The IAB has put forward some admirable principles for giving publishers and users control over which ad tech firms track them around the web, process their personal data, and store cookies on their devices, and for what purposes. A new breed of ‘Consent UIs’ will be popping up on websites you visit starting May 25th. Unfortunately, the first version prompts serious questions over whether users will know what they're consenting to, which should be urgently resolved.

The ad tech transparency and consent conundrum

The Interactive Advertising Bureau (IAB), its members and supportive publishers are banking on the success of the IAB Transparency and Consent Framework to maintain a significant element of the status quo in the way the online advertising ecosystem operates.

Under GDPR, any company collecting, processing, or storing personal data must have a clear legal basis under which it does so and meet new standards of transparency for its processing operations. For many companies and types of processing, particularly those related to what's known as personalised advertising (or online behavioural advertising), consent of the data subject - which must be specific, informed, unambiguous and freely given - must be the legal basis they will operate under.

The problem is, the vast majority of the hundreds of ad tech firms employed throughout the ecosystem have no direct relationship with website users. With few exceptions, their names will be completely alien to users. Only a fraction of the firms are even employed directly by publishers. The rest are employed indirectly throughout the ecosystem, providing services to the ad exchanges/SSPs that serve publishers, or to the DSPs that serve buyers. Yet when these firms collect and process personal data on their own behalf, not the publisher's - as they do - they are acting as a data controller under GDPR and need to obtain their own consent. How, then, are any of these firms supposed to request - let alone obtain - specific, informed, unambiguous and freely given consent from the users whose data they process?

It is in this context that the IAB took the brave move of surveying much of the ad tech industry (and other tech firms that provide content personalisation services - we'll just call them all ad tech to keep it simple) to find out what personal data they collect, process and store, with the aim of developing a standard framework through which publishers could facilitate ad tech vendors requesting and obtaining GDPR-compliant consent from users. The idea was that if publishers could surface a single consent request that covered many or all ad tech firms and their data processing requirements, consent could be obtained in one shot.

If it could be made to work, the benefits would be widespread: users would be specifically informed about what personal data processing was going on as they surfed the web, and they wouldn't mind consenting to it; personalised advertising, widely considered one of the most efficient ways of bringing the most relevant products and services to the attention of the people most interested in buying, could continue unabated; ad tech vendors could carry on processing personal data and plying their wares; publishers could continue to earn the revenues they so desperately need to continue providing free content to users who don't want to pay.

The result: the IAB Consent Framework was launched in March 2018. Here is a statement of principles we find hard to disagree with:

How the IAB Consent Framework works

To minimise the complexity of requesting consent from users, and maximise the consent that can be obtained in a single consent request, the IAB has asked the entire ad tech industry to register its data processing operations under eight headings, known as data processing 'purposes': Information storage and access; Personalisation; Ad selection, delivery, reporting; Content selection, delivery, reporting; Measurement; Matching Data to Offline Sources; Linking Devices; Precise Geographic Location Data.

These sound like things ad tech firms must be doing, right? They're broad headings, it’s true, but perhaps that doesn't need to be a problem, as long as these headings are well defined, unambiguous, and distinct from each other, and ad tech firms can disclose what specific processing they do under each heading. Then these disclosures can be surfaced to users in a 'consent UI', something like a glorified cookie banner, on publishers' websites (see images). Users can then freely choose whether to give their informed consent to personal data processing by specific ad tech firms for specific purposes.

So far so good?

That's the theory. Now what's the reality?

Success will be defined in terms of the take-up by ad tech firms and by publishers, what consent levels are obtained from users, and how satisfied regulators are that consent meets the GDPR requirements.

Initial indications are that ad tech firms have eagerly embraced the framework. At the time of writing, there are 166 firms on the IAB's Global Vendor List (JSON version), their central database of ad tech firms and their disclosures.

Live tests, conducted by NewsNow and Quantcast, have resulted in consent levels of around 70%. Publishers will jump at the chance to maintain their revenues. 70% is not bad at all, assuming the consent can be said to be informed.

And here's the rub. For consent to be informed, the information presented to users about the firms' data processing needs to be clear and specific.

So is it? Well, we're publishing and ad tech industry insiders, and we're not sure. What, we’re asking, are ordinary people going to make of this?

IAB Standard Purposes

Information storage and access

"The storage of information, or access to information that is already stored, on your device such as advertising identifiers, device identifiers, cookies, and similar technologies"

To us, this doesn't sound like a purpose for processing personal data. 'Information' needn't contain any personal data whatsoever. It sounds like it's requesting consent for cookies under the ePrivacy Directive.

