How The IAB And Ad Tech Plan To Transmit GDPR Consent In Programmatic
by James Hercher
The IAB Tech Lab is tackling the thorny problem of transmitting consent under the European Union’s General Data Protection Regulation.
On Friday, the Tech Lab debuted an openRTB feature to convey user consent through the digital supply chain and unveiled plans to launch a GDPR Technical Working Group tasked with helping programmatic advertisers deal with GDPR and the coming ePrivacy regulation.
GDPR presents a challenge to advertising technology companies “which must be overcome in order to produce a clear and compelling value proposition,” said MediaMath CTO Wilfried Schobeiri.
The problem for advertisers and their vendors is that under GDPR user consent is required in order to apply personal data to media. Users also need to clearly opt in before they can be targeted with ads, retargeted messages or email marketing.
But complexity in the programmatic universe makes that a difficult task, Schobeiri said.
The new IAB openRTB protocol introduces a bidstream data field that indicates if an individual is an EU data subject and whether the person has consented to see targeted ads, as well as what data is available as part of that consent, including age, gender, location and other information the EU considers sensitive.
The publisher supplies the consent and audience data to inform a buyer’s decision.
But this isn’t a magical checkbox for consent, said Oath CTO Jim Butler, a co-chair of the IAB’s openRTB working group since 2011.
The new consent data embedded in programmatic inventory won’t be authoritative. Rather, it’s a way for publishers to signal to bidders that data can be applied for targeting, meaning that inventory is likely to be considered more valuable.
But it’s still possible for an advertiser or ad tech company relying on openRTB consent data to violate GDPR.
In other words, adhering to the openRTB consent data isn’t a legal solution to GDPR, Butler said. It’s a functional solution for programmatic players looking for EU audiences they can feel comfortable targeting.
For now, at least, the string of openRTB consent data only moves one way along the supply chain, from publisher to buyer. More work is needed to connect the publisher data to opted-in audiences that vendors or brands bring to the table. That’s what advertisers will need if they want to target based on identity and not just demographic segmenting.
The GDPR working group and the IAB openRTB working group are also developing methods to keep media companies or tech intermediaries from tampering with the data transmitted in the consent string, which “must be immutable throughout the flow of a transaction,” according to the IAB Tech Lab’s GDPR consent update.
The word “immutable” is a veiled allusion to blockchain-based cryptographic solutions, which the IAB Tech Lab and the main openRTB working group have recently embraced as a way to transmit data and inventory without the possibility of distortion, like ad networks replacing URLs or fudging audience info to trick exchange buyers.