GDPR, IAB Consent Framework and 'Do Not Track' in Pulse

GDPR and IAB Consent Framework Introduction

The General Data Protection Regulation (GDPR) and ePrivacy directive, created to protect EU (European Union) data subjects' right to privacy and protection of their personal data, took effect on 26 May 2018. In light of these regulations, IAB has developed the Transparency and Consent Framework for all parties involved in the digital advertising chain to communicate in a unified way and comply to the regulations.

As a vendor, according to the consent framework, we have:
  • registered with IAB and are listed in the Global Vendor and CMP list,
  • implemented a general site setting for publishers to enforce their GDPR stance site wide, and
  • implemented GDPR parameters and macros for the publishers to pass in their viewers consent settings.

Based on the site setting and the GDPR parameters, a viewer is served personalised or non-personalised ads.

Registration with IAB as a Vendor

In the Global Vendor and CMP list, we have:

  • Vendor List Version: 65 or higher
  • Vendor ID: 438
  • Purposes:
    • ID = 1, Storage and access of information
    • ID = 2, Personalisation
    • ID = 3, Ad selection, reporting and delivery

For more information on the purposes, see What are the purposes and features being supported.

GDPR Stance Site Setting

Your Account Manager can set one of the following values for the GDPR stance:
  • Disabled (default setting): you have no immediate stance on GDPR, but when you send to enable GDPR and/or the consent string with your ad request, targeting is turned on or off accordingly. If these parameters are not sent in with the ad request, then viewers receive personalised ads.
  • IAB Consent Framework: you need to send in the explicit consent from your viewers or explicitly disable GDPR in your ad requests to enable personalised ads. If these parameters are not sent in with the ad request, then viewers only receive non-personalised ads.
  • Legitimate interest: you do not have to send to enable GDPR and/or the consent string with your ad requests, and targeting is turned on by default. However, if these parameters are sent in with the ad request, then targeting is done accordingly.

To know, set or alter your GDPR stance, please contact your Account Manager.

GDPR Parameters and Macros

In IAB's Transparency and Consent Framework, the following GDPR parameters are described:
  • gdpr: to indicate whether or not the ad request is subject to GDPR.
  • gdpr_consent: to pass in the URL safe and base64 encoded GDPR consent string.
  • gdpr_pd: to indicate whether or not any of the URL parameters in the ad request contains any personal data.
To pass in the viewers consent settings, and enable Pulse to honour those settings while doing ad selection, use the GDPR parameters according to the integrations you have:
  • VAST and VMAP integration: use these URL GDPR Parameters
  • SDK or plugin integration (HTML5, iOS, and Android): use the request setting GDPR Parameters

To pass on the GDPR parameters in third-party ad requests (as third-party tags), external trackers and click-through URLs, use the GDPR macros. For real-time bid requests through Pulse, the GDPR parameters are forwarded automatically to DSPs (Demand Side Platform) when present in the original ad request. For DSPs, see the ext{} fields in the Pulse OpenRTB Integration Documentation.