Still, could it have been any more scarily worded? Will users who don't understand the tech be forgiven for thinking they're being asked to consent to firms they've never heard of accessing their contacts and text messages?

Users who do know the tech may know that's unlikely. But will users realise that this consent - as written - could extend to ad tech firms reading first-party cookies, by running JavaScript in the friendly iframe in which they render an ad? Will users be clear that they're consenting to this?

Personalisation

Everyone knows what personalisation is, don't they? It's when somebody tailors something for you, like what ads or which content you're going to see on a website, isn't it? If so, users will need to be careful what they consent to. The IAB has a different definition:

"The collection and processing of information about your use of this service to subsequently personalise advertising and/or content for you in other contexts, such as on other websites or apps, over time. Typically, the content of the site or app is used to make inferences about your interests, which inform future selection of advertising and/or content."

To us, this doesn't sound like it's about making the personalisation decision. It's about collecting data about you to make a decision in the future on other websites. In other words, it's about tracking your browsing behaviour in order to profile your interests.

Maybe you mind that. Maybe you don't. But how can you decide, without knowledge of what information is being collected? You may not be that sensitive about your browser version or city, but would you be so relaxed about a firm scraping your email address off the website you're signed into? Will users know they are consenting to that if they consent to this?

Does ‘interests’ clearly cover your gender, age range, income bracket?

Ad selection, delivery, reporting

"The collection of information, and combination with previously collected information, to select and deliver advertisements for you, and to measure the delivery and effectiveness of such advertisements. This includes using previously collected information about your interests to select ads, processing data about what advertisements were shown, how often they were shown, when and where they were shown, and whether you took any action related to the advertisement, including for example clicking an ad or making a purchase. This does not include personalisation, which is the collection and processing of information about your use of this service to subsequently personalise advertising and/or content for you in other contexts, such as websites or apps, over time."

It should sound alarm bells when you have to define something in terms of what it is not. But more importantly, what information is being collected? What is meant by 'combination'? How is this case different to the previous heading, 'personalisation' (which this purpose is said not to be)?

We're guessing that this is intended to describe using a profile that has already been built to inform ad targeting decisions - which we think is what people commonly mean when they refer to 'personalisation' (which this purpose is said not to be).

We could go on...

Similar concerns can be raised about other headings. Compare:

Content selection, delivery, reporting: "The collection of information, and combination with previously collected information, [...] to measure the delivery and effectiveness of such content. This includes using previously collected information [...]"

Measurement: "The collection of information about your use of the content, and combination with previously collected information, used to measure, understand, and report on your usage of the service."

Don’t these definitions significantly overlap?

Towards IAB Consent and Transparency Framework v2.0?

The IAB has put forward some admirable principles for giving publishers and users control over which ad tech firms assign users unique identifiers and store them in cookies, track them around the web, profile them from their browsing behaviour, link those profiles to other databases, and use those profiles to select targeted advertising or content.

Unfortunately, the first version raises as many questions as it answers about what ad tech firms will be doing with users' personal data and whether users will fully understand what they're consenting to.

This ambiguity presents reputational and compliance risks to publishers and ad tech firms that we could all do without, and which we would like to see urgently resolved.

As far as we’re aware, the framework is under active development (e.g. the pubvendors.json extension, to let publishers control which ad tech firms are surfaced in their consent UI, was recently proposed), so we anticipate there may be scope for the IAB to produce a revised list of standard ‘purposes’.

Our recommendations

For a framework based on a standard set of data processing ‘purposes’ to be completely credible, the headings must be extremely clearly labelled and explained in layman's terms, avoiding using words in common usage (like 'personalisation') to mean anything different to what people normally expect.

Definitions should not overlap.

When a firm's data processing doesn't fit neatly into a standard category, a bespoke statement should be surfaced in the consent UI next to that firm’s name.

We're not sure it’s enough to just say ‘information’. The types of information processed should also be standardised into different classes - for example IP address, unique device id, the contents of web pages you visit including products and services - according to how intrusive users would consider them, and these categories should be surfaced alongside the standard purposes applicable to each ad tech firm.

Users shouldn't have to locate an ad tech firm's privacy policy to find out what cookies they're storing on their browser, when these cookies are storing personal data, or when consent is required under the ePrivacy Directive. For informed consent, these disclosures should be surfaced in the consent UI too.

Do you share our concerns?

Can you explain the IAB Transparency and Consent Framework 'purpose' definitions? If so, how? I’d like to hear from you and will happily amend this article with the best explanations received.

On the other hand, if you’re as confused as we are, perhaps the IAB needs to hear from you. You can submit feedback via the General Feedback form on http://advertisingconsent.eu/ or via email at feedback@advertisingconsent.eu.