GDPR Transparency and Consent Framework

I did some poking around as to what this actually is (and it&#x27;s probably not for the average site).<p>It&#x27;s the specifications for how the IAB (Internet Advertising Board), which consists of of every organization blocked by your ad blocker, would like publishers to gather consent from people landing on their site.<p>It&#x27;s a very optimized setup as who they are targeting using this are the big sites that do Real Time Bidding (RTB) for ad slots on their pages. You land on a site and the js for ads loads, calls out to a real time ad marketplace with your info (IP, cookies) and then preset bids (&quot;I&#x27;ll pay 20c to serve this person an ad for cheese!&quot;) all are evaluated and the highest paying gets served on the site (and the marketplace takes a tiny cut).<p>What this framework does is help add user consent and GDPR readiness into the criteria that can be used in this process. So as a publisher if you&#x27;re trying to meet GDPR requirements you can say: &quot;Only give me ads from places that respect this&quot;.<p>As a consumer, this kind of paves the way to just consent to these things once and then use them all over the web (good for UX). If you&#x27;re just trying to get to grips with GDPR try this Plain English Guide<p><a href="https:&#x2F;&#x2F;blog.varonis.com&#x2F;gdpr-requirements-list-in-plain-english&#x2F;" rel="nofollow">https:&#x2F;&#x2F;blog.varonis.com&#x2F;gdpr-requirements-list-in-plain-eng...</a>

The whole GDPR is an interesting phenomenon. Where I live we had this<p><a href="https:&#x2F;&#x2F;www.cnil.fr&#x2F;fr&#x2F;loi-78-17-du-6-janvier-1978-modifiee" rel="nofollow">https:&#x2F;&#x2F;www.cnil.fr&#x2F;fr&#x2F;loi-78-17-du-6-janvier-1978-modifiee</a><p>since 1978 and I didn&#x27;t see anybody on HN panicking at the thought of doing business with french citizens, although these laws are tougher than GDPR. Remember than the latter is enforced at the country level, it&#x27;s not Europe who is going to fine your business. Which means maybe Czechia will let you fly with whatever you are doing with personal data, and maybe Spain won&#x27;t because they have tougher user data protection laws. My point is GDPR didn&#x27;t create a new legal risk that wasn&#x27;t there before. It&#x27;s just that people here didn&#x27;t care before for some reasons.<p>Now I see all these &quot;GRPR compliant&quot;(whatever that means) seals on different products, but where they even &quot;CNIL compliant&quot; before? Is that framework &quot;CNIL compliant&quot;? How many of you did a declaration to the CNIL before harvesting data from french citizens?

Just in case anyone else is similarly confused and had to check, this is the work of the IAB, which stands in this case for the Interactive Advertising Bureau - not the Internet Architecture Board

If you&#x27;d like an explanation of what this is about, check out the IAPP&#x27;s Privacy Advisor Podcast - March 29 episode interviewing Matthias Matthieson, who heads the IAB. Basically, they realize that tracking things like user consent in the programmatic online advertising space with all the uses and participants accessing and pooling the data will be pretty much impossible unless an agreed protocol is used for doing so within the advertising ecosystem. For a perspective that says GDPR and programmatic advertising as it currently exists using personal data are not compatible, see Johnny Ryan&#x27;s two earlier interviews on the same podcast.