Risks in IAB Europe’s proposed consent mechanism

Dr Johnny Ryan

This note examines the recently published IAB “transparency and consent” proposal. Major flaws render the system unworkable. The real issue is what should be done with the vast majority of the audience who will not give consent. 

Publishers would have no control (and are expected to blindly trust 2,000+ adtech companies)

The adtech companies[1] who drafted the IAB Europe proposal claim that “publishers have full control over who they partner with, who they disclose to their users and who they obtain consent for.”[2] But the IAB Europe documentation shows that adtech companies would remain entirely free to trade personal data with their business partners if they wish. The proposed system would share a unique[3] consent record “throughout the online advertising ecosystem”, every time an ad is loaded on a website:[4]

“the OpenRTB request [from a website to an ad exchange] will contain the entire DaisyBit [a persistent cookie],[5] allowing a vendor to see which other vendors are an approved vendor or a publisher and whether they have obtained consent (and for which purposes) and which have not.”[6]

There would be no control over what happens to personal data once they enter the RTB system: “[adtech] vendors may choose not to pass bid requests containing personal data to other vendors who do not have consent”.[7] This is a critical problem, because the overriding commercial incentive for many of the companies involved is to share as many data with as many partners as possible, and to share them with parent companies that run data brokerages. In addition, publishers are expected to trust that JavaScript in “ad creatives” is not dropping trackers, even though no tools to police this are proposed here.
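The consent record described above is sent to every vendor in every bid request, and footnote [3] below observes that the record itself showed a very high degree of uniqueness. The following added example (not part of the original note, and not the IAB cookie format) models a record as per-vendor and per-purpose bits and measures how identifying such a record is; the 50/50 choice rate, the 200 vendors and the four purposes are assumptions of the model.

```python
"""Constructed model (not the IAB/DaisyBit format) of a consent record that is
broadcast in every bid request: how identifying is the record itself?"""
import math
import random
from collections import Counter


def make_record(rng, n_vendors, n_purposes, per_vendor):
    """Build one user's record as a bit string.

    per_vendor=True: each vendor bit is set independently (a granular choice).
    per_vendor=False: the all-or-none vendor choice, so every vendor bit
    carries the same single accept/reject decision.
    Purpose bits are always chosen independently. The 50/50 coin for each
    choice is a modelling assumption, not a measured opt-in rate.
    """
    if per_vendor:
        vendor_bits = [rng.random() < 0.5 for _ in range(n_vendors)]
    else:
        accept_all = rng.random() < 0.5
        vendor_bits = [accept_all] * n_vendors
    purpose_bits = [rng.random() < 0.5 for _ in range(n_purposes)]
    return "".join("1" if b else "0" for b in vendor_bits + purpose_bits)


def entropy_bits(records):
    """Shannon entropy of the observed records: the bits of information a
    recipient learns about which user it is seeing from the record alone."""
    counts = Counter(records)
    n = len(records)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def uniqueness(records):
    """Fraction of users whose record appears exactly once in the population,
    i.e. whose record on its own singles them out."""
    counts = Counter(records)
    return sum(1 for r in records if counts[r] == 1) / len(records)


def simulate(n_users, n_vendors, n_purposes, per_vendor, seed=0):
    """Generate a population of records and measure how identifying they are."""
    rng = random.Random(seed)
    records = [make_record(rng, n_vendors, n_purposes, per_vendor) for _ in range(n_users)]
    return {"entropy_bits": entropy_bits(records), "unique_fraction": uniqueness(records)}


if __name__ == "__main__":
    # Four purpose opt-ins, 200 vendors: all-or-none vendor choice versus per-vendor choice.
    for per_vendor in (False, True):
        r = simulate(n_users=1000, n_vendors=200, n_purposes=4, per_vendor=per_vendor)
        print(f"per_vendor={per_vendor}: {r['entropy_bits']:.2f} bits, "
              f"{r['unique_fraction']:.0%} of users singled out by their record")
```

With all-or-none vendor choice the record carries at most five bits, so it cannot single anyone out; once the bits vary per user it becomes a unique identifier, which is why a record forwarded to thousands of recipients behaves as a tracking cookie regardless of what consent it encodes.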

IAB Europe is asking publishers and brands to expose themselves to the legal risk of routinely sharing these personal data with several thousand adtech companies. What publishers and brands need is a “trust no one” approach. IAB Europe is proposing a “trust everyone” approach. Indeed, the proposed system looks like the GDPR’s description of a data breach:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.[8]

Publishers have no control over personal data once they send them into the RTB system. All publishers have is liability.

“OK to everything” jeopardises the publisher’s own opt-ins

The proposed system would also jeopardise the chance of websites obtaining essential opt-ins for their own data processing purposes, such as commenting widgets or video players. IAB Europe proposes that websites bundle all consent under a single “OK”/“Accept all” button. Our wireframe below shows the text and buttons recommended by IAB Europe.[9]

Broadly speaking, websites might expect to receive consent from four out of every five users for their own data processing.[10] The opt-in rate for ad tech tracking is tiny in comparison. Our research found that only 3% of people say they would opt in to 3rd parties tracking them across the web for the purposes of advertising.[11] IAB Europe’s commissioned research found that only 20% would do so.[12] The ad tech vendors who drafted the IAB Europe proposal have an incentive to ask publishers to take risk on their behalf: they must realize that there is no chance that Internet users will agree to the cascade of opt-ins that the GDPR requires.[13] A website would be ill advised to jeopardise its own consent requests in a vain effort to get consent for ad tech companies, particularly if those ad tech companies plan to use that same consent to work with the website’s competitors.

Conflation and other matters of presentation

The proposal appears to breach Article 5, Article 6, and Article 13 of the GDPR, for several reasons.

First, Article 5 requires that consent be requested in a granular manner for “specified, explicit” purposes.[14] Instead, IAB Europe’s proposed design bundles together a host of separate data processing purposes under a single opt-in. A user must click the “Manage use of your Data” button in order to view four slightly less general opt-ins, and the companies[15] requesting consent. These opt-ins also appear to breach Article 5, because they too conflate multiple data processing purposes into a very small number of ill-defined consent requests. For example, a large array of separate ad tech consent requests[16] are bundled together in a single “advertising personalisation” opt-in.[17] European regulators explicitly warned against conflating purposes:

“If the controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom. This granularity is closely related to the need of consent to be specific …. When data processing is done in pursuit of several purposes, the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose.”[18]

Second, the text that IAB Europe proposes publishers display for the “advertising personalisation” opt-in appears to be a severe breach of Article 6[19] and Article 13[20] of the GDPR. In a single 49-word sentence, the text conflates several distinct purposes, and gives virtually no indication of what will be done with the reader’s personal data.

“Advertising personalisation allow processing of a user’s data to provide and inform personalised advertising (including delivery, measurement, and reporting) based on a user’s preferences or interests known or inferred from data collected across multiple sites, apps, or devices; and/or accessing or storing information on devices for that purpose.”[21]

This fails to disclose that hundreds, and perhaps thousands, of companies will be sent your personal data. Nor does it say that some of these companies will combine these with a profile they already have built about you. Nor are you told that this profile includes things like your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc. Nor do you know whether or not some of these companies will sell their data about you to other companies, perhaps for online marketing, credit scoring, insurance companies, background checking services, and law enforcement.

Third, a person must say yes or no for all or none of the companies listed as data controllers.[22] Since one should not be expected to trust all controllers equally, and since it is unlikely that all controllers apply equal safeguards of personal data, we suspect that this “take it or leave it” choice will not satisfy regulatory authorities.

Fourth, there appears to be no way to easily refuse the consent request that IAB Europe proposes, which would also breach the GDPR.[23] It is possible that this last point is simply an accidental oversight in the drafting of IAB Europe’s documentation.

Conclusion: What about the people (80%-97%) who don’t opt in?

The proposed system has no plan to make consent meaningful, by giving publishers and data subjects control over what happens to personal data. Nor does it have a plan for what happens when users do not give consent. It is time for the discussion to move on.

As the CEO of Digital Content Next, a major publisher trade body, recently told members, “GDPR will create opportunity for audience selection based on cohorts and context”.[24] Non-personal data such as these are the only way for the industry to approach the GDPR.

PageFair has recently announced Perimeter, a regulatory firewall that enables websites (and apps) to protect their ad business, run direct campaigns and use RTB without risk under the GDPR. It prevents unauthorized connections from 3rd parties, so that personal data cannot leak through the RTB system, or anywhere else. (For extra peace of mind, PageFair’s SSP delivers guaranteed compliant programmatic display advertising.) This is the consent-free approach.

We also believe that consent has a role. The next chapter for online advertising will be written by publishers who use consent-free RTB, and build up consenting audiences for premium advertising too.

Note: thanks to Andrew Shaw at PageFair. 

Feedback Wanted
Note: PageFair has just updated its online overview of Perimeter. Please review http://pagefair.com/perimeter and give us your feedback.

Perimeter is a robust regulatory firewall. It preemptively blocks unauthorized requests from 3rd parties, and tightly controls personal data on your website and app. It protects you, your advertising business, and your users. Perimeter makes sure that consent means something.

[1] AppNexus Inc.; Conversant, LLC; DMG Media Limited; Index Exchange, Inc.; MediaMath, Inc.; Oath, Inc.; Quantcast Corp.; and, Sizmek, Inc. are named in the copyright notice of “Transparency & Consent Framework, Cookie and Vendor List Format, Draft for Public Comment, v1.a”, IAB Europe (URL: URL-shortened), p. 3.
Note: PageFair is a member of IAB TechLab and IAB UK.

[2] “Transparency & Consent Framework FAQ”, IAB Europe, 8 March 2018 (URL: http://advertisingconsent.eu/wp-content/uploads/2018/03/Transparency_Consent_Framework_FAQ_Formatted_v1_8-March-2018.pdf), p. 8.

[3] Our statistical examination of the data in the cookie showed a very high degree of uniqueness. The proposed cookie is itself a tracking cookie. See the specification of the cookie in “Transparency & Consent Framework, Cookie and Vendor List Format, Draft for Public Comment, v1.a”, IAB Europe, pp. 8–10.

[4] ibid., p. 3.

[5] ibid., p. 8.
To see the content of the proposed consent cookie, see http://gdpr-demo.labs.quantcast.com/user-examples/cookie-workshop.html.
It is envisaged that the record may be server-based in the future, because this will work better. See p. 7.

[6] “Transparency & Consent Framework FAQ”, IAB Europe, 8 March 2018, p. 9.

[7] ibid., p. 10. And from the same page, when an adtech company gets personal data without consent, IAB Europe asks it “to only act upon that data if it has another applicable legal basis for doing so”.

[8] Regulation (EU) 2016/679 of The European Parliament and of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Article 4, paragraph 12.

[9] “Transparency & Consent Framework FAQ”, IAB Europe, 8 March 2018, p. 13.

[10] 20% would accept first party tracking only. An additional 56% would accept tracking that is strictly necessary for services they have requested. 5% say they would accept all tracking.
See “Research result: what percentage will consent to tracking for advertising?”, PageFair Insider, 12 September 2017 (URL: https://pagefair.com/blog/2017/new-research-how-many-consent-to-tracking/).

[11] ibid.

[12] “Europe Online: an experience driven by advertising”, GFK, 2017, p. 7. (URL: https://www.iabeurope.eu/wp-content/uploads/2017/09/EuropeOnline_FINAL.pdf).

[13] “GDPR consent design: how granular must adtech opt-ins be?”, PageFair Insider, January 2018 (URL: https://pagefair.com/blog/2018/granular-gdpr-consent/).

[14] The GDPR, Article 5, paragraph 1, b, and note reference to the principle of “purpose limitation”. See also Recital 43. For more on the purpose limitation principle see “Opinion 03/2013 on purpose limitation”, Article 29 Working Party, 2 April 2013.

[15] Note that the Article 29 Working Party very recently warned that this alone might be enough to render consent invalid: “when the identity of the controller or the purpose of the processing is not apparent from the first information layer of the layered privacy notice (and are located in further sub-layers), it will be difficult for the data controller to demonstrate that the data subject has given informed consent, unless the data controller can show that the data subject in question accessed that information prior to giving consent”.
Quote from “Guidelines on consent under Regulation 2016/679”, WP259, Article 29 Working Party, 28 November 2017 (URL: https://pagefair.com/wp-content/uploads/2017/12/wp259_enpdf.pdf), p. 15, footnote 39.

[16] See discussion of data processing purposes in online behavioural advertising, and the degree of granularity required in consent, in “GDPR consent design: how granular must adtech opt-ins be?”, PageFair Insider, January 2018 (URL: https://pagefair.com/blog/2018/granular-gdpr-consent/).

[17] “Transparency & Consent Framework FAQ”, IAB Europe, 8 March 2018, p. 18.

[18] “Guidelines on consent under Regulation 2016/679”, WP259, Article 29 Working Party, 28 November 2017, p. 11.

[19] The GDPR, Article 6, paragraph 1, a.

[20] The GDPR, Article 13, paragraph 2, f, and Recital 60.

[21] “Transparency & Consent Framework FAQ”, IAB Europe, 8 March 2018, p. 18.

[22] “Transparency & Consent Framework, Cookie and Vendor List Format, Draft for Public Comment, v1.a”, IAB Europe, p. 5.
This is apparently “due to concerns of payload size and negatively impacting the consumer experience, a per-vendor AND per-purpose option is not available”, p. 22.

[23] The Regulation is clear that “consent should not be regarded as freely given if the data subject has no genuine or free choice”. The GDPR, Recital 42. See also, Article 4, paragraph 11.

[24] Jason Kint, “Why the IAB GDPR Transparency and Consent Framework is a non-starter for publishers”, Digital Content Next, 19 March 2018 (URL: https://digitalcontentnext.org/blog/2018/03/19/iab-gdpr-consent-framework-non-starter-publishers/).