
Is The IAB’s Consent Framework In Trouble?


The IAB Europe’s GDPR Transparency and Consent Framework – which many ad tech companies now depend on to pass user consent strings – could be on shaky legal ground.

On Nov. 9, France’s data protection authority, the Commission nationale de l’informatique et des libertés (the CNIL), issued a warning against a small French ad tech company called Vectaury that collects and processes geolocation data through a software development kit for programmatic advertising.

At first glance, the warning seems vanilla enough. The CNIL calls out Vectaury because the consent management platform it created using the IAB’s framework to collect consent from its publisher and SSP partners doesn’t give users the opportunity to provide consent that is informed, specific and fully opt-in.

The company now has three months to purge any data that was collected without consent, to stop processing location data without a legal basis to do so and to prove to the CNIL that all of its practices are on the up and up.

“What comes out of this decision is that the CNIL does not appear opposed to consent as a legal basis for the processing of data for digital advertising and targeting,” said Townsend Feehan, CEO of IAB Europe. “It’s just a question of whether the conditions for consent are met in the execution.”

But a closer examination of the language in the CNIL’s warning spells potential trouble, or at least another wrinkle, for users of the IAB’s transparency and consent framework as it stands.

Through bid requests, Vectaury was able to collect data on 67.6 million users derived from over 32,000 apps. But when the CNIL audited Vectaury’s server logs, the company couldn’t provide a consent string through its CMP for every single ID.

Downstream partners in a supply chain – DSPs, SSPs and DMPs, for example – aren’t in a great position to collect user consent on their own, so if they want to comply with GDPR, they generally depend on consumer-facing publishers to get consent on their behalf and pass it along within a secure CMP.

That’s fine, if the controller – which is Vectaury, in this case – can prove that users have given consent to have their personal data processed. But this can’t, in the CNIL’s view, “be fulfilled by the mere presence of a contractual clause guaranteeing an initial consent validly collected.”

In other words, the CNIL is implying that controllers can’t just rely on their partners to gather consent for them. If you receive a consent string, it’s also your job to verify it.

“This means that if someone gains consent for you, and you have a contract saying it’s their responsibility to do so, you *still* have the obligation to verify that the consent is valid,” Robin Berjon, executive director of implementation and data governance at The New York Times, tweeted on Friday in reaction to the CNIL’s notice.

But there’s nothing wrong with the concept underlying the framework, according to the IAB.

“A story like this just reinforces to me the need for legal compliance, but also the degree to which the framework ticks all of those boxes,” Feehan said. “The conclusion I would draw from the CNIL’s decision is that it’s perfectly comfortable with consent as a legal basis – but you need to be in compliance with the rules.”

The CNIL recently expressed cautious approval of the work that the IAB has been doing with its consent framework. In September, during a panel at DMEXCO in Cologne, Armand Heslot, a privacy and security expert at the CNIL, said that although the framework is “of course not perfect, it’s going in the right direction.”

“Overall, that is a good approach, and that’s what we would like to see from the industry,” Heslot said, giving succor to an audience of ad tech folks.

But even with a perfect consent system, there are problems, said Johnny Ryan, chief policy and industry relations officer at open-source web browser Brave, who called the IAB’s framework “quicksand upon quicksand.”

“[Vectaury] is clearly just the tip of the iceberg,” Ryan said. “Billions of bid requests are broadcast each day, with no control over what ad tech companies do with the data.”

In September, Brave filed a complaint in the United Kingdom and Ireland arguing that real-time bidding and the systematic sharing of bid request data by Google and other ad tech companies constitutes a data breach under GDPR.

It’s worth pointing out that Google still hasn’t adopted the IAB framework, which many believe reflects that Google doesn’t consider it to be GDPR compliant. To get in line with GDPR, Google released its own CMP, called Funding Choices.

But if the CNIL is questioning the notion of how consent strings function, Google could find itself in the same, possibly leaky boat as the rest of the ad tech industry.

The warning against Vectaury is the fourth issued by the CNIL since August. In September, the CNIL cautioned two French geolocation data companies, Teemo and Fidzup, for processing data without consent. Teemo was cleared early last month, with no word yet on Fidzup’s progress. In late October, another French startup that collects geolocation data for advertising purposes, SingleSpot, was called out by the CNIL for not gathering informed consent.

[Updated 11/20/18 with a correction to the number of users in Vectaury’s database.]
