The Bottom Line
- Ad tech companies, and all other businesses subject to the GDPR, are facing an imminent compliance deadline.
- Companies may be able to seek GDPR-compliant solutions through their own internal initiatives, using third-party services or collaborating with others in the industry.
With only a few months to go before the European Union’s General Data Protection Regulation becomes enforceable, the Interactive Advertising Bureau’s Technology Laboratory (IAB Tech Lab) has published an advisory that seeks to explain how ad tech companies can comply with the new rules through a collaborative information sharing process.
Deadline Looming
In April 2016, the European Union (EU) adopted the General Data Protection Regulation (GDPR), which imposes new consumer privacy requirements on companies that collect, use or share consumers’ personal data from the EU — no matter whether the companies are located in the EU or elsewhere.
The primary goal of the GDPR is to give individuals in the EU more control over how the personal information they share online is used, and by whom, than they had under the prior rules. In essence, the GDPR seeks to do that by requiring that individuals specifically “opt in” to consent to the use of their personal information, rather than the “opt out” approach common in the United States.
The EU provided a transition period for companies subject to the GDPR to develop systems and to learn how to comply with the GDPR’s requirements. That transition period is coming to a close, and all companies subject to the GDPR must be in full compliance beginning on May 25, 2018.
The IAB Tech Lab’s Advisory
Now, the IAB Tech Lab has published an “OpenRTB GDPR Advisory.” The advisory specifies how ad tech companies can pass user consent through the OpenRTB protocol during a real-time bidding transaction for advertising inventory. Much in the same way that a COPPA (Children’s Online Privacy Protection Act) signal can be conveyed between parties engaged in an ad call, this new string would convey a signal regarding whether GDPR-compliant consent has been obtained. Such real-time sharing of user consent information among publishers, buyers and data companies would be beneficial to all participants in the online advertising ecosystem.
The advisory concedes that it is “not an authoritative source of information” on the GDPR, and it recommends that all members of the ad tech community become familiar with the GDPR and user consent requirements. This process has not been officially endorsed by EU regulators. Still, the advisory may provide a possible solution for ad tech companies as they seek to finalize their compliance with the GDPR by the May deadline. The IAB Tech Lab’s advisory is a reminder of the importance of finding solutions to meet the consent requirements under the GDPR before that time.