What is the IAB Framework, and how does it meet the requirements of the GDPR? What should you do when it comes to consent management and cookie consent if you use the IAB Framework?
What is the IAB Framework and how does it deal with the GDPR requirements?
IAB, the Interactive Advertising Bureau, is a business organization that develops and governs industry standards and best practices, conducts research, and provides legal support for online advertisers and marketers.
In preparation for the enforcement of the EU law on data protection and privacy, the General Data Protection Regulation (GDPR), in May 2018, the IAB Tech Lab developed a Framework in collaboration with IAB Europe.
The Framework is called the IAB Europe Transparency & Consent Framework.
It was created to establish common ground for cooperation between publishers, advertisers, and consent management providers that can help smooth the process of meeting the requirements of the GDPR.
The Framework especially works as a standardized means for communicating the state of user consent between first parties such as publishers, third parties such as advertisers, and the consent management system in use on the first party’s website.
What are the requirements of the General Data Protection Regulation and what does it mean for advertisers?
The General Data Protection Regulation sets out strict requirements for how one may record, store, use and share personal data.
With the GDPR, businesses, organizations and websites may only handle their users’ data if they have the users’ specific consent to it, or if the purpose falls under one of the other categories in the six lawful reasons for processing data.
The GDPR is extremely wide-ranging geographically, in scope, and in severity.
Geographically, because it covers not only all organizations operating within the EU nations, but also all organizations outside of the EU that have EU citizens as users.
In scope, because of its broad definition of personal data:
Personal data in the GDPR is not only data that is directly related to an individual, such as a name or an identification number, but also data that can be singled out or connected with other data in order to identify a concrete person.
For example, location data combined with data on personal or professional interests, or data relating to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
This broad definition means, in practice, that marketing cookies and all other types of tracking that, for example, record, store or share users’ behaviour and preferences are subject to the GDPR.
This affects practically the entire industry of online advertisers and marketers, and everyone involved in that ecosystem, including, broadly, publishers on the internet that make use of ad networks as an important source of income.
In severity, because the fines for non-compliance are very high: 4% of the global yearly turnover, or 20 million €, whichever is higher.
What is the purpose of the IAB Framework?
The purpose of the IAB Framework is to create standardized cooperation between online publishers, advertisers, and the tech companies supplying consent management, when it comes to meeting GDPR requirements for transparency and user consent.
Within the Framework, these three groups are called “publishers”, “vendors”, and “CMPs” (consent management providers).
What are publishers, vendors and CMPs in the IAB Framework, and what is the relation between them?
- Publishers in the IAB Framework are digital media that publish content on the internet. In general, the publishers represent the first party, i.e. the website that the user has sought access to. In the digital advertising industry, publishers are often dependent on displaying third-party advertisements on their websites in order to monetize views. This is usually resolved by using an ad network that directs relevant ads to the users accessing the publishers’ content. In the context of the IAB Framework, ad networks and advertisers are called “vendors”.
- Vendors in the IAB Framework are the third-party advertisers that the publisher has chosen to partner with. The vendors display third-party content on the publishers’ website. They are the ones setting marketing cookies on the end-user’s browser, in order to display relevant ads to potential customers.
- Consent management providers (CMPs) supply the technology that enables user consent for processing data on the publishers’ website. In the IAB Framework, they signal the end-users’ consent settings to the vendors operating on the current website.
How the IAB Framework works
In practice, the IAB Framework functions as a system for communicating the state of user consent between first parties (i.e. publishers), third parties (i.e. advertisers), and the consent management provider in use on the first party’s website.
In the IAB Framework, publishers select their vendors of choice from a list of vendors that have enrolled in the Framework.
This list is called the Global Vendor List or “GVL”.
In order to participate in the Framework, the vendor has agreed to a set of conditions, such as…
- Updating their code so that cookies are not set unless they have received a consent signal from a CMP, or unless they have an applicable legal basis to set a cookie.
- Not processing personal data for a purpose that relies on consent until they have received a consent signal directly from a CMP or in any given online request for that purpose.
Hence, one may think of the Global Vendor List as a sort of registry of “whitelisted” vendors that have adhered to the rules of the Framework.
When a publisher enrols in the IAB Framework, they select one or more vendors from the Global Vendor List that they want to partner with.
The consent status of the user is stored in a first-party cookie in the user’s browser, and shared down the advertisement chain of information in the IAB Framework.
Once the user has made their selection, these vendors (and not others) have access to processing the user’s data for the relevant purposes.
It is worth being aware that the IAB Framework is built on a principle of voluntariness. The consent status of the user is signaled to the vendors, but there is no guarantee that the vendors will actually respect these choices.
This is worth noting, because in the case of a breach, the GDPR will hold the first party whose website the user has accessed responsible.
Therefore, even though one has committed to the Framework, it is a good idea to be extra thorough when implementing consent management software on one’s website.
Cookiebot, for example, blocks non-consented vendors, thereby giving control back to the publisher who, at the end of the day, is the one held liable by the GDPR for all tracking performed by third parties on their website.
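The difference between signalling consent and enforcing it can be shown as an added example (not Cookiebot's or the IAB's code): a publisher-side gate that loads a vendor's tag only when the vendor is on the list, was selected by the publisher, and the user has consented. The function names, data shapes and vendor list are hypothetical and constructed for illustration.

```javascript
// Added example, not Cookiebot or IAB code. All names and data shapes are
// hypothetical; the vendor list below is constructed sample data.

// Constructed stand-in for the Global Vendor List: id -> vendor entry.
const sampleGvl = new Map([
  [1, { name: "Example Ads A", scriptUrl: "https://ads-a.example/tag.js" }],
  [2, { name: "Example Ads B", scriptUrl: "https://ads-b.example/tag.js" }],
  [3, { name: "Example Ads C", scriptUrl: "https://ads-c.example/tag.js" }],
]);

// Decide, on the publisher's side, which vendor tags may load.
// consent is null until the user has acted (prior consent: nothing loads),
// otherwise { marketing: boolean, vendorIds: number[] }.
function decideVendorLoads(gvl, publisherVendorIds, consent) {
  const allowed = [];
  const blocked = [];
  for (const id of publisherVendorIds) {
    const vendor = gvl.get(id);
    let reason = null;
    if (!vendor) reason = "not on vendor list";
    else if (consent === null) reason = "no consent given yet";
    else if (!consent.marketing) reason = "marketing opted out";
    else if (!consent.vendorIds.includes(id)) reason = "vendor not consented";
    if (reason) blocked.push({ id, reason });
    else allowed.push({ id, scriptUrl: vendor.scriptUrl });
  }
  return { allowed, blocked };
}

// Only vendors in `allowed` get a script element. The rest never run, so
// the outcome does not depend on a vendor honouring a consent signal.
function injectAllowed(decision, doc) {
  for (const { scriptUrl } of decision.allowed) {
    const el = doc.createElement("script");
    el.src = scriptUrl;
    el.async = true;
    doc.head.appendChild(el);
  }
  return decision.allowed.length;
}
```

In a browser, `injectAllowed(decision, document)` would be called again whenever the user changes their settings, after removing tags that are no longer allowed.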
How do I get GDPR compliant cookie consent in the IAB Framework?
As a publisher participating in the Framework, you first choose which vendors you want to cooperate with from the Global Vendor List in the IAB.
Then, you can partner up with a consent management provider (CMP). This is not compulsory: you may also operate without a CMP, and take care of the consents yourself.
Either way, it is very important to ensure that the setup for obtaining consents is compliant with the GDPR.
The Framework is a step towards standardized compliance, but it does not in and of itself guarantee compliance.
As mentioned above, within the IAB Framework, the consent status is only signaled to the vendors, but in reality, it is up to vendors and advertisers whether they choose to respect it.
Be careful when choosing your CMP in the Framework (or when taking care of the consents, if you choose to do so yourself), and make sure that the requirements listed below are met.
Requirements for compliant consent in the GDPR
In order for your consent management to comply, it has to be…
- Informed: What data is processed and for what purpose? It must be clear to the user what the consent is being given for.
- Based on a true choice: the user must not be coerced into accepting the cookies.
- Given by means of an affirmative and unambiguous action.
- Given before the initial data processing takes place.
- Withdrawable. It must be as easy for the user to withdraw the consent again as it was to give it in the first place.
- The user has the right to be forgotten. At the user’s request, all of his or her personal data must be properly deleted.
- All given consents must be recorded as documentation that the consent was given.
How does Cookiebot integrate with the IAB Framework?
Cookiebot is one of the few fully compliant consent management software solutions on the market.
In response to requests made by Cookiebot users and resellers, an integration between Cookiebot and the IAB framework has been developed as an optional supplement to the core consent framework in the Cookiebot solution.
The integration consists of an “opt-in/opt-out to marketing cookies” signal that is sent to all relevant vendors.
It can easily be implemented by means of a simple change in the Cookiebot script on the website.
We recommend regarding the integration as a supplement to, and not a replacement for, the regular Cookiebot solution.
This is due to the principle of voluntariness of the IAB Framework, where the state of consent is signalled to the vendors, but where there is no guarantee that the vendors will actually respect these choices.
In the case of a breach, the GDPR will generally hold the first party, whose website the user has accessed, i.e. the publisher, responsible.
Therefore, even though one has committed to the Framework, it is a good idea to be thorough when implementing consent management software on one’s website.
Also, in the standard setting of the Framework, the user is presented with a potentially long list of vendors that they might not even have heard of before, and must decide whether they want to share their data with them.
When implementing Cookiebot as CMP, non-consented cookies are blocked, thereby restoring the control to the website owner, who is the responsible party for the cookies that are set on their users’ browser.
With Cookiebot, all cookies and tracking in use on a website are paused until consent has been given.
This functionality corresponds to the requirement for prior consent.
All cookies and tracking in use on the website are detected by the Cookiebot scanner, and grouped into four intelligible categories. In the case of the multilevel template illustrated below, the user may check or uncheck categories directly from the consent banner that appears upon their first visit to the website.
This way, the user gets full insight and control without being overwhelmed by information or unnecessarily interrupted in their browsing experience.
Should a user want a detailed overview of the cookies, he or she can simply click ‘Show details’, whereby all cookies are displayed in a folded-out version of the banner, showing every cookie, where it comes from, its purpose and other relevant information.
When a user has made their choice, let’s say they have opted out of marketing cookies, these types of cookies will stay paused and will never be activated, for as long as the user does not change their setting.
This way, the website owner has full control over the compliance of the cookies set from their website, whether they are first-party or third-party in origin.
Once a month, Cookiebot performs a scan of the entire website and subpages for cookies and other tracking in use, and sends a report to the website owner.
The user can easily change their cookie settings from within the cookie declaration on the website.
Once a year, the consent will automatically be renewed.
All given consents are securely stored as proof that the consent was given.
The free scan audits up to five subpages of your website and sends a report of all of the cookies and tracking in use and their compliance with the GDPR and the ePrivacy Directive, thereby giving an indication of whether the website is compliant or not.