It’s been almost a year since GDPR was introduced (May 25, 2018) to strengthen the data privacy of online users. To do so, GDPR rolled out two routes viz. legitimate-interest and consent. Both routes were aimed at informing users/website visitors about ‘when and how their data will be used’. The term GDPR consent string was devised just around this time. But why?
To remain GDPR compliant, publishers had to choose either the legitimate-interest or the consent route. Under legitimate interest, a website gives legally justified reasons for gathering and using its users’ data. Under consent, a website has to ask for the users’ permission before it starts using their data.
Consequently, a lot of publishers had to take the consent route thanks to the guidelines defined by EU GDPR. This is how the industry got GDPR consent string. Let’s find out more about it.
What is GDPR Consent String?
GDPR consent string is information generated by the publisher’s consent management platform. The string is used to identify the consent status of the ad tech vendor(s) who work with the publishers. Meaning, the information shows whether the vendor has or does not have the consent to use the user data for serving personalized ads or other purposes.
The information in the consent string is often also called daisybit, its technical name. Daisybit is the binary form of the information, which is taken as the consent status of a user visiting the website. It looks like a series of ones and zeros, 1 and 0 (we’ll discuss it in detail).
When the information is received and converted into daisybit, it is passed on to all vendors in the ad supply chain. The daisybit establishes ‘which vendor can serve the users with personalized ads, and which cannot.’
The GDPR consent string, a.k.a. daisybit, is part of the GDPR consent framework. Its intent is to help publishers work with the consent process and to make everyone in the digital ad ecosystem GDPR compliant.
Composition of GDPR Consent String
A GDPR consent string stores the following information:
- Who are the vendors
- Do the vendors have user consent or not
- What are vendors’ purposes with the user data
Who are the vendors
The IAB Europe keeps a refreshed list of vendors called the global vendor list. The vendor names mentioned in the GDPR consent string are usually vendors who are part of the global vendor list. All these vendors are a part of the IAB Europe’s transparency and consent framework, hence they are compliant.
Publishers who follow the consent route also maintain a public list of vendors called pubvendors.json. This list declares the data rights which publishers grant to their existing partners and invited vendors.
Do the vendors have user consent or not
As discussed above, the GDPR consent string/daisybit is a series of ones and zeros. This series helps identify whether the vendor has been given consent or not. Here, the ones and zeros are known as bits.
For instance, a publisher might work with 10 different vendors. These vendors can access his/her visitor data and target them with personalized ads. Here, the users get the leverage to allow or deny consent to each vendor separately.
Going by the process, a daisybit or consent string is generated on the basis of user input which may look like this: 1100100101. This is a ten-digit combination where each number implies the consent status given by the user for a vendor.
Looking at this number combination, we can understand 1 is equal to ‘Yes’ (consent allowed), while 0 is equal to ‘No’ (consent denied).
What are vendors’ purposes with the user data
In the GDPR consent string, a ‘purpose’ means the vendor’s reason to collect the user data. The purpose could be anything like user tracking across the web for retargeting, serving personalized and targeted ads, tracking user web sessions, etc. The IAB assigns a separate ID to identify data purposes also.
How Does it Work for Publishers?
GDPR consent string starts with a publisher’s consent management platform before it goes through the vendor(s) and finally reaches the DSP. Once the string gets generated, IAB looks into the inputs to identify which ad tech vendors have been allowed or denied consent.
Generally, there’s a huge volume of vendors to identify from bulk consent strings sent by multiple publishers. Hence, IAB initially assigns unique IDs to all the participating vendors in its global vendor list to easily identify each vendor.
The initially assigned list of IDs is integrated with the received consent string to identify each vendor at once. As soon as vendors are identified, the syntax of numbers in the string, like 1100100101, helps them confirm which vendors have received user consent and which ones have not. The information also shows the vendor’s purpose of collecting the data.
Through this process, the final consent status for each ad tech vendor is communicated to the vendors and the publishers. The consent string is usually visible. Both publishers and vendors can see the consent status of other publishers and vendors.
However, vendors cannot see the purposes of other vendors and publishers. Both the consent status and purpose belonging to any domain, be it publisher’s or vendor’s, is only readable by the CMP.
The Role of Cookies in GDPR Consent String
There are some more aspects for publishers to know about GDPR consent string.
So what if there’s no input received? When an input is received, a cookie is generated which contains the user response (1 or 0). Therefore, in case of no input or a first-time visitor, no cookie is generated. As a result, the consent string does not get initiated and the user is again prompted to input his/her response.
Also to note, the user input received on the website is cookie-information which is further used by the CMP to generate the consent string. Therefore, the cookie becomes subject to cookie erasing or cookie clearing.
When do Publishers Require Consent String?
Publishers work with multiple vendors. They know each vendor has access to their user data, which they can use for their own purposes. Hence, defining a point of control is necessary in order to ethically operate in the digital ad ecosystem.
To do so, publishers refer to consent string. The string acts as a chart which helps them keep track of what data usage rights should be given to which vendor. Lastly, publishers who fail to do so become vulnerable to GDPR non-compliance and liable to hefty penalties/fines.
Publishers who have actively engaged with the GDPR consent string/daisybit process have raised concerns about GDPR consent string fraud. The main question is whether tampering with the GDPR consent string is a threat or not.
Is it possible to change a ‘consent denied’ input into a ‘consent allowed’ input while processing the consent string; all the way from a CMP to a vendor to a DSP? Technically, yes. However, industry experts also say that new security measures are on their way to make meddling with GDPR consent string difficult, if not impossible.
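To make the tampering concern concrete, here is an added example (not from the original article and not part of the IAB framework) that uses the article’s simplified ten-bit string. It assumes a hypothetical setup in which the CMP attaches an HMAC tag to the string so a downstream party can detect a changed bit and see which vendor’s status was altered; the vendor IDs and the key are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample: ten hypothetical vendor IDs, one per bit position.
VENDOR_IDS = [11, 12, 13, 14, 15, 16, 17, 18, 19, 20]
# Hypothetical key shared by the CMP and the party auditing the string.
AUDIT_KEY = b"constructed-demo-key"


def decode(daisybit, vendor_ids=VENDOR_IDS):
    """Map each bit to its vendor: '1' -> consent allowed, '0' -> denied."""
    if len(daisybit) != len(vendor_ids) or set(daisybit) - {"0", "1"}:
        raise ValueError("malformed consent bit string")
    return {vid: bit == "1" for vid, bit in zip(vendor_ids, daisybit)}


def tag(daisybit, key=AUDIT_KEY):
    """HMAC-SHA256 tag the CMP computes when it generates the string."""
    return hmac.new(key, daisybit.encode("ascii"), hashlib.sha256).hexdigest()


def verify(daisybit, received_tag, key=AUDIT_KEY):
    """Constant-time check that the string still matches the CMP's tag."""
    return hmac.compare_digest(tag(daisybit, key), received_tag)


def flipped_vendors(issued, received, vendor_ids=VENDOR_IDS):
    """List vendors whose status differs between issued and received copies."""
    before, after = decode(issued, vendor_ids), decode(received, vendor_ids)
    return {
        "denied_to_allowed": [v for v in vendor_ids if not before[v] and after[v]],
        "allowed_to_denied": [v for v in vendor_ids if before[v] and not after[v]],
    }


if __name__ == "__main__":
    issued = "1100100101"        # the example string from the article
    issued_tag = tag(issued)     # computed by the CMP at generation time
    received = "1110100101"      # constructed: third bit differs downstream
    print("tag valid:", verify(received, issued_tag))
    print(flipped_vendors(issued, received))
```

The comparison in `flipped_vendors` needs the originally issued string, so it suits an audit where the CMP’s own record is available; `verify` alone is enough to reject an altered string in the ad supply chain.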
Going forward, the consent framework is expected to add a new layer of protection and increase adoption amongst small- and medium-sized publishers, and help them settle with a consent management solution and follow a standard process.