Consent Signals – An Explainer

Posted by Jonas Jaanimagi on November 29, 2023

With the Privacy review now well under way here in Australia, discussions related to the collection and management of, and adherence to, consumer consent for digital advertising are becoming more prevalent across the industry. As a result, we felt it timely to provide some background on how this is managed in a couple of other global markets through various frameworks, to help support more meaningful local discussions on this topic moving forwards.

In order to do this we’ll look at both GDPR (General Data Protection Regulation) in Europe and CCPA (California Consumer Privacy Act) in California and how industry meets the differing requirements through the technical support of IAB Tech Lab.

Just a quick reminder about IAB Tech Lab, which develops, oversees and updates critical global technical standards and solutions – designed to enable and support a healthy and sustainable digital media and advertising industry. Key areas of focus are transparency, fraud, identity, data, consumer privacy, ad experiences & measurement, and programmatic effectiveness.

Quick note also on the Accountability Platform specs, which IAB Tech Lab released in draft on 14th December 2023. The objective of the Accountability Platform is to provide a consistent means by which digital ad industry participants, self-regulatory regimes, auditors and other interested parties can evaluate the correctness and completeness of communication of user preference signals (such as consent signals and GPP strings) within the digital ad supply chain. The general intent of the platform is to encourage responsible use of identifiers in ad delivery and measurement use-cases by providing support for employing them in accordance with user preferences.

To read a dedicated explainer on the Accountability Platform simply click here


GDPR & CCPA

The General Data Protection Regulation (GDPR) is key European legislation that unified and significantly updated the data privacy laws across the European Union. GDPR was approved by the European Parliament in April 2016 and came into effect in May 2018.

For the purposes of digital advertising, under GDPR companies can’t legally process any individual’s personally identifiable information (PII) without meeting a number of conditions. These include businesses providing consumers with clear and concise information about their data practices and obtaining an individual’s explicit consent before using any of their data and resulting attributes for advertising purposes. As a result, GDPR requires a consent framework which can handle both opt-in and opt-out signals from a consumer and ensure that these can be responsibly passed through to tech vendors and adhered to consistently and persistently throughout the online advertising ecosystem.

Meanwhile, the CCPA (California Consumer Privacy Act) was passed in 2018 and came into effect in January 2020, giving Californian consumers specific rights over the personal information that businesses collect about them. It also requires businesses to inform consumers about how they collect, use, and retain their personal information. This legislation was the first comprehensive consumer privacy law passed in the United States – and 4 other US states (Colorado, Connecticut, Virginia, and Utah) have since followed suit. In 2020, California voters also approved the California Privacy Rights Act (CPRA) as an amendment to the CCPA by adding additional consumer privacy rights and obligations for businesses – and this came into force in January 2023.

In terms of consent the CCPA is based primarily on an opt-out consent framework giving Californian consumers the ability to opt-out of the sale or sharing of their personal information, including opting out from any cross-contextual behavioral advertising, and the right to limit the use or disclosure of sensitive personal information. To ensure compliance, businesses are required to provide a very clear and conspicuous link titled ‘Do Not Sell or Share my personal information’ that lets consumers opt-out of the sale or sharing of their personal information.

image source: datahash.com


Global Privacy Platform (GPP)

The Global Privacy Platform (GPP) is part of a portfolio of solutions developed by IAB Tech Lab, to help industry solve for the challenges that come with the need to address differing and evolving privacy regulations worldwide.

The GPP is a protocol and set of APIs designed to enable digital advertising supply chain participants to signal user privacy consent and choice through the digital ad supply chain. The GPP offers the industry a sustainable way to adapt to changes in existing privacy regulations and adopt new ones with its flexible, channel-agnostic, and open architecture. The GPP will ultimately reduce costs by eliminating the need to implement different, bespoke technologies for privacy signaling for every jurisdiction and every digital media channel, including browser, mobile (app & web), and CTV.

The GPP currently supports three key consent strings:

US State Signals – a set of privacy string specifications developed to support privacy signals from five US states (California, Virginia, Colorado, Utah, and Connecticut). These are used to support the IAB CCPA Compliance Framework, which includes specifications for the creation and transport of privacy strings as well as data deletion request handling.

IAB Europe’s TCF for GDPR – IAB Europe, supported technically by IAB Tech Lab, in April 2018 developed the Transparency & Consent Framework (TCF) to help all parties in the digital advertising chain ensure that they comply with the EU’s GDPR when processing personal data or accessing or storing information on a user’s device, such as cookies, advertising identifiers and device identifiers. The latest version was released in May 2023 (TCF v2.2) to respond to the changing needs of the industry in terms of transparency and compliance.

image source: iabeurope.eu

IAB Canada’s TCF – The Transparency and Consent Framework Canada (TCF Canada) acts as a roadmap for publishers, technology vendors, agencies, advertisers and digital marketers to ensure they are working under appropriate legal purposes for processing personal data in the Canadian market. TCF Canada provides technical specifications and policy documents to help players in the digital marketing and advertising ecosystem clearly and consistently communicate with end users about how their data is being used, while also providing an opportunity for users to object and manage their consent preferences.

Other markets (such as India, Brazil & Australia) are also in consideration for consent strings to be developed using the GPP and GPP strings in the future, once the legislation in these markets moves from proposals into draft form. Also note that previously the US Privacy specifications had been used to support the IAB CCPA Compliance Framework, but from January 31st 2024 all current and future US State Signals will only be available using the GPP.

GPP String

The GPP string allows for communicating a user’s privacy preferences across jurisdictions. It combines all the user preferences for all and any jurisdictions into one single string. The privacy signals will not change for existing signals like USPrivacy and TCF as they will become a section within the GPP. For new signals, the GPP has a taxonomy that includes all known data purposes and data uses that can be combined to create manifests for any given jurisdiction. Policy bodies maintain governance over what must be included in a privacy string for a given jurisdiction, but a standard way to encode them makes it easier for industry to adopt.

CMP API Specification

The GPP CMP APIs formalise a standard way for participants in the digital advertising ecosystem to expose and retrieve privacy signal details. For existing privacy signals, the CMP API is a bridge. For anything new, for example a privacy string in support of Canada’s Transparency and Consent Framework, a new API definition is not needed and no new JavaScript logic is needed, so IAB Tech Lab would only need to specify the commands that are needed for that jurisdiction.

For more information on IAB Tech Lab’s GPP simply click here


What is a Consent Management Platform (CMP)?

Consent Management Providers (CMPs) provide a user interface to establish transparency to users, and obtain consent or register objections from end users, and capture their preferences in consent signals. This helps companies to collect, manage, and track user consent for data processing and comply with data privacy regulations, such as GDPR and CCPA.

For the purpose of adherence to GDPR these consent signals are packaged in a standardised, easily-communicated payload called a Transparency & Consent String (TC String) and we’ll look more closely at these and how they work in the next section. As a simple example of an interface, see below:

image source: cookiefirst.com

CMPs generally must provide these key features to satisfy requirements:

Consent Collection – CMPs must provide user-friendly interfaces for websites and apps to gather consent from their visitors. This includes obtaining granular consent for specific data collection (both PII & non-PII) and processing purposes, such as personalised advertising, location tracking, and social media integration. This ensures that users have full transparency and choice regarding the ad tech vendors that a publisher has selected to work with.

Consent Storage and Management – CMPs must securely store and manage user consent records, ensuring that they are readily accessible and auditable. This allows companies to demonstrate compliance with data privacy regulations and, if required, a CMP can provide access to log data for auditing and compliance.

Consent Enforcement – CMPs must capture and store users’ choices in the form of a TC String and integrate with ad tech vendors such as ad servers, SSPs, analytics platforms to enforce user consent preferences. This means that data processing activities only occur in accordance with the user’s granted consent.

Consent Preference Management – CMPs must provide users with the ability to review, update, or revoke their consent preferences at any time. This empowers individuals to control their data privacy and make informed decisions about how their data is used.

For a full list of approved CMPs for IAB Europe’s TCF you can review their Global Vendor List


What are Consent Strings?

A consent string is a standardised way of communicating a consumer’s consent preferences through to the online advertising ecosystem. It is a string of characters that is generated by a CMP and passed along with ad requests. The consent string contains information about the individual’s consent for various purposes, such as targeted personalised advertising, location tracking, and data sharing.

The use of consent strings ensures that online advertising can be compliant with regulations such as GDPR & CCPA, and by using a consistent format, consent strings can be easily interpreted by ad exchanges, ad networks, and other parties throughout the advertising ecosystem. This helps to ensure that user data is only used in accordance with the user’s consent preferences.

As mentioned previously, the consent string for IAB Europe’s TCF is called a Transparency & Consent String (TC String) and is composed of flexible and discrete segments which can also be transported via OpenRTB. A TC String’s primary purpose is to encapsulate and encode all the information disclosed to a user and the expression of their preferences for their personal data processing under the GDPR.

Using a Consent Management Platform (CMP), the information is captured into an encoded and compact HTTP-transferable string. This string enables communication of transparency and consent information to vendors that process a user’s personal data. Vendors decode a TC String to determine whether they have the necessary legal bases to process a user’s personal data for their purposes. The concise string data format enables a CMP to persist and retrieve a user’s preferences any time they’re needed as well as transfer that information to any vendors who need it.

It’s also worth being aware that these consent strings are also referred to as a daisybit. This is because it is a series of ones and zeros, also referred to as ‘bits’, which in the context of online advertising acts as a piece of compressed binary information that can be passed throughout the online advertising ecosystem (through the OpenRTB specification) to transfer the consent status of the user visiting a website. As an example, a publisher might work with 10 different vendors. Going by the process, a daisybit or consent string is generated on the basis of user input, which may look like: 1100100101. This is a ten-digit combination where each digit gives the consent status chosen by the user for a different vendor, where 1 is equal to ‘Yes’ (consent allowed), while 0 is equal to ‘No’ (consent denied).

image source: adpushup.com

With regards to the TC String, the expectation is that it contains the following information:

General metadata: standard markers that indicate details about a TC String such as its encoding version, when it was last updated, and when it was initially created as well as details about the conditions of the transparency and consent values it contains such as the Global Vendor List version used, the CMP used, etc.

User consent: a user’s expression of consent given for processing their personal data. A user’s consent is expressed on two levels: per Purpose and per Vendor.

Legitimate interest: the record of a CMP having established legitimate interest transparency for a vendor and/or purpose and whether the user exercised their ‘Right to Object’ to it. This includes signals for Purposes in general and Purposes declared specifically for a given Vendor.

Publisher restrictions: the restrictions of a vendor’s data processing by a publisher within the context of the users trafficking their digital property.

Publisher transparency and consent: a segment of a TC String that publishers may use to establish transparency with and receive consent from users for their own legal bases to process personal data or to share with vendors if they so choose.

Specific jurisdiction disclosures: the country in which the publisher’s business entity is established or the legislative country of reference and a record of whether the purpose to ‘store and/or access information on a device’ was clearly disclosed to the user – since some jurisdictions handle this purpose differently.

Created timestamp: this indicates the time at which the consent string was generated.

When a user visits a website or uses an app that displays ads, the CMP will collect their consent preferences. The CMP will then generate a consent string based on the user’s preferences. This consent string will be passed along with ad requests to ad exchanges, ad networks, and other parties in the advertising ecosystem. The parties in the advertising ecosystem will use the consent string to determine how to use the user’s data.
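An added example (not from the original post or from IAB Tech Lab) of how a vendor might read the per-purpose and per-vendor consent bits described above and fail closed on malformed input; it goes beyond the page's ten-vendor daisybit by wrapping it in the TC String core-segment header. The field names and bit widths are assumed from the public TCF v2 layout rather than taken from this page, range-encoded vendor sections are treated as unsupported, and the sample string is constructed.

```javascript
// Field names and bit widths of the TCF v2 core segment, assumed from the
// public TCF v2 layout (not given on this page). Added example, not IAB code.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
const FIELDS = [
  ["version", 6], ["created", 36], ["lastUpdated", 36], ["cmpId", 12],
  ["cmpVersion", 12], ["consentScreen", 6], ["consentLanguage", 12],
  ["vendorListVersion", 12], ["policyVersion", 6], ["isServiceSpecific", 1],
  ["useNonStandardTexts", 1], ["specialFeatureOptIns", 12],
  ["purposesConsent", 24], ["purposesLI", 24], ["purposeOneTreatment", 1],
  ["publisherCC", 12], ["maxVendorId", 16], ["isRangeEncoding", 1],
];

// Helper for the constructed sample only: pack header values plus a vendor
// bitfield (the page's "daisybit") into a base64url string.
function encodeCore(values, vendorBits) {
  let bits = FIELDS.map(([n, w]) => (values[n] || 0).toString(2).padStart(w, "0")).join("") + vendorBits;
  bits = bits.padEnd(Math.ceil(bits.length / 6) * 6, "0");
  return bits.match(/.{6}/g).map((c) => B64[parseInt(c, 2)]).join("");
}

// Decode the core segment (the text before the first "."); null if malformed.
function decodeCore(tcString) {
  const core = String(tcString).split(".")[0];
  if (!core || [...core].some((c) => !B64.includes(c))) return null;
  const bits = [...core].map((c) => B64.indexOf(c).toString(2).padStart(6, "0")).join("");
  const out = {};
  let pos = 0;
  for (const [name, width] of FIELDS) {
    if (pos + width > bits.length) return null; // truncated header
    out[name] = parseInt(bits.slice(pos, pos + width), 2);
    pos += width;
  }
  if (out.version !== 2 || out.isRangeEncoding) return null; // not handled here
  if (pos + out.maxVendorId > bits.length) return null; // truncated bitfield
  out.vendorBits = bits.slice(pos, pos + out.maxVendorId);
  return out;
}

// Fail closed: consent only when both the purpose bit and the vendor bit are 1.
function hasConsent(tcString, vendorId, purposeId) {
  const tc = decodeCore(tcString);
  if (!tc || vendorId < 1 || vendorId > tc.maxVendorId) return false;
  if (purposeId < 1 || purposeId > 24) return false;
  const purposeBits = tc.purposesConsent.toString(2).padStart(24, "0");
  return purposeBits[purposeId - 1] === "1" && tc.vendorBits[vendorId - 1] === "1";
}

// Constructed sample: CMP 7, vendor list 30, consent for purposes 1 and 3,
// and the page's ten-vendor daisybit as the vendor consent section.
const SAMPLE = encodeCore({ version: 2, created: 17012160000, lastUpdated: 17012160000,
  cmpId: 7, vendorListVersion: 30, policyVersion: 4,
  purposesConsent: (1 << 23) | (1 << 21), maxVendorId: 10 }, "1100100101");
```

Anything that does not decode cleanly (a truncated string, an unknown version, a vendor ID beyond `maxVendorId`) is treated as no consent rather than as an error to be ignored.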

It’s highly likely that sometime in 2024 IAB Tech Lab will work to consolidate all of the IAB compliance strings into one GPP string for consistency. For instance, the US Privacy signal will be deprecated on January 31st 2024 and all users of the US Privacy String are now being recommended to adopt the Global Privacy Platform specs in advance of the deprecation date. Just like for the other existing privacy signals (TCF and USPrivacy), the GPP string is also able to be transported via OpenRTB.


Frameworks for CCPA & GDPR

Having summarised the requirements of both the CCPA and GDPR in terms of legislation that impacts advertising and the GPP & TCF protocols that currently underpin various global frameworks, let’s look at both the CCPA and GDPR compliance frameworks in more detail.

IAB Europe’s TCF for GDPR

The TCF ensures that when a user visits a website or app, they are presented with a consent notice that asks them for their permission to allow certain data processing activities. The user can then choose to grant or withhold consent for each purpose. The consent or denial is then stored in a consent string, which can be seamlessly passed on to other parties throughout the advertising ecosystem.

 

image source: iabeurope.eu

It’s also worth noting the different versions that the TCF has gone through, and a solid summary of the major enhancements can be seen below. The most recent version (v2.2) was released in May 2023.

image source: iabeurope.eu

While the adoption of the GPP is underway, there will be a period of time where the TC string may be retrieved from more than one location; either the TCF-specific or GPP interfaces. IAB Tech Lab currently advises the industry, especially those who need to consider consent signaling across multiple jurisdictions, to adopt the GPP moving forwards as it will be the primary framework where future global user consent and preference signaling will be made available.

IAB CCPA Compliance Framework

The IAB framework requires participating publishers that choose to sell the personal information of California consumers in the delivery of digital advertising to provide explicit notice regarding their rights under the CCPA, to explain in clear terms what will happen to their data, and to notify the downstream technology companies with which the publishers do business that such disclosures were given. It also requires publishers to include a “Do Not Sell My Personal Information” link on their digital properties.

When a user clicks that link, a signal is sent to the technology companies with which the publishers do business via a technical mechanism that is based upon specifications developed by the IAB Tech Lab.

image source: iabtechlab.com
