GDPR, IAB Consent Framework, and 'Do Not Track'

GDPR and IAB Consent Framework introduction

The General Data Protection Regulation (GDPR) and ePrivacy directive, created to protect EU (European Union) data subjects' right to privacy and protection of their personal data, took effect on 26 May 2018. In light of these regulations, the Interactive Advertising Bureau (IAB) has developed the Transparency and Consent Framework (TCF) for all parties involved in the digital advertising chain to communicate in a unified way and comply to these regulations when processing personal data or accessing and/or storing information on a user’s device.

The TCF creates an environment where publishers can tell their users what data is being collected, and how their website, app, and the companies they partner with intend to use it. The TCF gives the publishing and advertising industries a common language with which to communicate consumer consent for the delivery of relevant online advertising and content.

As a vendor, according to the Consent Framework, INVIDI has:
  • registered with IAB and is listed in the TCF v2 Global Vendor List,
  • implemented a general INVIDI Pulse account setting for publishers to enforce their GDPR stance account-wide, and
  • implemented GDPR parameters and macros for the publishers to pass in their viewers' consent settings.

Based on the account setting and the GDPR parameters, a viewer is served personalised or non-personalised ads.

Note:

TCF v2.0 was released 21 August 2019 with industry adoption commencing first half of 2020. It introduces significant changes and is not backward-compatible with the earlier version. TCF v1.1 is deprecated and superseded by TCF v2.0.

IAB Europe will continue to support TCF v1.1 until 15 August 2020 and post that date support will be removed, which means support in Pulse ends at the same time.

For more information on the IAB Transparency and Consent Framework v2.0, see Transparency and Consent Framework v2.0 and the associated links.

Registration with IAB as a vendor

Transparency and Consent Framework v2.0

In the TCF v2 Global Vendor List, INVIDI has:
  • Vendor List Version: 34 or higher
  • Vendor ID: 438
  • Purposes for which personal data will be processed and the legal bases to justify the processing:
    • ID = 1, Store and/or access information on a device
    • ID = 2, Select basic ads
    • ID = 3, Create a personalised ads profile
    • ID = 4, Select personalised ads
    • ID = 7, Measure ad performance
    • ID = 9, Apply market research to generate audience insights
    • ID = 10, Develop and improve products

    For purpose 1, consent is the sole legal basis. For purposes 2,3,4,7,9, and 10, the legal basis is consent (default) or legitimate interest, meaning they are flexible purposes.

  • Features INVIDI relies on in support of one or more purposes:
    • ID = 1, Match and combine offline data sources
    • ID = 2, Link different devices

For more information on the purposes and features in TCF v2.0, see Appendix A: Purposes and Features Definitions.

(Deprecated) Transparency and Consent Framework v1.1

In the TCF v1 Global Vendor List (deprecated), INVIDI has:

  • Vendor List Version: 65 or higher
  • Vendor ID: 438
  • Purposes:
    • ID = 1, Storage and access of information
    • ID = 2, Personalisation
    • ID = 3, Ad selection, reporting and delivery

GDPR stance account setting

Your Account Manager can set one of the following values for the GDPR stance:
  • Disabled (default setting): you have no immediate stance on GDPR, but when you send to enable GDPR and/or the consent string with your ad request, targeting is turned on or off accordingly. If these parameters are not sent in with the ad request, then viewers receive personalised ads.
  • IAB Consent Framework: you need to send in the explicit consent from your viewers or explicitly disable GDPR in your ad requests to enable personalised ads. If these parameters are not sent in with the ad request, then viewers only receive non-personalised ads.
  • Legitimate interest: you do not have to send to enable GDPR and/or the consent string with your ad requests, and targeting is turned on by default. However, if these parameters are sent in with the ad request, then targeting is done accordingly.

To know, set, or alter your GDPR stance, please contact your Account Manager.

GDPR parameters and macros

In the IAB Transparency and Consent Framework, the following GDPR parameters are described:
  • gdpr: to indicate whether or not the ad request is subject to GDPR.
  • gdpr_consent: to pass in the URL safe and base64 encoded GDPR consent string.
  • gdpr_pd: to indicate whether or not any of the URL parameters in the ad request contains any personal data.
To pass in the viewers consent settings, and enable Pulse to honour those settings while doing ad selection, use the GDPR parameters according to the integrations you have:
  • VAST and VMAP integration: use these URL GDPR Parameters
  • SDK or plugin integration (HTML5, iOS, and Android): use the request setting GDPR Parameters

To pass on the GDPR parameters in third-party ad requests (as third-party tags), external trackers, and click-through URLs, use the GDPR macros. For real-time bid requests through Pulse, the GDPR parameters are forwarded automatically to DSPs (Demand Side Platform) when present in the original ad request. For DSPs, see the supported bid request fields in the Pulse OpenRTB Integration Documentation.