On September 25th, we held a 2.5-hour long webinar providing a Complete Overview of the IAB Europe Transparency & Consent Framework. As is usually the case, we had many interested attendees who were keen on learning more. While we usually do our best to make these as interactive as possible, we were simply overwhelmed with questions and had to skip over quite a few to be able to remain on schedule. For this reason, we have decided to answer the questions in a series of blogs. This is the fourth and penultimate blog in the series, dealing with questions about the policies of the IAB Europe Transparency & Consent Framework.
The IAB Europe Transparency & Consent Framework’s policies do allow for the gaining of support across multiple publishers, which is called ‘global consent’ in the policies of the Framework. Server-specific (meaning for a particular site) disclosures and consent take priority over global consent. If a user makes a global consent choice first, and then later makes a service-specific choice, the service-specific choice will determine a user’s consent status for that service.
This means that for the second question, the consent that hasn’t been given on the other publisher’s site would take precedence over the first publisher’s site, because it is both more recent and more specific. The Consent Management Provider (CMP) has a duty to resolve any conflicts of this kind.
We believe that in order for processing of personal data to be lawful, the user must know who is processing their data and for what purpose.
The GDPR provides for six co-equal legal bases which are enumerated in Article 6(1). The six legal bases are, in order:
The IAB Europe Transparency & Consent Framework allows users to express their consent, or lack thereof, granularly to (a) the setting of cookies under the rules of the ePrivacy Directive; (b) the processing of their personal data for each of the purposes standardized by the framework; by (c) specific Vendors setting cookies and/or processing personal data. It is therefore significantly more granular than an “all or nothing” approach. defined purposes
The current five data processing purposes are fully defined in the Transparency & Consent Framework Policies, and expanded on in the FAQs document. The descriptions used represent the standardized interpretation of the current processing purposes. These five purposes were defined by IAB Europe in conjunction with our members as part of the launch of the Framework.
As part of a large update to the Transparency & Consent Framework, we are working with our industry partners to define more granular and ‘user-friendly’ purposes.
It is complicated to define where to ‘set the bar’ on gathering of consent, due to different approaches by different data protection authorities in Europe. While the GDPR is clear in what it requires for valid consent (an affirmative action, freely given, specific, and informed), there is still room for interpretation by data protection authorities on what each of these factors requires. An affirmative action may in some markets constitute scrolling down after being served a consent notice, whereas others require an obvious yes/no choice to be presented. Authorities may also have different interpretations of when consent is considered freely given, and what level of granularity is considered specific enough.
Due to these differences, the IAB Europe Transparency & Consent Framework leaves freedom for publishers and their CMPs to interpret how best to adapt their interface to their relevant market(s). In terms of specificity of purposes, the Framework draws a very clear baseline of requiring proper disclosure of the relevant defined purposes.
In future, it is foreseeable that a more precise legal understanding will be developed through interpretations from judicial bodies. An EU-wide understanding is only likely to arise from a judgment at the Court of Justice of the European Union. If a clear standard is developed, then the Framework will be adapted if necessary to uphold this.