With GDPR in full effect since 25 May, marketers, publishers, and advertisers continue to work diligently to interpret the law and be GDPR compliant, even as they continue to try and deliver high-quality products and services. As many organizations have discovered, achieving both of those objectives can be a challenge.
Some of that challenge comes from within the advertising industry. Advertising giants Google and Facebook’s official stance on GDPR continues to frustrate and concern advertisers and publishers globally.
Given Google and Facebook’s extraordinary influence, how they respond to GDPR will undoubtedly affect the rest of the ad tech ecosystem – both for good or for bad. While Google’s director of product management, Scott Spencer, was recently on record saying, “we absolutely want to be part of the IAB Framework,” the lack of firm details continues to create uncertainty.
What Google products will be in the framework? When will Google join? And while Google’s recent announcement lifting their 12 vendor list limitation is an encouraging step, it leaves many industry leaders wondering, are the letters in Alphabet talking to each other? And who is steering the boat when it comes to GDPR?
What is a small to medium-sized website operator who just wants to get back to creating quality content, making money, and being GDPR compliant to do?
Friendliness of the Framework
Quantcast believes the open source IAB framework is the best way for everyone — advertisers, publishers, and consumers — to be on the same page concerning GDPR and consumer consent. Not only does the IAB Europe Transparency & Consent Framework provide out-of-the-box transparency, but it also offers easy administration for website operators and its open-source structure decreases the reliance the digital ecosystem has on any one provider for a CMP solution.
Quantcast Choice is proud to be one of the first CMPs to fully adopt the IAB Europe Framework along with many other incredible vendors, and we are hopeful that CMPs and vendors continue to support the IAB initiative.
One of the many benefits of the IAB Framework is that the process to apply to become part of the Global Vendor list is straightforward. With minimum friction to apply, any CMP or vendor can request to become a Global Vendor, which when accepted, allows for seamless communication among publishers and advertisers. Today there are more than 300 vendors who have registered for the Global Vendor list. It is a requirement for all CMPs and vendors to be compliant with the policies of the Framework in order to remain on the IAB lists.
Speaking The Same Language of Consent
One of the most powerful components of the IAB Europe Framework is that it allows all vendors who do business online (ad exchanges, verification vendors, analytics companies, etc.) to communicate in the same language concerning consumer consent. Without a communications standard, it is virtually impossible for vendors to obtain consumer consent and transmit it across a multitude of integrations and third-party data services.
As stated by IAB Europe, the sole objective of the Framework is “to help all parties in the digital advertising chain ensure that they comply with the EU’s General Data Protection Regulation when processing personal data or accessing non-personal or personal data on user devices.” By choosing to be a part of the IAB ecosystem as an organization, you are committing to use the best available information regarding GDPR to ensure compliance. CMPs that adhere to the IAB Europe Framework will provide transparency into the ways companies intend to comply with GDPR requirements and allow publishers and advertisers to get a clear view of which organizations are committed to being GDPR compliant.
Unfortunately, not everyone is speaking the same language yet. When evaluating your options for a CMP, make sure the solution is 100% compliant with the IAB Europe Framework. In the early days of CMP adoption, there are a number of CMPs that are still not fully conforming to the spec. Using a service like BuiltWith, you can see a number of vendors whose CMP solutions are not properly setting or storing the consent signal so that vendors can read it. In looking at compliance, we’ve seen the following common mistakes that website operators need to make sure that CMPs on their short-list are doing:
- Look at the code, make sure that the CMP is delivering their code from the .consensu.org domain. If they’re not, that CMP is not compliant with the spec.
- Make sure the name of the cookie is “euconsent” or “eupubconsent.” If that is not the name of the cookie, then other IAB Framework CMPs will not be able to find and read the cookie.
- Check the contents of the cookie itself to make sure the data contained in it is properly compressed per the IAB framework specification. If not, other CMPs will not be able to unpack it to read or share the signal throughout the ecosystem
The Flow of Consumer Consent – How does it work?
What people tend to forget is that gaining consent is only half the challenge. The “flow” of this consent through the ecosystem is why the IAB Framework matters so much. Consider the two scenarios:
Scenario 1: User grants full consent (at purpose and vendor level) via a CMP
Result: Consent is given via the Publisher and communicated to the Ad Server and all vendors throughout the daisy chain that can read the consent. DSPs receive the consent, are able to make bids, and communicate back through the ad exchange to the Publisher (or programmatic inventory source) to serve an ad and fire pixels for any of the relevant vendors/purposes.
Scenario 2: User grants partial consent (at purpose and vendor level) via a CMP
Result: Similar to the first scenario however some of the vendors or purposes do not receive granted consent. In this illustration, the user only grants consent to two DSPs, therefore the ad server is not able to use that user’s cookie information, but two of the three DSPs are able to use the consent signal to make a bid and serve the content.
This is a basic illustration of how consent flows using a CMP – where all ad servers, DSPs, etc. speak the same language. If another vendor were part of this process and not on the Framework – they would be a stand-alone in the diagram with no connected line. Basically, they’d be disjointed.
CMPs and vendors which have adopted the IAB Europe Framework set a strong precedent that the advertising and publishing industry is taking consumer privacy seriously, which can only improve the tech industry as a whole. Furthermore, those that comply with the IAB Europe Framework will be heavily sought by publishing and advertising partners all around the globe.
Watch my interview with the IAB about the benefits of CMPs and the IAB Framework.
The Consequence of Divergent Paths
One of the more concerning parts about the lack of communication from Google and Facebook regarding GDPR is that if they ultimately do not end up adopting the IAB Europe Framework, other adtech vendors will receive no consent signal from their services. Without consent signals from Google and Facebook, vendors would be unable to serve campaigns where their products are included DCM, DFP, Adx, etc.). While Google and Facebook have no doubt done many great things for the advertising industry, not adopting the IAB framework could be simply a play for complete tech dominance.
Because the ad tech ecosystem relies heavily on the interaction between third parties and other vendors, it’s essential for the industry to agree on a standard language of consent for all of us to communicate. If one thousand vendors speak the same language, but one or two do not, then consent cannot translate between them.
As I recently shared in my Forbes article Seven Tough Questions Publishers Should Be Asking Google On GDPR, “There are plenty of reasons to admire Google as an organization. There’s no arguing that it’s had a positive impact on our world in many ways. On this occasion, however, they’ve got it wrong. I’d encourage publishers to hold them to account if they are to avoid facing insurmountable challenges when it comes to building sustainable businesses now and in the future.”
For publishers and advertisers to continue to innovate while remaining GDPR complaint, we believe it is in the best interest of everyone in the digital content ecosystem — publishers, advertisers, and consumers — to fully adopt the IAB framework, so all parties can communicate seamlessly. Only then can we get back to delivering products and services that bring value to both businesses and consumers around the world.