What is the IAB Framework? How does IAB meet the requirements of the GDPR? What should you do when it comes to consent management and cookie consent if you use the IAB Framework? Is the IAB framework GDPR compliant?
This article answers all those questions, so stay with us.
IAB Europe, (Interactive Advertising Bureau), is a business organization for online advertisers and marketers, that develops and governs industry standards and best practices, conducts research, and provides legal support.
In preparation to the enforcement of the EU law on data protection and privacy, The General Data Protection Regulation (GDPR) in May 2018, the IAB Tech Lab developed a Framework in collaboration with IAB Europe.
The Framework is called the IAB Europe Transparency & Consent Framework.
The IAB Framework establishes a common ground of cooperation between publishers, advertisers, and consent management providers that can help smoothen the process of meeting the requirements of the GDPR.
The Framework especially works as a standardized means for communicating the state of user consent between first parties such as publishers, third parties such as advertisers, and the consent management system in use on the first party’s website.
According to IAB, their new and updated Transparency & Consent Framework 2.0 will enable consumers to grant or withhold consent but they can also exercise their right to object to data being processed. Consumers also gain more control over whether and how vendors may use certain features of data processing (for example, the use of precise geolocation).
The updated IAB Framework will open for registration on September 10th 2019.
The General Data Protection Regulation sets out strict requirements for how one may record, store, use and share personal data.
With the GDPR, businesses, organizations and websites may only handle their users’ data if they have their specific consent to it, or if the purpose falls under one of the other categories in the six lawful reasons for processing data.
The GDPR is extremely wide-ranging both geographically, in scope, and in severity.
Geographically, because it not only covers all organizations operating within the EU nations, but also all organizations outside of the EU, that have EU citizens as users.
In scope, because of its broad definition of personal data:
Personal data in the GDPR is not only data that is directly related to an individual, such as a name or an identification number, but also data, that can be singled out or connected with other data in order to identify a concrete person.
For example, location data combined with data on personal or professional interests, or data relating to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
This broad definition means, in practice, that marketing cookies and all other types of tracking, that e.g. record, store or share users’ behaviour and preferences, are subject to the GDPR.
This affects practically the entire industry of online advertisers and marketers, and everyone involved in that ecosystem, including, in broad scale, publishers on the internet, that make use of ad networks as an important source of income.
In severity, because the fines for non-compliance are very high: 4% of the global yearly turnover or €20 million - whichever is higher.
The purpose of the IAB Framework is to create a standardized cooperation between online publishers, advertisers, and the tech companies supplying consent management, when it comes to meeting GDPR requirements for transparency and user consent.
Within the Framework, these three groups are called “publishers”, “vendors”, and “CMP’s” (consent management providers).
In practice, the IAB Framework functions as a system for communicating the state of user consent between first parties (i.e. publishers), third parties (i.e. advertisers), and the consent management provider in use on the first party’s website.
In the IAB Framework, publishers select their vendors of choice from a list of vendors that have enrolled in the Framework.
This list is called the Global Vendor List or “GVL”.
In order to participate in the Framework, the vendor has agreed to a set of conditions, such as…
Hence, one may think of the Global Vendor List as a sort of registry of “whitelisted” vendors, that have adhered to the rules of the Framework.
When a publisher enrolls in the IAB Framework, they select one or more vendors from the Global Vendor List, that they want to partner with.
The consent status of the user is stored in a first-party cookie in the user’s browser, and shared down the advertisement chain of information in the IAB Framework.
Once the user has made their selection, these vendors (and not others) have access to processing the user’s data for the relevant purposes.
It is worth to be aware of the fact that the IAB Framework is built on a principle of voluntariness. The consent status of the user is signaled to the vendors, but there is no guarantee that the vendors will actually respect these choices.
This is worth noting, because in the case of a breach, the GDPR will hold the first party whose website the user has accessed responsible.
Therefore, even though one has committed to the Framework, it is a good idea to be extra thorough when implementing a consent management software on one’s website.
Cookiebot blocks non-consented vendors and gives control back to the publisher who at the end of the day is the one held liable by the GDPR for all tracking performed by third parties on their website.
As a publisher participating in the Framework, first you choose what vendors you want to cooperate with from the Global Vendor List in the IAB.
Then, you can partner up with a consent management provider (CMP). This is not compulsory: you may also operate without a CMP and take care of the consents yourself.
Either way, it is very important to ensure that the setup for obtaining consents is compliant with the GDPR.
The Framework is a step towards standardized compliance, but it does not in and by itself guarantee compliance.
As mentioned above, within the IAB Framework, the consent status is only signaled to the vendors, but in reality, it is up to vendors and advertisers whether they choose to respect it.
Be careful when choosing your consent management provider (CMP) in the Framework (or when taking care of the consents, if you choose to do so yourself), and make sure that the requirements listed below are met.
In order for your consent management to comply, it has to be…
Cookiebot is one of the few fully compliant consent management software solutions on the market.
In response to requests made by Cookiebot users and resellers, an integration between Cookiebot and the IAB framework has been developed as an optional supplement to the core consent framework in the Cookiebot solution.
The integration consists of an extra panel in the consent banner of websites registered with the IAB, see picture above.
The panel is called "Ad Settings", and from it, end-users can choose between IAB purposes and vendors before submitting their consent.
We recommend to regard the integration as a supplement, and not a replacement for the regular Cookiebot solution.
This is due to the principle of voluntariness of the IAB Framework, where the state of consent is signaled to the vendors, but where there is no guarantee that the vendors will actually respect these choices.
In the case of a breach, the GDPR will generally hold the first party, whose website the user has accessed, i.e. the publisher, responsible.
Therefore, even though one has committed to the Framework, it is a good idea to be thorough when implementing a consent management software on one's website.
Also, in the standard setting of the Framework, the user is presented with a potentially long list of vendors, that they might not even have heard of before, and decide whether they want to share their data with them.
When implementing Cookiebot as a consent management provider (CMP), non-consented cookies are blocked, thereby restoring the control to the website owner, who is the responsible party for the cookies that are set on their users’ browser.
With Cookiebot, all cookies and tracking in use on a website is paused until consent has been given.
This functionality corresponds to the requirement for prior consent.
All cookies and tracking in use on the website is detected by the Cookiebot scanner, and grouped into four intelligible categories. In the case of the multilevel template illustrated below, the user may check or uncheck categories directly from the consent banner that appears upon their first visit to the website.
This way, the user gets full insight and control without being overwhelmed by information or unnecessarily interrupted in their browsing experience.
Should a user want a detailed overview of the cookies, he or she can simply click ‘Show details’, whereby all cookies are displayed in a folded-out version of the banner, showing every cookie, where it comes from, its purpose and other relevant information.
When a user has made their choice, let’s say they have opted out of marketing cookies, these types of cookies will stay paused and will never be activated, for as long as the user does not change their setting.
This way, the website owner has full control over the compliance of the cookies set from their website, whether they are of own or of third party provenance.
Once a month, Cookiebot performs a scan of the entire website and subpages for cookies and other tracking in use, and sends a report to the website owner.
The user has access to easily change their setting of cookies from within the cookie declaration on the website.
Once a year, the consent will automatically be renewed.
All given consents are securely stored as proof that the consent was given.
The free scan audits up to five subpages of your website and sends a report of all of the cookies and tracking in use and their compliance with the GDPR and the ePrivacy Directive, thereby giving a pretty good indication on whether your website is compliant or not.
Sign up to Cookiebot to get the full picture and peace of mind. The first month is free.