IAB Transparency and Consent Framework

From IIW

IAB EU Transparency & Consent Framework

Wednesday 3L

Convener: Wendell Baker

Notes-taker(s): Wendell Baker

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Transparency & Consent Framework, Interactive Advertising Bureau (IAB)

  • Frequently-Asked Questions (FAQ); 2018-03-08.
  • Cookie and Vendor List Format, Version v1.0a
  • CMP.js API, Version v1.0, hosted at Github


  • Accessing a device: allow storing or accessing information on a user’s device.
  • Advertising personalisation: allow processing of a user’s data to provide and inform personalised advertising (including delivery, measurement, and reporting) based on a user’s preferences or interests known or inferred from data collected across multiple sites, apps, or devices; and/or accessing or storing information on devices for that purpose.
  • Analytics: allow processing of a user’s data to deliver content or advertisements and measure the delivery of such content or advertisements, extract insights and generate reports to understand service usage; and/or accessing or storing information on devices for that purpose.
  • Content personalisation: allow processing of a user’s data to provide and inform personalised content (including delivery, measurement, and reporting) based on a user’s preferences or interests known or inferred from data collected across multiple sites, apps, or devices; and/or accessing or storing information on devices for that purpose.


  • Matching data to offline sources: combining data from offline sources that were initially collected in other contexts.
  • Linking devices: allow processing of a user’s data to connect such user across multiple devices.
  • Precise geographic location data: allow processing of a user’s precise geographic location data in support of a purpose for which that certain third party has consent.

Purpose versus Feature

  • Purpose is a data use that drives a specific business model and produces specific outcomes for consumers and businesses. Purposes must be itemised at the point of collection, either individually or combined.
  • Feature is a method of data use or data sourcing that overlaps across multiple purposes. Features must be disclosed at the point of collection, but can be itemised separately to cover multiple purposes.


  • InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework, at GitHub
  • The Advertising Industry’s GDPR Transparency & Consent Framework, IAB Europe; also advertisingconsent.eu

Transcription of the session by Mei Lin Fung

Organizer, People Centered Internet, co-founded with Vint Cerf

External advisor to the Stanford Center for Population Health Science

Member of the Global Future Council on Digital Economy and Society, World Economic Forum

Member of the Steering Committee, World Economic Forum, Internet for All

Vice Chair, Internet Inclusion, IEEE Internet Initiative 

(e) mlf@alum.mit.edu ; mlfung@gmail.com 

(t) meilinfung

IAB report discussion – Wendell Baker

There is another permissions level –

Consumers who have their consent cookie will participate, de facto is ‘no consent’.

On a chain of custody basis – to signify that consumer had given consent to …..

List permissions defined to date on Pg 18

Consumer can state this in their browser as defined by a publisher

Thru real time bidding – server to server – can signal what consumer has consented to along the way

Because all members of IAB have signed agreement – this is a voluntary group creating a conforming standard

This allows IAB members to speak to each other

Consumer must consent to be tracked otherwise GDPR will not allow it

Doc – Adtech system de facto becomes an identity provider about consumers who have given consent – by solving the cookie mapping problem

Wendell – IAB says we are only doing consent.

Cookie tracking problem – fall out, people hate it, if consumers have an ID… could be helpful

Sam – will content be held hostage – consumers will not consent otherwise

Iain – have to have equivalent service for those who do not consent

Wendell – who is going to sign up for this? At OATH we will launch a dialog to fill in this stuff – 3rd party publishers have to conform to GDPR in Europe – have to ask invasive questions (once provided you log in thereafter)

Cookies will time out – may be very short

Sam – law requires that equivalent service must be provided for those “unwilling to consent”

Wendell – debates with engineers who think only a few will not consent. There will be a wall

Iain – 1 minute past midnight after GDPR – we should expect things to half

Wendell – we expect to be QA’d before going live. Usually on Internet – it’s as it’s rolled out – we will this time, build tests ahead of time – it’s no longer cheap on the web – we will have to insist on provenance tracking

Doc – on commercial web (which is not the whole web – not Wikipedia, not universities) – we will see a new front door on every website

When people see all these front doors – all different – Der Spiegel, Wikipedia, Google – and all have a different consent gauntlet…

Will people hate

The sites

The advertising business

European regulators

Or will there be a universal log in ?

