Privacy & Consent

“Better Late than Never”: Google to Join IAB Consent Framework by August

Google is getting ready to make GDPR-compliance easier for AdX/AdSense publishers.

Before May 25th, publishers had two ways to collect and pass GDPR-compliant consent to Google demand. They could either create their own consent mechanism or use Google’s Funding Choices platform.

Neither was viable for two reasons:

  • Most publishers lack the resources to develop and implement custom consent mechanisms, and
  • Turns out, Funding Choices program is in closed beta.

In the week leading up to May 25th, Google announced that it will become a part of the industry-wide IAB Transparency and Consent Framework.

For those who don’t know it, here’s a little background on this IAB consent thingamabob:

What is IAB’s Consent Framework?

On April 25th, IAB Europe (Internet Advertising Bureau) released a set of technical guidelines for ad tech vendors, specifying how consent will be captured and transmitted across the programmatic labyrinth. It’s called the Transparency and Consent Framework (TCF).

What it does: Like OpenRTB specs standardized real-time bidding amongst all ad tech vendors, TCF aims to standardize how the entire programmatic supply chain handles consent. It applies to everyone – from advertisers (DSPs), DMPs, exchanges, networks, and ad servers; all the way to publishers.

The framework defines how all of these parties must 1.) capture explicit consent, 2.) read the user opt-ins/outs from within the ad requests – in a manner that is right and proper under GDPR.

How it works: There are two lists – one for demand and supply side vendors (called the Global Vendor List, or GVL), and another for CMPs that are registered with IAB and work as specified in the framework.

The CMPs will be responsible for, among other things:

  • Blocking all ad requests on page load
  • Displaying a consent message to visitors – which lists publisher’s demand sources/measurement partners, along with data they need and what they’ll use it for
  • Sending appropriate signals to the listed partners per the users’ opts-in/outs.

The Vendors in GVL will follow the framework’s protocol to, among other things:

  • Read the opt-in/out signal sent with the ad requests
  • conduct the auctions and revert with ads as per users’ choice of personalization

There are three IAB defined Data Purposes for publishers’ demand partners. Each vendor will need to ask for user consent for these three purposes to continue ad serving as before. These are important and listed on Page 11 of Transparency and Consent Framework – Version 2018-04-25.2) (PDF link):

1.) Information Storage and Access  (“cookie” permission) Where a vendor can store and read the following information on/from their device – cookies, device ID, advertising ID, city-level IP addresses, etc.

2.) Personalization Where a vendor can continuously collect user’s session information and use it to target ads to that user, across the web.

3.) Ad selection, delivery, reporting (non-personal information processes) Where a vendor can only use non-personal data to – keep track of ads rendered and their frequency,  measure views/ clicks on ads (on one site/app), etc.

What it means for Google publishers: It means freedom to use a readymade consent management solution to handle the practical/technical side of GDPR,  for all demand partners – including Google AdX/AdSense.

But before you rush to sign up with that CMP you’ve been eyeing for weeks, note that Google will fully integrate with TCF by August. Here’s a phase-by-phase breakdown of Google’s integration timeline and what publishers can expect from each phase-completion, summarized below:

Phase 1. Non-Personalized Ads from Google’s own Demand

By the end of Phase 1, publishers will be able to serve non-personalized ads if the user consents to IAB-defined Data Purposes 1.) and 3.) but not 2.).

Note that this solution will only bring non-personalized ads from AdX/AdSense, and not from third-party demand sources Google works with (listed in Ad Technology Providers). This may affect publishers whose inventory is often bought by 3rd-party-demand via open auctions, First Look, Exchange Bidding etc.

Phase 2. Personalized Ads from 3rd Party Demand

By early June, Google will be able to send ad requests with user choices to 3rd Party Buyers it works with, but only if the user consents to all three necessary IAB-defined data purposes.

By early June, we will add support to enable personalized ad serving for publishers using the IAB’s framework. This will be an interim solution that translates IAB managed consent to Ad Technology Provider settings and, when all Ad Technology Providers and required purposes (1, 2 and 3) are consented, enables personalized ads.

Phase 3. User’s Choice of Ads, from All the Demand

Google expects to finish integrating with the IAB consent framework by August.

This will let publishers serve personalized ads based on users’ consent for their choice of ad technology providers, or serve non-personalized ads.

What this means is that ad calls with user’s consent for one or more data purposes will reach the vendor they select it for.

For instance, say you ask a user for consent on behalf of your demand partners A, B, and C for all three purposes (1. cookies, 2. ad targeting, and 3. ad measurement). Suppose the user opts-out of 2, and opts entirely out of C. The resulting ad calls would contain a signal to show contextual ads only, which will go to A and B.

All that’s gotta wait until August. For the moment, Google’s GDPR-compliance options for publishers include using a non-IAB CMP or letting publishers build their custom consent solution. Both of these involve making some changes in code so ad requests sent to Google’s demand can be read (for personalized ads). Non-personalized ads, for most nations in European Economic Area, are a-okay.