GDPR Implementation - IAB Europe (https://iabeurope.eu), feed retrieved Mon, 23 Oct 2023 11:35:01 +0000

IAB Europe Webinar Recording: TCF v2.0 – The full overview for Publishers
https://iabeurope.eu/iab-europe-webinar-recording-tcf-v2-0-the-full-overview-for-publishers/
Mon, 20 May 2019 23:00:00 +0000

IAB Europe, in partnership with the IAB Tech Lab, announced on 25th April that the Policies and Technical Specifications for version 2.0 of the Transparency & Consent Framework (TCF) are being made available for public comment. The opportunity to comment will last for 30 days, up to 25th May 2019.

During this consultation period, IAB Europe hosted a webinar for Publishers, to provide a full overview on the TCF v2.0. This 1.5-hour information session includes a 45-minute presentation from key contributors to TCF v2.0 and a 45-minute Q&A session to answer questions from participants.

Download the Presentation slides HERE. And watch the Video recording HERE.


Note: Due to technical issues encountered in the first webinar, the recording above is a second recording. As a result, the names or titles of the speakers may have changed between the first and the second recording.

Blog Series: “I’m a CMP. Am I doing it right?” #2 CMP UI/UX Requirements / Part 3
https://iabeurope.eu/im-a-cmp-am-i-doing-it-right-2-cmp-ui-ux-requirements-part-3/
Tue, 29 Jan 2019 00:00:00 +0000

CMPs must adhere to TCF Policies and UI/UX requirements

Last year’s enforcement decision by the CNIL against French mobile ad tech company Vectaury has sent shockwaves through the CMP community, because the French regulator deemed Vectaury’s CMP to be in breach of GDPR requirements for valid consent. Key shortcomings of Vectaury’s CMP could have been easily avoided had it followed the TCF Policies for CMPs more closely. We therefore urge all CMPs to ensure that they are implementing the TCF Policies correctly. This is even more important given the responsibility CMPs have towards the Publishers they work for, as well as towards the Vendors who rely on the consent signals they create.

Beyond the need for CMPs to register with the Framework in order to send TCF-compliant consent signals, the signals CMPs generate are only reliable if they comply with the law. IAB Europe and its members have made considerable efforts to understand the GDPR’s legal requirements for consent, and have published a Working Paper on Consent since the adoption of the GDPR in 2016. These efforts have been woven into the TCF Policies, notably into Appendix B on UI/UX Guidelines and Requirements. The TCF FAQs give further clarity on UI requirements (see p. 11-13 and p. 22).

In summary, these are some key elements of a compliant CMP UI under the TCF Policies:

  • Initial layer of the UI must be prominently displayed, covering all or substantially all of the content of the page or app. Information to be provided on this initial layer of the UI must at minimum include:
    • Multiple parties will be accessing and/or storing information, such as cookies, on the user’s device and processing their personal data, with examples of the types of personal data involved.
    • A link to the enumerated list of named third parties (Vendors).
    • The Purposes for which the Publisher and its third party Vendors wish to access and/or store information, such as cookies, on the user’s device and process their personal data using the standard names provided in the Vendor List.
    • An explanation that the user is asked to provide their consent and can change their mind at any time and withdraw consent, as well as an explanation of how to do so (e.g. link at the footer of the page or in the privacy policy that allows resurfacing the CMP UI). A user should also be informed of the consequence of consenting and/or not consenting.
    • Calls to action of equal visual prominence that at a minimum include a way to consent and a way to access advanced options and information.
  • Options and information that must at minimum be provided in secondary layers of the UI include:
    • Users must be able to review the Purposes, including their standard definitions, and (if applicable) exercise granular choices regarding these Purposes.
    • Users must be able to review the enumerated list of named third parties (Vendors), and have access to the information made available on the Vendor List by Vendors. This information must, at a minimum, include:
      • Vendor’s name
      • Link to Vendor’s privacy policy
      • The Purposes for which the Vendor processes personal data
      • The legal basis or bases relied upon by the Vendor by Purpose
      • The Features the Vendor relies on when processing personal data

Moreover, it should be noted that consent signals, by their very nature, can only be created on the basis of a clear affirmative user interaction with the CMP that unambiguously signifies the user’s consent to the processing. Creation of consent signals by CMPs or others absent such a clear user interaction is therefore not permitted.

Blog Series: “I’m a CMP. Am I doing it right?” #1 CMP Registration and CMP IDs – IAB Europe’s new blog series to help CMPs / Part 2
https://iabeurope.eu/im-a-cmp-am-i-doing-it-right-1-cmp-registration-and-cmp-ids/
Mon, 14 Jan 2019 00:00:00 +0000

CMPs must register with IAB Europe and use their assigned ID

Last week, IAB Europe sent Vendors and CMPs registered for participation in the TCF a reminder that the Framework’s Policies require all CMPs to register with IAB Europe, and that Vendors may only work with CMPs that comply with the Policies. The communication alerted TCF participants to the fact that any signals not associated with a valid CMP ID should be considered invalid for the purposes of the TCF. This means that Publishers who operate or use CMPs that have not registered with IAB Europe, or that have failed to tag their consent strings with their assigned CMP ID, will very likely see a change in Vendor behaviour moving forward.

The requirement that CMPs register with IAB Europe is necessary because of the CMP’s importance in the TCF as the entity that provides transparency to users about how their data is processed and requests users’ consent to data processing. Vendors rely on the signals created by CMPs to know whether information has been disclosed to users and whether users have given their consent to processing. These signals are only reliable when generated by CMPs in accordance with the technical specifications and Policies of the Framework, including the UI/UX requirements. As originators of consent strings, CMPs must be clearly identified by their CMP IDs so that Vendors reading consent strings can trace their origin. A CMP ID is only assigned to a CMP once registration is completed and approved by IAB Europe.

When CMPs register with IAB Europe, they contractually agree to adhere to the technical specification and Policies of the Framework, which allows IAB Europe to ensure and support CMP adherence to the Policies.

Without the Framework and its standardising function there is no scalable way of passing consent strings and other information in a reliable and interoperable way. Without registration, participation by CMPs in the Framework is not possible and CMPs cannot send TCF-compliant consent signals.

CMPs are therefore strongly urged to ensure that (1) they have completed registration with IAB Europe using the registration portal for CMPs; (2) they comply with the TCF’s technical specification and Policies; and (3) consent strings they generate include the CMP ID that has been assigned to them by IAB Europe. IAB Europe maintains a list of CMPs and their assigned CMP IDs, which can be consulted to determine which CMPs are registered and what their CMP ID is.
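The check the post describes, that a consent string not tagged with a registered CMP ID is treated as invalid, as an added example that is not IAB Europe’s or the TCF’s own code. The bit layout is assumed from the public TCF v1.1 consent string specification (the post itself does not describe the wire format); the set of registered CMP IDs and the sample values are constructed for the example. It also shows why a vendor without a slot in the string (an ID above MaxVendorId) can never receive consent through it.

```python
import base64
import binascii
import time

# Header layout of a TCF v1.1 consent string as (field, bit width), in order.
# Assumed from the public v1.1 specification, not from the blog post.
HEADER_FIELDS = [
    ("version", 6),
    ("created", 36),            # deciseconds since the Unix epoch
    ("last_updated", 36),
    ("cmp_id", 12),             # ID assigned by IAB Europe at registration
    ("cmp_version", 12),
    ("consent_screen", 6),
    ("consent_language", 12),   # two 6-bit letters, A=0 .. Z=25
    ("vendor_list_version", 12),
    ("purposes_allowed", 24),   # purpose 1 is the most significant bit
    ("max_vendor_id", 16),
    ("encoding_type", 1),       # 0 = bit field, 1 = range encoding
]
HEADER_BITS = sum(w for _, w in HEADER_FIELDS)

# Constructed stand-in for IAB Europe's public list of registered CMP IDs.
REGISTERED_CMP_IDS = {7, 28, 300}


def encode_consent_string(cmp_id, cmp_version, vendor_list_version, purposes,
                          vendor_consents, max_vendor_id, created=None):
    """Build a v1.1 consent string using the bit-field vendor encoding."""
    created = int(time.time() * 10) if created is None else created
    values = {
        "version": 1, "created": created, "last_updated": created,
        "cmp_id": cmp_id, "cmp_version": cmp_version, "consent_screen": 1,
        "consent_language": ((ord("E") - ord("A")) << 6) | (ord("N") - ord("A")),
        "vendor_list_version": vendor_list_version,
        "purposes_allowed": sum(1 << (24 - p) for p in purposes),
        "max_vendor_id": max_vendor_id, "encoding_type": 0,
    }
    bits = ""
    for name, width in HEADER_FIELDS:
        if not 0 <= values[name] < (1 << width):
            raise ValueError(f"{name}={values[name]} does not fit in {width} bits")
        bits += f"{values[name]:0{width}b}"
    # One bit per vendor slot, vendor 1 first; IDs above max_vendor_id have no slot.
    bits += "".join("1" if v in vendor_consents else "0"
                    for v in range(1, max_vendor_id + 1))
    bits += "0" * (-len(bits) % 8)
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def decode_consent_string(s):
    """Parse the header and vendor bit field; raise ValueError on malformed input."""
    try:
        raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not base64url: {exc}") from None
    bits = "".join(f"{b:08b}" for b in raw)
    if len(bits) < HEADER_BITS:
        raise ValueError("consent string shorter than the v1.1 header")
    fields, pos = {}, 0
    for name, width in HEADER_FIELDS:
        fields[name] = int(bits[pos:pos + width], 2)
        pos += width
    if fields["encoding_type"] != 0:
        raise ValueError("range-encoded vendor section not handled in this example")
    n = fields["max_vendor_id"]
    vendor_bits = bits[pos:pos + n]
    if len(vendor_bits) < n:
        raise ValueError("vendor bit field truncated")
    fields["vendor_consents"] = {i + 1 for i, b in enumerate(vendor_bits) if b == "1"}
    return fields


def validate_signal(s, registered_cmp_ids=REGISTERED_CMP_IDS):
    """Policy rule from the post: a signal without a registered CMP ID is invalid."""
    try:
        fields = decode_consent_string(s)
    except ValueError as exc:
        return False, f"undecodable: {exc}"
    if fields["version"] != 1:
        return False, f"unsupported version {fields['version']}"
    if fields["cmp_id"] not in registered_cmp_ids:
        return False, f"CMP ID {fields['cmp_id']} is not a registered CMP"
    return True, f"signal from registered CMP {fields['cmp_id']}"


def vendor_has_consent(fields, vendor_id):
    """A vendor with no slot in the string (ID above max_vendor_id) cannot be consented."""
    if vendor_id < 1 or vendor_id > fields["max_vendor_id"]:
        return False
    return vendor_id in fields["vendor_consents"]


if __name__ == "__main__":
    good = encode_consent_string(7, 1, 42, [1, 3], {2, 5, 30}, 30, created=15400000000)
    print(good, validate_signal(good))
    unregistered = encode_consent_string(999, 1, 42, [1], {2}, 30, created=15400000000)
    print(unregistered, validate_signal(unregistered))
```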

Blog Series: Introducing “I’m a CMP. Am I doing it right?” - IAB Europe’s new blog series to help CMPs / Part 1
https://iabeurope.eu/introducing-im-a-cmp-am-i-doing-it-right-iab-europes-new-blog-series-to-help-cmps/
Fri, 11 Jan 2019 00:00:00 +0000

Things are going well, but there are opportunities for improvement

Since its release in Spring 2018, the IAB Europe Transparency & Consent Framework (TCF) has seen significant uptake. Already, it is the largest collaborative effort by the advertising industry to programmatically provide users with notice and choice about how their data is processed. It has been a key pillar in the advertising industry’s General Data Protection Regulation (GDPR) and ePrivacy Directive (ePD) compliance efforts. More than 460 registered Vendors are receiving and responding to consent signals created by Internet users interacting with over 170 registered Consent Management Platforms (CMPs) spanning thousands of websites and apps. EU users have more transparency and control than ever before.

Despite its success, the TCF remains a relatively new standard with potential for improvement. This is why IAB Europe and its members have been working on a Version 2 since the TCF’s initial release. Version 2 will add new capabilities, including some intended to give Publishers greater control over how Vendors collect and process the personal data of Internet users visiting their websites or apps. It will also provide more flexibility to Vendors in supporting Publisher and Advertiser needs. And, of course, TCF Version 2 will further enhance transparency and control for Internet users.

IAB Europe and its members have also been monitoring the way companies implement the TCF and continue to identify opportunities for improvement. As the TCF is relatively new, it is only natural that despite best efforts some companies and implementations fall short of expectations. For the TCF to be successful, it is critical that all involved implement it correctly, which is why IAB Europe’s first priority is to ensure that CMPs are educated about the proper use and implementation of the Framework. We want to achieve this by continuing and improving our education efforts in the market. But to ensure adherence to technical specifications and Policies and enhance trust in the reliability of the Framework we must ultimately do even more. That is why in the coming months IAB Europe will also be leading a CMP compliance review program, working closely with CMPs to support adherence and compliance with TCF technical specification and Policies.

But what do we mean by CMPs? When IAB Europe refers to CMPs it refers to a defined term in the context of the TCF. Specifically, we mean the entity responsible for providing transparency to users about which Vendors want to process their personal data and for which Purposes, using information published on the Global Vendor List (GVL); for requesting users’ consent to the processing of their personal data; and for creating and sending signals about user choices to Vendors in the form of a consent string.

CMPs must register with IAB Europe, and agree to adhere to TCF technical specifications and Policies, including UI/UX requirements. CMPs within the TCF receive a unique CMP ID that identifies a consent string as having been generated by a specific, identified, registered CMP. IAB Europe maintains a public list of registered CMPs and their assigned CMP IDs, which can be consulted to determine which CMPs are registered and what their CMP IDs are. It is not possible for non-registered CMPs to send TCF-compliant consent strings.

While IAB Europe will be providing more detailed formal implementation instructions to CMPs in the coming months as it finalizes updates to the TCF, this blog series will focus on some of the most common issues we have identified with respect to CMPs.

Blog Series: What you always wanted to know about the Transparency & Consent Framework (TCF) / Part 5
https://iabeurope.eu/blog-series-what-you-always-wanted-to-know-about-the-transparency-consent-framework-tcf-part-5/
Thu, 06 Dec 2018 00:00:00 +0000

On September 25th, we held a 2.5-hour webinar providing a Complete Overview of the IAB Europe Transparency and Consent Framework. As is usually the case, we had many interested attendees who were keen on learning more. While we usually do our best to make these as interactive as possible, we were simply overwhelmed with questions and had to skip over quite a few to be able to remain on schedule. For this reason, we have decided to answer the questions in a series of blogs. This is the fifth and final blog in the series, covering some final policy questions.

Is there a standardisation of data subject rights and how to handle them, i.e. the Right of Access, portability, rectification, restriction of processing, withdrawal and erasure?

Currently we are not aware of any initiative to standardise these data subject rights, nor has IAB Europe undertaken such an initiative. While it would be helpful, it is difficult to standardise this process across various different company types which use different technologies to offer their services.

Earlier this year, we drafted a guidance paper together with members of our GDPR Implementation Working Group on this topic, providing guidance about whether and how to respond to these requests. The working paper can be found on IAB Europe’s website here: https://iabeurope.eu/policy/iab-europe-gig-working-paper-on-data-subject-requests/.

“Do we expect tech partners to turn off/remove all inventory that doesn't gather consent using the Transparency & Consent Framework? A huge amount of inventory still available does not adhere to this framework. Right now, we get users who have consented, users who haven't, and everyone else (who haven't given consent as per the definition of the GDPR).”

The Framework is an ecosystem of parties which have all agreed to the same Terms and Conditions, as well as the same Policies. They make use of the same technical infrastructure to communicate consent (or other legal bases) to each other.

With that said, it is not mandatory to use the Framework; companies are free to make their own decisions on how they implement their requirements under the GDPR, and how they communicate with their tech partners. It is not a requirement for vendors to stop working with any partners who are not using the Transparency & Consent Framework.

However, to protect the integrity of the Transparency & Consent Framework’s Global Vendor List (GVL), it is a requirement that vendors surfaced in a consent interface who aren’t part of the GVL are made clearly distinct from GVL-registered vendors. Consent cannot be communicated to non-registered vendors through the Transparency & Consent Framework as they would not appear as a slot in the consent string.

Are the "revised purposes" simply updates to the text of the existing purposes or are there also new purposes being added?

The revision of the standardized purposes has the goal of simplifying the language for users, while allowing more specificity in specific business models. In answer to the question, this means that the current purposes are being expanded into more specific purposes. The current five purposes were more general and all-encompassing, whereas the new purposes will look to break down into more specific descriptions of processing activities.

The intention is that this will make it clearer to users what is happening to their data, whilst also allowing companies to more specifically elucidate the type of processing they undergo.

Will CMPs and Vendors need to re-register when the new specs are rolled out, to demonstrate conformity?

Vendors and CMPs who are registered on the Global Vendor List will be notified directly of any technical and policy updates to the Framework but will not need to complete registration again if they are already registered.

“I understand the TCF is also open for Advertisers, who also collect data. Can you change the reference of "publishers" into "Website/app owners" to make that clear?”

The terminology of ‘publishers’ was chosen to reflect that publishers are the user-facing actors in the online advertising ecosystem. Advertisers who are collecting data would either do so on a landing page, in which they would be acting as a publisher, or as a third party on another publisher’s site, in which they would be considered a third-party vendor.

The Transparency & Consent Framework’s policies also provide the following definition:

“‘Publisher’ means an operator of a website, app, or other content where digital ads are displayed or information is collected and/or used for digital advertising, and who is primarily responsible for ensuring the Framework UI is presented to users and that legal bases, including consent, are established with respect to Vendors that may process personal data based on users’ visits to the Publisher’s content.”

Have any questions? Please don’t hesitate to reach out! Contact us at framework@iabeurope.eu

Blog Series: What you always wanted to know about the Transparency & Consent Framework (TCF) / Part 4
https://iabeurope.eu/blog-series-what-you-always-wanted-to-know-about-the-transparency-consent-framework-tcf-part-4/
Tue, 27 Nov 2018 00:00:00 +0000

On September 25th, we held a 2.5-hour webinar providing a Complete Overview of the IAB Europe Transparency & Consent Framework. As is usually the case, we had many interested attendees who were keen on learning more. While we usually do our best to make these as interactive as possible, we were simply overwhelmed with questions and had to skip over quite a few to be able to remain on schedule. For this reason, we have decided to answer the questions in a series of blogs. This is the fourth and penultimate blog in the series, dealing with questions about the policies of the IAB Europe Transparency & Consent Framework.

How does the IAB Europe Transparency & Consent Framework support cross-publisher consent? What happens when a user consents to a vendor on one publisher, but doesn’t give consent for that same vendor on another publisher’s site?

The IAB Europe Transparency & Consent Framework’s policies do allow consent to be gained across multiple publishers, which is called ‘global consent’ in the policies of the Framework. Service-specific (meaning for a particular site) disclosures and consent take priority over global consent. If a user makes a global consent choice first, and then later makes a service-specific choice, the service-specific choice will determine the user’s consent status for that service.

This means that for the second question, the consent that hasn’t been given on the other publisher’s site would take precedence over the first publisher’s site, because it is both more recent and more specific. The Consent Management Provider (CMP) has a duty to resolve any conflicts of this kind.

Do the companies collecting data on the basis of a legitimate interest also have to be called by name, i.e. in the privacy policy?

We believe that in order for processing of personal data to be lawful, the user must know who is processing their data and for what purpose.

Putting this information only in a privacy policy that the user is not directed to in the first instance runs the risk of not being considered a proper disclosure by data protection authorities. It would be more appropriate to surface this information in a CMP interface.

I'd like to understand what the 6 co-equal legal bases [of the GDPR] are. It wasn't clear in the presentation.

The GDPR provides for six co-equal legal bases which are enumerated in Article 6(1). The six legal bases are, in order:

  • The data subject gives their consent to the data processing.
  • Processing that is necessary to perform a contract that the data subject is party to, or it is necessary to provide pre-contractual information requested by the data subject. For example, an online shop processing payment information and a home address of the data subject to receive payment and to deliver the goods.
  • Processing that is necessary to comply with a legal obligation. For example, maintaining records of whether you have a legal basis to process personal data is in itself processing of personal data, but it is justified because the law requires this processing.
  • Processing necessary to protect the vital interests of the data subject. The common example is processing medical data for an unconscious person - they are unable to give explicit consent, but it is in their vital interest that a doctor gets access to it.
  • Processing necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller. This speaks to law enforcement.
  • Processing necessary for the purposes of a legitimate interest pursued by the controller or a third party. This is the ‘legitimate interest’ legal basis, which requires a balancing test conducted by the controller. The legitimate interest must be balanced against the individual’s rights and freedoms, so it has to be justified by the controller. Any legal goal pursued by a controller could qualify according to case law (these interests may not be pre-defined) and the GDPR calls out direct marketing as an example of a legitimate interest.

Would you say consent to cookies provided by users using the IAB Europe Transparency & Consent Framework equals that provided by a user when using its web browser? E.g., yes to all cookies, no to third parties, etc.

The IAB Europe Transparency & Consent Framework allows users to express their consent, or lack thereof, granularly to (a) the setting of cookies under the rules of the ePrivacy Directive; (b) the processing of their personal data for each of the purposes standardized by the Framework; and (c) specific Vendors setting cookies and/or processing personal data. It is therefore significantly more granular than an “all or nothing” approach.

Is there a complete definition of how IAB Europe has interpreted the 5 purposes?

The current five data processing purposes are fully defined in the Transparency & Consent Framework Policies, and expanded on in the FAQs document. The descriptions used represent the standardized interpretation of the current processing purposes. These five purposes were defined by IAB Europe in conjunction with our members as part of the launch of the Framework.

As part of a large update to the Transparency & Consent Framework, we are working with our industry partners to define more granular and ‘user-friendly’ purposes.

There appear to be a few growing pains with the initiative. A fair percentage of "consents" are obtained via pre-checked boxes and/or are binary (i.e., yes/no without listing the types of parties). What do you see as the path towards raising the bar on consents overall? Timeline?

It is complicated to define where to ‘set the bar’ on gathering of consent, due to different approaches by different data protection authorities in Europe. While the GDPR is clear in what it requires for valid consent (an affirmative action, freely given, specific, and informed), there is still room for interpretation by data protection authorities on what each of these factors requires. An affirmative action may in some markets constitute scrolling down after being served a consent notice, whereas others require an obvious yes/no choice to be presented. Authorities may also have different interpretations of when consent is considered freely given, and what level of granularity is considered specific enough.

Due to these differences, the IAB Europe Transparency & Consent Framework leaves freedom for publishers and their CMPs to interpret how best to adapt their interface to their relevant market(s). In terms of specificity of purposes, the Framework draws a very clear baseline of requiring proper disclosure of the relevant defined purposes.

In future, it is foreseeable that a more precise legal understanding will be developed through interpretations from judicial bodies. An EU-wide understanding is only likely to arise from a judgment at the Court of Justice of the European Union. If a clear standard is developed, then the Framework will be adapted if necessary to uphold this.

The CNIL’s VECTAURY Decision and the IAB Europe Transparency & Consent Framework
https://iabeurope.eu/the-cnils-vectaury-decision-and-the-iab-europe-transparency-consent-framework/
Wed, 21 Nov 2018 00:00:00 +0000

On 30 October, the French data protection authority (CNIL) published a notice declaring that French start-up company VECTAURY failed to meet conditions for valid consent under data protection law and ordering the company to cease processing geolocation data for advertising purposes without an appropriate legal basis. VECTAURY has been ordered in particular to ensure it obtains GDPR-compliant consent from users of the apps from whom VECTAURY receives real-time bidding opportunities before processing these users’ data moving forward. In addition, the CNIL ordered VECTAURY to delete all data obtained on the basis of the invalid consent.

Some commentators have suggested that VECTAURY ended up in the CNIL’s cross-hairs because it built a Consent Management Provider (CMP) that implemented the IAB Europe Transparency & Consent Framework (TCF). VECTAURY registered itself as a TCF CMP in May of this year.

The suggestion is wrong: the CNIL’s investigation started prior to VECTAURY ever registering itself as a TCF CMP. In addition, on many of the points on which the CNIL considers VECTAURY’s conduct to have violated the General Data Protection Regulation (GDPR), it also violated the TCF’s policies. Indeed, had the company adhered to those policies, not only would it have been better-placed to meet its obligations under the law, but some of the most problematic of the concerns raised by the CNIL would have been addressed.

Why the CNIL found VECTAURY’s conduct to have breached the GDPR

In its notice, the CNIL finds that in two scenarios VECTAURY did not have a legal basis for the processing of personal data under the GDPR: first, where VECTAURY collected and processed geolocation data from users of mobile apps via its SDK, and second, where it collected and processed personal data received in real-time bids for inventory on mobile apps.

The legal basis claimed by VECTAURY was the consent of the users whose data was processed. The CNIL’s notice declares that in both scenarios, VECTAURY and its partners failed to meet the conditions for valid consent – and as a result it could not serve as a legal basis for processing.

Conduct that failed to meet requirements of the GDPR

In the first scenario, where VECTAURY collected and processed geolocation data from users of mobile apps via its SDK, the CNIL noted that the default Android OS or iOS notification windows asking for the user’s permission for geolocation data to be collected did not allow VECTAURY to obtain valid consent. VECTAURY then developed a CMP built on the basis of the TCF as a suggested way forward, which it submitted to the CNIL. The CNIL opined that while VECTAURY’s CMP would improve transparency for users, it still did not meet the CNIL’s standard for valid consent, because it (a) failed to ensure that users were appropriately informed of the identities of the companies that wished to process their data, and (b) failed to ensure that consent was expressed by a clear, affirmative action.

The notice states that in some circumstances, users were not made aware of the fact of VECTAURY (or other companies) seeking consent to process their data at all, and in a consent request UI developed by VECTAURY the default settings didn’t require users to toggle the settings or take some other action in order to convey their agreement.

In both cases, VECTAURY’s CMP also failed to meet its obligations under the TCF’s policies.

In order to be valid under the GDPR, consent must be “informed” and “specific”. Users need to know which companies wish to process their data, and for what purposes. Other information disclosures must accompany this transparency about who is requesting consent, and why. If VECTAURY's partners failed to disclose to their users the fact that VECTAURY was one of the companies seeking consent to process their personal data, the conduct of both the partners and VECTAURY was clearly non-compliant. The TCF’s policies require that a consent request conveys to the user both the identities of the companies that wish to process the user’s personal data and the purposes of the processing, in a way that enables the user to appreciate that each purpose and each company is distinct and separate from the others.

On the “affirmative action” item, the position is also unambiguous. VECTAURY appears to have implemented a consent UI in which a user would be considered to have consented to data processing despite taking no affirmative action of any kind to convey agreement. This is a clear breach of the GDPR and of the TCF’s policies, both of which require a user to affirmatively consent.

Conduct that failed to reflect data protection authorities’ opinions

Some of the conduct that the CNIL interpreted as being in breach of the GDPR had to do with how information was presented in the UIs of the apps with whom VECTAURY partnered. Here the CNIL relied on opinions from the Article 29 Working Party of European data protection authorities (DPAs) – and in some cases on its own interpretation of that guidance – to arrive at its finding of illegality.

For example, the CNIL found that the UI in the apps did not inform users of all the controllers who were seeking consent for data processing at the exact moment – or in the exact UI layer – as the request for consent. Similarly, detailed information on the data processing for which consent was being requested was not provided simultaneously. Also, the CNIL found the language used to explain to consumers why data needed to be processed to be hard to understand.

These are more subjective items on which reasonable people can disagree.  In the case of presentation to users of the details of the controllers seeking consent simultaneously with the consent request itself, CMPs need to make a judgement about how much information users can assimilate in a single screen.  It appears that the UI that VECTAURY implemented in the CMP it recommended to its app partners required the user to click on several links in order to navigate to the list of companies that wished to process their data (including VECTAURY).  Arguably a better implementation would have reduced the number of clicks required. Indeed, the TCF’s policies require a link to be provided to the list of companies and for the processing purposes to be disclosed on the first layer of a consent notice.

Helpful information for ongoing work of improving the TCF

In the case of the definitions of data processing purposes for which user consent was being sought, here the CNIL clearly has a point.  But striking the right balance between specificity and granularity, on the one hand, and simplicity and ease of comprehension, on the other, is not easy.  The definitions that seem to have prompted the finding of illegality include some of the five definitions currently included in the TCF. They are being revised, in a process that began during the summer following our first meetings with DPAs – including the CNIL – to present the Framework.  One objective of the revision is to make the definitions easier for users to understand.

Perhaps more importantly, we need to consider the best way forward for the Framework and for users on the points where the GDPR itself is silent or unclear, including how to reconcile the apparently conflicting imperatives of ease of user experience, on the one hand, and timely and complete information, on the other, when it comes to information disclosures to users in the context of consent requests.

The CNIL’s discussion of the second scenario, where VECTAURY obtained and processed data received through bid requests, has also made it evident that we will have to do more to support proper implementations by CMPs of the rules of the Framework and the GDPR. This is imperative if the TCF’s signals are to be trusted by the companies who rely on them to mean that appropriate transparency has been provided to users and valid consent has been obtained. The Framework’s signals need to be reliable, since the CNIL confirmed that it expects a company to be able to ensure and demonstrate that the consent it relies on is valid at its source, and that putting in place contractual provisions does not meet the requirement of demonstrating that consent is valid. As it is entirely unfeasible for millions of websites and apps to be individually vetted by thousands of technology partners, we need a trusted Framework whose proper implementation can ensure and signal that transparency and consent have been established in line with the GDPR.

Ongoing dialogue with DPAs

We welcome the prospect of discussing these issues with the CNIL and with other DPAs over the coming months.

VECTAURY is under review within the TCF

Having been made aware of a possible breach of the TCF’s policies by VECTAURY’s CMP, we will launch a review of the same. We expect to support the company in its efforts to adhere to the TCF’s policies, and accede to the CNIL’s order.

More info

For more information on TCF roll-out and GDPR legal compliance for the digital advertising industry, please write to us at matthiesen@iabeurope.eu or feehan@iabeurope.eu,  or check out https://advertisingconsent.eu.

Minor Update to the Policies of the IAB Europe Transparency & Consent Framework relating to CMPs
https://iabeurope.eu/minor-update-to-the-policies-of-the-iab-europe-transparency-consent-framework-relating-to-cmps/
Tue, 02 Oct 2018 23:00:00 +0000

IAB Europe has published a minor change affecting the Policies of the IAB Europe Transparency & Consent Framework (“Framework”) on Wednesday, 3 October 2018.

The update exclusively addresses a paragraph under the heading “Working with Vendors” in the “Policies for CMPs”, that could have been understood as requiring CMPs to work exclusively with Vendors who participate in the Framework.

Such an exclusivity paragraph is inconsistent with the “Policies for Interacting with Users”, which stipulate that the UI must prominently distinguish between Framework participants and others and avoid confusing or misleading users about the Framework participation of any of the disclosed parties.

To resolve this inconsistency and address confusion it has caused, IAB Europe deleted the exclusivity language under the heading “Working with Vendors” in the “Policies for CMPs”, and replaced it with the following wording:

“If a CMP works with Vendors who are not registered with the MO, the CMP must make it possible for users to distinguish between Vendors registered with the Framework, and those who are not. CMPs must not mislead others as to the Framework participation of any of the Vendors who are not registered with the MO.”

No other changes have been made to the Policies at this time.

The new Policies Version 2018-10-03.2a replace the previous Version 2018-04-25.2.

IAB Europe Webinar Recording: The IAB Europe Transparency & Consent Framework - A complete overview
https://iabeurope.eu/iab-europe-webinar-recording-the-iab-europe-transparency-consent-framework-a-complete-overview/
Sun, 30 Sep 2018 23:00:00 +0000

The IAB Europe Transparency & Consent Framework is an open-source, not-for-profit industry standard that helps all parties in the digital advertising chain ensure that they comply with the EU’s General Data Protection Regulation and ePrivacy Directive when processing personal data or accessing and/or storing information on a user’s device, such as cookies, advertising identifiers, device identifiers and other tracking technologies.

With this webinar on 25 September, IAB Europe offered a complete overview of the Transparency & Consent Framework to date including a deep dive into:

  • Governance
  • Policy Documentations
  • Technical Specifications
  • Practical Implementations

Speakers included:

  • Townsend Feehan, CEO, IAB Europe
  • Matthias Matthiesen, Director – Public Policy & Privacy, IAB Europe
  • Julia Shullman, VP, Chief Privacy Counsel, AppNexus
  • Jennifer Derke, Director of Product Programmatic, IAB Tech Lab
  • Somer Simpson, Head of Product and Growth, Quantcast
  • Pooja Kapoor, Head of GDPR & Data Trust Initiatives
  • Christer Ljones, Head of Product advertising strategy, Schibsted Media
  • Jonas Dobravolskas, Product Director, AdForm
  • Stevan Randjelovic, Brand Safety Manager, EMEA, GroupM

Watch the webinar recording here.

IAB Europe GIG: Working Paper on Controller - Processor Criteria
https://iabeurope.eu/iab-europe-gig-working-paper-on-controller-processor-criteria/
Tue, 18 Sep 2018 23:00:00 +0000

This working paper on controller and processor definitions has been prepared by the members of the IAB Europe GDPR Implementation Group under the leadership of Alan Chapell, of Chapell & Associates. The purpose of this paper is to aid companies in the online advertising ecosystem to understand the definitions of controllers and processors under the GDPR, and to provide some criteria by which they can help understand what their respective role is in relation to their partners.

This is the fifth in a series of working papers published by IAB Europe’s GDPR Implementation Group. IAB Europe’s GDPR Implementation Group brings together leading experts from across the digital advertising industry to discuss the European Union’s new data protection law, share best practices, and agree on common interpretations and industry positioning on the most important issues for the digital advertising sector. The GDPR Implementation Working Group is a member-driven forum for discussion and thought leadership; its important contribution to the digital advertising industry’s GDPR compliance efforts is only possible thanks to the work and leadership of its many participating members.

The working paper can be read or downloaded HERE.

IAB Europe GIG: Working Paper on Data Subject Requests
https://iabeurope.eu/iab-europe-gig-working-paper-on-data-subject-requests/
Tue, 18 Sep 2018 23:00:00 +0000

Traditionally, the digital marketing industry collects and uses Pseudonymous Data for its services. Often, these technology companies also do not have a direct relationship with individuals. These two factors have led to a number of open questions as to how the digital marketing industry can comply with certain aspects of the General Data Protection Regulation (GDPR).

In particular, data subject rights (Articles 15-22 of the GDPR) are particularly challenging for these companies, since they do not use or store directly identifiable personal data. How do ad tech companies respond to a data subject access request if they do not have the data subject’s name and address on their system to pull the data from? Instead, they store the individual’s cookie and mobile ID. How do they subsequently verify that the cookie ID belongs to an individual without the individual’s name and email address, for example? Most companies would need to take an additional step to get the data subject’s name and address to truly identify the individual.

IAB Europe’s GDPR Implementation Group commenced a working group with the collective minds of data protection officers and technologists from various companies helping to think through these issues. The discussions helped craft this guidance document with options as to how to verify a data subject’s request and respond to data rights requests.

Some issues we covered:

  • The first step in this process is determining if you are a controller or processor. Data processors should not reply directly to access requests, unless directed by the controller in a contract or otherwise.
  • The inability to verify that data belongs to the requestor begs the initial question: should digital marketing companies that only collect pseudonymous data respond to data subject right requests?
  • Once a determination has been made to reply, it is strongly recommended that companies create an internal policy for responding to data subject rights, and also for all interactions with data subject access requests, particularly the reasons for denying any such a request.
  • At least one person should be responsible for responding to the data subject requests whether the requests are made via the website, postal mail or email.

The five steps for digital marketing companies to take now:

  1. Determine whether you are a controller or processor;
  2. Ensure you have appropriate procedures and policies in place to respond to data subject rights, including when you have to respond to data subject rights (are you relying on consent or on legitimate interest to collect and/or process the data?) and how you will respond;
  3. Have a verification process in place to ensure the data subject has a right to the personal data that the data subject rights request is tied to;
  4. Make sure your employees in marketing, legal and privacy are properly trained to respond to data subject requests; and
  5. Update your data protection notices to reflect your process and response to data subject rights requests.

It is crucial to emphasise that every technology platform in the digital marketing sector is unique, providing various services to its clients. Consequently, each company will implement processes and procedures that are particular to that company, resulting in different responses to data subject rights obligations.

The working paper on Data Subject Requests can be read or downloaded below:

The IAB Europe Transparency & Consent Framework: CMP Factsheet
https://iabeurope.eu/the-iab-europe-transparency-consent-framework-cmp-factsheet/
Mon, 03 Sep 2018 23:00:00 +0000

The IAB Europe Transparency and Consent Framework is the global cross-industry effort to help publishers, technology vendors, agencies and advertisers meet the transparency and user choice requirements under the General Data Protection Regulation. It has been developed by IAB Europe in collaboration with organisations and professionals in the digital advertising industry.

The Framework has been created to offer flexibility in complying with the law, and to provide a means of transmitting signals of consent from a user to third-party vendors working with publishers. A registry of vendors has been created as part of the Framework, and publishers can use the registry to view which of the vendors they work with are part of it. The Framework enables companies that collect and process data, or that access consumers’ devices to collect and process data, to continue to do so while complying with the GDPR.

Would you like to know the benefits for CMPs? Please download the Factsheet below. 
