GDPR, IAB Consent Framework, and 'Do Not Track'
GDPR and IAB Consent Framework introduction
The General Data Protection Regulation (GDPR) and ePrivacy directive, created to protect EU (European Union) data subjects' right to privacy and protection of their personal data, took effect on 26 May 2018. In light of these regulations, the Interactive Advertising Bureau (IAB) has developed the Transparency and Consent Framework (TCF) for all parties involved in the digital advertising chain to communicate in a unified way and comply to these regulations when processing personal data or accessing and/or storing information on a user’s device.
The TCF creates an environment where publishers can tell their users what data is being collected, and how their website, app, and the companies they partner with intend to use it. The TCF gives the publishing and advertising industries a common language with which to communicate consumer consent for the delivery of relevant online advertising and content.
- registered with IAB and is listed in the TCF v2 Global Vendor List,
- implemented a general INVIDI Pulse account setting for publishers to enforce their GDPR stance account-wide, and
- implemented GDPR parameters and macros for the publishers to pass in their viewers' consent settings.
Based on the account setting and the GDPR parameters, a viewer is served personalised or non-personalised ads.
TCF v2.0 was released 21 August 2019 with industry adoption commencing first half of 2020. It introduces significant changes and is not backward-compatible with the earlier version. TCF v1.1 is deprecated and superseded by TCF v2.0.
IAB Europe will continue to support TCF v1.1 until 15 August 2020 and post that date support will be removed, which means support in Pulse ends at the same time.
For more information on the IAB Transparency and Consent Framework v2.0, see Transparency and Consent Framework v2.0 and the associated links.
Registration with IAB as a vendor
Transparency and Consent Framework v2.0
- Vendor List Version: 34 or higher
- Vendor ID: 438
- Purposes for which personal data will be processed and the legal bases to
justify the processing:
- ID = 1, Store and/or access information on a device
- ID = 2, Select basic ads
- ID = 3, Create a personalised ads profile
- ID = 4, Select personalised ads
- ID = 7, Measure ad performance
- ID = 9, Apply market research to generate audience insights
- ID = 10, Develop and improve products
For purpose 1, consent is the sole legal basis. For purposes 2,3,4,7,9, and 10, the legal basis is consent (default) or legitimate interest, meaning they are flexible purposes.
- Features INVIDI relies on in support of one or more purposes:
- ID = 1, Match and combine offline data sources
- ID = 2, Link different devices
For more information on the purposes and features in TCF v2.0, see Appendix A: Purposes and Features Definitions.
(Deprecated) Transparency and Consent Framework v1.1
In the TCF v1 Global Vendor List (deprecated), INVIDI has:
- Vendor List Version: 65 or higher
- Vendor ID: 438
- ID = 1, Storage and access of information
- ID = 2, Personalisation
- ID = 3, Ad selection, reporting and delivery
GDPR stance account setting
- Disabled (default setting): you have no immediate stance on GDPR, but when you send to enable GDPR and/or the consent string with your ad request, targeting is turned on or off accordingly. If these parameters are not sent in with the ad request, then viewers receive personalised ads.
- IAB Consent Framework: you need to send in the explicit consent from your viewers or explicitly disable GDPR in your ad requests to enable personalised ads. If these parameters are not sent in with the ad request, then viewers only receive non-personalised ads.
- Legitimate interest: you do not have to send to enable GDPR and/or the consent string with your ad requests, and targeting is turned on by default. However, if these parameters are sent in with the ad request, then targeting is done accordingly.
To know, set, or alter your GDPR stance, please contact your Account Manager.
GDPR parameters and macros
gdpr: to indicate whether or not the ad request is subject to GDPR.
gdpr_consent: to pass in the URL safe and base64 encoded GDPR consent string.
gdpr_pd: to indicate whether or not any of the URL parameters in the ad request contains any personal data.
To pass on the GDPR parameters in third-party ad requests (as third-party tags), external trackers, and click-through URLs, use the GDPR macros. For real-time bid requests through Pulse, the GDPR parameters are forwarded automatically to DSPs (Demand Side Platform) when present in the original ad request. For DSPs, see the supported bid request fields in the Pulse OpenRTB Integration Documentation.
'Do Not Track' Setting in Browsers
When a viewer has enabled the 'Do Not Track' option in their browser, then DNT=1 is automatically added in the header of all their HTTP and HTTPS requests. The intention of this setting is to opt out of user tracking, but it is up to the requested sites to implement something respecting this setting. When 'DNT=1' is found in the header for any requests to Pulse, then the personal data used for targeting is stripped from the request, and the viewer only receives non-personalised ads. This behaviour is the same as when the viewer opts out for targeted ad delivery through the implementation of the IAB Consent Framework.
Ad Selection Implications of GDPR and 'Do Not Track'
When a viewer has given consent for a third-party ad server or a DSP, but not for Pulse, then:
- campaigns and/or goals related to these third parties are not selected when they have any targeting set in Pulse related to location, platform/device and/or audience, and
- information needed by these third parties to do personalisation may not be present in the third-party ad request when they are selected by Pulse, because certain macros are not expanded.
- location information
- personal identifier used for:
- frequency capping,
- ad sequencing,
- clash protection, and
- forwarding to DSPs for their identification
- platform or device information
- audience information
The decision flow to select personalised ads or not, taking the GDPR parameters and the account setting into account, looks as follows:
Reporting Implications of GDPR and 'Do Not Track'
When the viewer has opted out, or the consent information is missing when it is required, Pulse also anonymises the tracking (impressions, click-throughs, ...) for the viewer. Due to this, the amount of unique impressions is lower, and reporting on frequency capped campaigns may give unexpected results when comparing impression counts with unique impression counts.
For example, assume you have a campaign where you set that there can be maximum one ad impression for each viewer over the campaign's lifetime:
If a viewer has opted out, and has seen the campaign already, they are still treated as another 'unique' viewer by Pulse and may be served the same campaign. For this specific campaign, you would expect that the amount of unique impressions is the same as all impressions. However, in the tracking, each anonymous viewer is given the same identifier, which results in less unique impressions delivered compared to all impressions.