A BLOG BY CHLOE GRUTCHFIELD, CO-FOUNDER
GDPR cost me my last job. It shook the foundation of my previous role so much that the European operations closed down in a flash. Coincidentally, GDPR also opened up a huge opportunity for me, to launch something quite simply amazing: RedBud Partners.
In the run-up to May 2018, I attended weekly calls with my previous colleagues, who at the time were based in the US, to discuss all things GDPR-related. During that time, I witnessed my LinkedIn feed transform from a few odd expert opinion posts written by legal/privacy professionals, to 99% of my network claiming to be experts on this very topic.
The final weeks leading to May 25th saw an influx of marketing emails, all desperately seeking my opt-in consent, telling me I’m their most valued customer. In all honesty, these marketing campaigns served me well for finally clearing out my unwanted subscriptions to vendors I don’t actually recall signing up to. What’s more, my personal GP practice sent a GDPR text message (well, nine text messages to be exact. Little over-excited marketing glitch in their system I’m guessing). The messages sought to get my consent to receive 'appointment SMS' notifications. I even got one for my 5-month-old son.
I consented on his behalf. Hopefully he won’t be able to use GDPR against me when he turns 18.
On the 11th April, Verve, my previous employer, decided to opt-out of its European operations, joining a flurry of other concerned organisations: “Ad tech firms are quitting Europe, blaming the GDPR (often as a scapegoat)”.
It seemed I was plagued by the wrath of this looming data malarkey. My GP (the SMS over-zealous one) finally diagnosed me with acute GDPR fatigue. A condition that is still spreading.
For this, I can only apologise.
To come to terms with it all, and close this grey chapter of my life, I decided to self-medicate, and take a peek at how the industry as a whole (in particular publishers) is “embracing” GDPR.
IAB Consent & Transparency Framework
I started my self-medication by getting myself up to scratch with the latest frameworks available. Launched on 24th April 2018, IAB Europe’s GDPR Transparency & Consent Framework has a simple objective: “to help all parties in the digital advertising chain to ensure that they comply with the EU’s General Data Protection Regulation when processing personal data or accessing non-personal or personal data on user devices.”
It offers a standardised framework for publishers and ad tech vendors to capture and share what EU users have consented to when it comes to data processing:
For what purpose they’ve agreed for their data to be processed (measurement, personalisation etc.)
What vendors (ad tech in particular) they are happy for their data to be shared with
The consent of the user (represented by a base64url-encoded string of the concatenated cookie value fields’ bits (1s and 0s)) is captured via a Consent Management Provider (“CMP”) and stored in the user’s browser (in a third-party cookie, for example). The slide below from the IAB Consent & Transparency Framework illustrates well how the consent is stored.
Note that, although not illustrated below, the consent string also contains field values for the metadata of the consent info, e.g. consent string version, CMP ID, when updated, vendor list version etc. More info here.
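As an added example (not code from the IAB or from the original post), the decoder below unpacks the kind of consent string described above into its metadata, purposes and vendors. The field widths come from the published v1.1 cookie format rather than from this page, only the bitfield vendor encoding is handled, and the sample string, CMP ID 99 and vendor list version 75 are constructed.

```python
import base64
from datetime import datetime, timezone

# Header fields of a version 1 consent string as (name, width in bits).
# Widths follow the published IAB TCF v1.1 cookie format, not this page.
HEADER = [("version", 6), ("created", 36), ("last_updated", 36),
          ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
          ("consent_language", 12), ("vendor_list_version", 12),
          ("purposes", 24), ("max_vendor_id", 16), ("encoding_type", 1)]

def decode_consent(s):
    """Decode a v1 consent string whose vendor section is a plain bitfield."""
    raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    bits = "".join(f"{b:08b}" for b in raw)
    out, pos = {}, 0
    for name, width in HEADER:
        if pos + width > len(bits):
            raise ValueError("consent string truncated in " + name)
        out[name] = int(bits[pos:pos + width], 2)
        pos += width
    if out["version"] != 1:
        raise ValueError("unsupported consent string version")
    if out["encoding_type"] != 0:
        raise ValueError("range-encoded vendor section not handled here")
    n = out["max_vendor_id"]
    if pos + n > len(bits):
        raise ValueError("vendor bitfield truncated")
    # Bit i, counted from 1 and read left to right, is the flag for ID i.
    out["vendors"] = [i + 1 for i in range(n) if bits[pos + i] == "1"]
    out["purposes"] = [i + 1 for i in range(24)
                       if out["purposes"] >> (23 - i) & 1]
    lang = out["consent_language"]  # two 6-bit letters, A = 0
    out["consent_language"] = chr(65 + (lang >> 6)) + chr(65 + (lang & 63))
    for key in ("created", "last_updated"):  # deciseconds since Unix epoch
        out[key] = datetime.fromtimestamp(out[key] / 10, tz=timezone.utc)
    return out

def build_sample():
    """Constructed string (not a real cookie): purposes 1, 3; vendors 2, 5."""
    values = [1, 15272064000, 15272064000, 99, 1, 1, (4 << 6) | 13, 75,
              0b101 << 21, 8, 0]  # CMP ID 99 and list version 75 are made up
    bits = "".join(f"{v:0{w}b}" for v, (_, w) in zip(values, HEADER))
    bits += "01001000"                 # vendor bitfield for IDs 1..8
    bits += "0" * (-len(bits) % 8)     # pad to a whole number of bytes
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

if __name__ == "__main__":
    print(decode_consent(build_sample()))
```

Comparing the decoded purposes and vendors with the boxes actually ticked in the CMP is a quick check that the stored string reflects the choices made.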
As per the Framework detailed in IAB’s GitHub account: “the OpenRTB request will contain the entire DaisyBit, allowing a vendor to see which other vendors are an approved vendor or a publisher and whether they have obtained consent (and for which purposes) and which have not.”
So what do we think about it?
My colleague Rhys may laugh at my love for all things ‘tech’, but I think it’s pretty cool - and very clever.
I had 2 caveats but more research revealed that IAB solved those already:
I did wonder if this framework meant some publishers would lose control of which vendor their opted-in audience would be shared with. The vendor list is centrally managed by the IAB (latest version available here). However, the “pubvendors.json” setup seems to alleviate some of those concerns by providing a standard way for publishers to publicly declare the vendors that they are working with and their permissions/configurations, essentially whitelisting vendors. There will always be cowboys who disregard pubvendors.json and do whatever they want with the data. But they were doing so pre-GDPR anyway.
The latest version of the framework for web seems to be very reliant on third party cookies (unless the publisher has developed its own CMP and is able to set a first party cookie I guess) so it will be tricky for browsers that have third party cookies disabled by default. I initially thought the IAB framework was cookie only - but no. It works in the app world too with a framework for CMP SDKs to collect and share information on user consent.
My main concern really is whether the whole supply chain is in a position, technologically, to be able to pass the consent string back and forth. It only works if everyone is participating.
So, I was keen to see if anyone had actually implemented it.
Those who implemented the framework:
I have visited A LOT of websites since the 25th May. It turns out the framework hasn’t been widely implemented yet. Considering Google was apparently late to join the party - only publicly confirming its commitment in the week of GDPR enforcement - it’s no surprise the implementation is slow.
I did, however, find a website that launched it before most. The Daily Mail has implemented their own CMP and it’s in the IAB CMP registered list: http://advertisingconsent.eu/iab-europe-transparency-consent-framework-list-of-registered-cmps/.
Upon visiting the website, and consenting completely randomly to purposes and vendors, a new cookie from domain cmp.dmgmediaprivacy.co.uk was dropped on my browser. The name of the cookie, euconsent, is in line with the IAB framework and this is what it looks like:
The ‘content of the cookie’ is the consent-string that represents a compressed version of my ‘consent to purposes and vendors’. I reverse encoded the content-string (a base64url-encoded version of the concatenated cookie value fields’ bits (1s and 0s)) and this is the result I get:
This value is going to be shared with the wider ecosystem, and will mean that I only have my data shared with purposes and vendors I’ve opted-in for.
Still with me?
A big question remains for me, though. Will my consent string make it all the way to the demand side?
Those who didn’t implement the framework
… but are compliant with GDPR
One website I visited has a cookie consent popup as soon as you land on the page for the first time and then a permanent “Cookie Choice” button at the bottom of the page, so very easily accessible.
That popup is a CMP powered by Evidon. It’s very user-friendly and enables you to opt-in/opt-out of specific purposes in bulk (for analytics, personalisation etc.) and opt-in/opt-out of specific vendors.
In the interest of experimentation shown in the example below, I’ve opted out of “Internet-Based Advertising Cookies” (I opted back in after this exercise, of course). Some partners like Adobe cookies are disabled. But I wasn’t able to opt-out of vendors who do not provide a cookie opt-out, or only allow you to opt-out through company:
This is what happened in the background while I was unchecking a few boxes:
I checked the status of the cookie:
As you can see, unlike the DMG cookie, it doesn’t create a euconsent cookie, rather a ba_opt_out cookie. The value of the content field is not a base64url-encoded string. I wonder how it will work with the IAB Consent & Transparency Framework (in particular, how my consent is going to be shared with the ecosystem)? I did see Evidon in the list of IAB registered CMPs, however the domain of the cookie on the IAB list is evidon.mgr.consensu.org (unlike the cookie I’m describing above). I looked for a cookie dropped from the evidon.mgr.consensu.org domain, but so far, I haven’t seen one.
The Many Who Are Still Working on it
I won’t name them, but there’s still a decent number of websites that are displaying a very generic cookie “opt-out” statement. Upon landing on the website, I’ve already opted-in and that opt-in is non-specific.
I don’t blame those publishers though. As I mentioned previously, the IAB Consent & Transparency framework only works if everyone in the supply/demand chain is participating.
A look into what HTTP requests and responses are firing when I’m browsing on UK websites shows that the exchange of consent string within tags is still not generalised.
Let’s see where we are at when the GDPR dust settles and we’re all over our GDPR fatigue.