DIGITAL ADVERTISING TRANSPARENCY, CONTROL, CONSENT:

Transcription

1 DIGITAL ADVERTISING TRANSPARENCY, CONTROL, CONSENT: CMPs IN THE IAB EUROPE TRANSPARENCY & CONSENT FRAMEWORK AOP CMP Show & Tell Friday 13 th April 2018 Townsend Feehan CEO, IAB Europe Technical standard in development and subject to change. 1

2 Agenda The Framework Role & operation of the CMP Tools to support CMP roll-out Upcoming milestones Where to go for more information 2

3 The Framework Architecture 3

4 The Framework Features, functionality Transparency for publishers & users By company By data processing purpose For different legal bases Control Publishers maintain control over vendors on their sites Publisher controls UI Accountability Demonstrate GDPR compliance Audit trail Flexibility for different business models Supports both legitimate interest and consent Light-weight, de-centralised solution Single, open-source standard will deliver efficiencies 4

5 The Framework Legal bases - legitimate interest Framework provides for disclosures in compliance with GDPR Scenarios include direct marketing Interests and rights of the user are not over-riding (data controller conducts balancing test) User has GDPR-compliant right to object (cf. reversal of burden of proof under GDPR v 95/46/EC) 5

6 The Framework Legal bases consent Consent must be unambiguous and requires an affirmative act Data controllers relying on consent must be disclosed by name Processing purposes must be disclosed at granular level that satisfies the specificity test Data controller must be able to demonstrate consent was obtained 6

7 The Framework eprivacy Directive compliance Storing or accessing information on a user s device, such as cookies, requires consent under the eprivacy Directive. The eprivacy Directive still applies on May 25 The eprivacy Directive will use the GDPR s definition of consent on May 25 Scope is both personal and non-personal data 7

8 Role & operation of the CMP Publishers can be CMPs CMP is the connecting tissue between the publisher, the vendors and the user Not strictly speaking part of the Framework This said, key requirements pertain Auditability requirement & need to be able to rely on the signal means all CMPs must register, get an ID and commit to adhere to the policies Assigned sub-domain enables CMP to read & write global consent 3 rd party cookies IAB Europe and IAB Tech Lab providing tools to support CMPs 8

9 Role & operation of the CMP Connecting to the Global Vendor List Centralised, dynamic list of vendors (e.g. ad tech, agencies), their data processing purposes, their legal bases, their privacy policy URLs, etc. Versioned to allow for audit trail Publishers will use vendor list as basis for disclosure and consent requests Both vendors and publishers will need to adhere to baseline principles and minimum standards 9

10 Role & operation of the CMP Interaction with the GVL JavaScript library/api that enables publishers to customise the experience of disclosing vendor permissions and requesting user consent Implements standardised minimum disclosure language Ensures that vendor list and disclosure language are updated to latest version Abstracts complexities of consent-checking and storage Integrates with user identification mechanism Makes consent data available for downstream use via daisy chain 10

11 Tools to support CMP roll-out CMP technical specification V 1.0 for public comment is available here Specification for DaisyBit V 1.0 for public comment (cookie and vendor list format) is available here CMP registration portal is here CMP reference implementation on GitHub here Implementation Guide available online here (work in progress & subject to iteration) Roster of CMPs will be publicly available on FAQs may be consulted on 11

12 CMP registration requirements Legal name Subdomain Prefix Administrative details e.g. contact info Website CMP to be used for own purposes CMP services to be offered to others Agree to Framework Terms & Conditions Agree to comply with applicable law Agree to comply with Framework Policies Attest to existence of company privacy and data protection compliance programme covering GDPR and eprivacy Directive Agreement to pay nominal administrative fee 12

13 CMP registration process CMP completes online application form at Validity of application verified by TCF Administrator CMP notified of approval and invited to make payment of administrative fee Once payment received, CMP is awarded ID and sub-domain (if relevant) List of registered CMPs to be updated daily in first four weeks of programme operation and published on 13

14 Policies for CMPs CMP must support the full TCF Specification, including providing consent revocation services and a revocation mechanism CMP must disclose vendors legal bases as declared, and update this info wherever it is stored, without extension, modification or supplementation CMP must not read, write or communicate any vendor s legal bases except according to the Specification, using the standard API CMP will use 13 months as maximum lifetime of user consent WRT any vendor and purpose CMP must resolve conflicts in the DaisyBit before transmitting (e.g. reconciliation between service-specific and web-wide transparency & consent CMP must only work with registered vendors 14

15 Policies for CMPs CMP may not exclude, discriminate against, or give preferential treatment to a vendor except pursuant to explicit instructions from the publisher or other provider of an online service Obligation to maintain records of consent and disclosure, and to provide the Administrator with access to such records on request Administrator may suspend or expel a CMP from participation in the Framework for failure to comply with Framework policies Obligation to flag to the Administrator if a CMP has reason to believe a vendor is not in compliance with the Specification, Policies or applicable law Publishers must commit to work only with CMPs that comply fully with the Policies and Specification Publishers may operate private CMPs still subject to Policies 15

16 Publisher obligations Publishers determine when the Framework UI is shown Publisher will typically be aided by a CMP Baseline requirements for language, design and other elements of the UI may be developed but are not prescribed yet List of vendors generated from the GVL must display at least minimum information for each vendor If the UI includes non-gvl vendors, party deploying it must ensure that the non-gvl vendors are clearly distinguished from the GVL vendors UI must not mislead as to vendors chosen legal bases UI may be used for transparency & consent for publisher s own data processing Users must have clear & prominent instructions for revoking consent or objecting to processing, as applicable 16

17 Data processing purposes in V 1.1 Storage and access of information on a user terminal device Personalisation Ad selection, delivery, reporting Content selection, delivery, reporting Measurement 17

18 Example of custom consent UI Layer 1 Layer 2 NB: Graphics are for illustration purposes only. 18

19 Upcoming milestones Public release of V 1.1 of the technical specifications in w/c 19 th April Formal launch of the Framework Enforcement of the GDPR as from 25 th May Ongoing iteration on the specifications 19

20 CMP sign-up is live 20

21 Registered CMPs as of 12 th April Affilinet Chandago Faktor BV AdSpirit GmbH Usercentrics GmbH Sourcepoint Technologies Didomi Baycloud Systems Ltd Admiral Quantcast International Sovrn Holdings Inc Germantag Web Services 21

22 Stay informed 22

23 Thank you! 23