers far enough “gauntlet required content” or “gauntlet not required content” that division is going to be really obvious


Wendell – a lot of content is written by robots – eg spammers create content.. financial earnings


Propublica deep dive – real journalism costs a ton of money and risk for a person…


So less material to read – people will recognize the robots – ads will not be able to monetize the robot content in the old way – that could change the proportion of robot content – (MLF: up or down?)


Sam – people will feel it in terms of gauntlet and in terms of distinguishing between content that is robot generated vs human generated


……: What about cut and paste?


Wendell – not supposed to be doing it – that may show up for a while


Targeted audience buying was always odious to publishers…. Supply and demand are usually inverses in econ 101. Buy side is a lot smarter – they are not inverses in practice – changed through more information


Publisher mindset is not sophisticated – supply side is not keeping up with buy side sophistication


Doc – when ad tech came along and brand advertising entered the Internet – there is not a function at the publisher to do that… they will go to a 3rd party and say give us a front door to cover this for the GDPR


Andrew – Yahoo portal may come back – if publishers are told by Google to manage the layer, one way to solve it is to publisher portal


Wendell – OATH family may offer publisher tools –


Doc – May 25th – will every app require it ?


All adware apps have this problem –


Wendell – data must be stuffed into adware SDKs that will work with this


IAB is only display ads – not mobile apps


Consent string thru our apps – we will use the consent signaling string – some adware vendors will say “we will do our own thing”


It’s an IAB decision whether to deal with them


When someone says I’m not ready for IAB…. That’s one thing


When someone says I’m not going to use this – then we say Thank you, when you are ready to do business in Europe, come back


If you have a login system – you get this once. Without log ins – you will be asked every time


Doc – it will be wild


Wendell – analytics will be split in consent and non consent


Doc – the answer is a simple and standard across individual side that says “here’s how I work” across all the stuff (google, etc)


Wendell – would have loved W3C and vendors took it on. Bake in all ideas into next gen browser


Separate cookie jar that holds this cookie


Doc – I followed DNT (do not track) which showed up at Berkman center – someone spoke up – John Mayer – like Do not Call – this became the “tracking preference”


Wendell – that’s Adblock baked in the browser – if the affordance is in the browser baked in at the sale of the device showing the browser – signaled up to the server to know consumer’s preferences


Our nightmare is 1 button – never see ads again – never happened


Tracking preferences for blocking ads – this is a permissions based thing – positive consent

Dave – only works if there is a common ontology


Wendell – IAB has members to develop this

There is a different group on the browser, phone and devices – not been involved.


We are 1 browser release away from universal ID and a cookie management process – they could make the problem go away


Apple instituted ITP – intelligent tracking protection – survey your cookies – if they detect a tracking cookie


If you are in a first party context – user preference prevails


Dave Huston – Firefox had this – I worked on this at Mozilla – not on, by default


Sam – if it is really bad – gauntlet is bad – need to respond


Doc – what can customer commons do?


Wendell – standardize terms. Stand up a consent manager with your own terms


Dave – because you have an accounting piece – consider overlap with decentralized ledgers – they are trying to teach browsers to do authentication using ledgers – signal something to a browser that you are going to consent (or not) to terms


Merge the two ideas together – always have consent payload, sometimes have authentication payload


Wendell – could signal something benign, send it around – consent – if leaked is that a big deal?


Circulate to developers, first responders – if behavior is like a Cert


Dave – will look like when a Bank sends something to a phone – needs to be something on your phone – interactive consent


Sam – use TLS flex one (Evernym)


Andrew – Kantara – data format to report purpose and consent of user – transmit to others – like the cookie but full data format – consent receipt to fill gaps – need transport in, interfaces specified


What would it take to make a transport format (right now it's a data format)


It’s just a spec – this is what a receipt looks like

Dave – could it be an RFC


Andrew – consent receipt envisions the activation of GDPR – this is a method to …..

Not cc


Iain - No uptake because not marketed well.


Mei Lin – what can we do? IIW


Wendell – many generations of IIW address different needs – material economic, commercial knowledge of GDPR is not here. No one is talking – after GDPR everyone will be talking – IIW can address with incompleteness of industry solutions.