Iain – this is about competitive play for Europe – people expect innovation to spring up in Europe – on the side of the individual

Wendell – log in providers springing up – Universal SSO using SAML will happen – if it’s a paywall, what do you pay, what do you give people who don’t pay – can have tiers of service

Consortia for Universal log in - VIANT

Doc – this table will be half this conference in IIW October

Brides magazine – very confined customer basis

Wendell – lots of niche blocks – ADSENSE will come back – problem in industry is how to show auditing for circulation which we say we have – alternatives to current estimates – working out what is the right balance

Login requirements and Sarbanes Oxley requirements are more onerous

Adblock – was 10-15% then became inflammatory when people emerged using beacons to see if ad was above the fold or not, or whether it appeared or not

In the old days, you could bill for adblock – now viewability tracking is possible for campaigns

Now adblock is untenable to all the industry

See business insider article about the consortia – Axel Springer, VIANT, French newspaper

Imagine you need to log in to newspaper with auditable logs

Andrew – I already do – I have a subscription

Wendell – now the law will require it

Sam – people will have a huge burden – some consent is worth it and some is not going to be worth it

Paywalls, etc – have to move barriers far enough “gauntlet required content” or “gauntlet not required content” that division is going to be really obvious

Wendell – a lot of content is written by robots – eg spammers create content.. financial earnings

Propublica deep dive – real journalism costs a ton of money and risk for a person…

So less material to read – people will recognize the robots – ads will not be able to monetize the robot content in the old way – that could change the proportion of robot content – (MLF: up or down?)

Sam – people will feel it in terms of gauntlet and in terms of distinguishing between content that is robot generated vs human generated

……: What about cut and paste?

Wendell – not supposed to be doing it – that may show up for a while

Targeted audience buying was always odious to publishers…. Supply and demand are usually inverses in econ 101. Buy side is a lot smarter – they are not inverses in practice – changed through more information

Publisher mindset is not sophisticated – supply side is not keeping up with buy side sophistication

Doc – when ad tech came along and brand advertising entered the Internet – there is not a function at the publisher to do that… they will go to a 3rd party and say give us a front door to cover this for the GDPR

Andrew – Yahoo portal may come back – if publishers are told by Google to manage the layer, one way to solve it is to publisher portal

Wendell – OATH family may offer publisher tools –

Doc – May 25th – will every app require it ?

All adware apps have this problem –

Wendell – data must be stuffed into adware SDKs that will work with this

IAB is only display ads – not mobile apps

Consent string thru our apps – we will use the consent signaling string – some adware vendors will say “we will do our own thing”

It’s an IAB decision whether to deal with them

When someone says I’m not ready for IAB…. That’s one thing

When someone says I’m not going to use this – then we say Thank you, when you are ready to do business in Europe, come back

If you have a login system – you get this once. Without log ins – you will be asked every time

Doc – it will be wild

Wendell – analytics will be split in consent and non consent

Doc – the answer is a simple and standard across individual side that says “here’s how I work” across all the stuff (Google, etc)

Wendell – would have loved W3C and vendors took it on. Bake in all ideas into next gen browser

Separate cookie jar that holds this cookie

Doc – I followed DNT (do not track) which showed up at Berkman center – someone spoke up – John Mayer – like Do not Call – this became the “tracking preference”

Wendell – that’s Adblock baked in the browser – if the affordance is in the browser baked in at the sale of the device showing the browser – signaled up to the server to know consumer’s preferences

Our nightmare is 1 button – never see ads again – never happened

Tracking preferences for blocking ads – this is a permissions based thing – positive consent

Dave – only works if there is a common ontology

Wendell – IAB has members to develop this

There is a different group on the browser, phone and devices – not been involved.

We are 1 browser release away from universal ID and a cookie management process – they could make the problem go away

Apple instituted ITP – intelligent tracking protection – survey your cookies – if they detect a tracking cookie

If you are in a first party context – user preference prevails

Dave Huston – Firefox had this – I worked on this at Mozilla – not on, by default

Sam – if it is really bad – gauntlet is bad – need to respond

Doc – what can customer commons do?

Wendell – standardize terms. Stand up a consent manager with your own terms

Dave – because you have an accounting piece – consider overlap with decentralized ledgers – they are trying to teach browsers to do authentication using ledgers – signal something to a browser that you are going to consent (or not) to terms

Merge the two ideas together – always have consent payload, sometimes have authentication payload

Wendell – could signal something benign, send it around – consent – if leaked is that a big deal?

Circulate to developers, first responders – if behavior is like a Cert

Dave – will look like when a Bank sends something to a phone – needs to be something on your phone – interactive consent

Sam – use TLS flex one (Evernym)

Andrew – Kantara – data format to report purpose and consent of user – transmit to others – like the cookie but full data format – consent receipt to fill gaps – need transport in, interfaces specified

What would it take to make a transport format (right now it's a data format)

It’s just a spec – this is what a receipt looks like

Dave – could it be an RFC

Andrew – consent receipt envisions the activation of GDPR – this is a method to …..

Not cc

Iain - No uptake because not marketed well.

Mei lin – what can we do? IIW

Wendell – many generations of IIW address different needs – material economic, commercial knowledge of GDPR is not here. No one is talking – after GDPR everyone will be talking – IIW can address with incompleteness of industry solutions.