Transparency And Consent Framework Mobile App Spec Ready For Adoption

Today, IAB Tech Lab and IAB Europe released the Transparency and Consent Framework’s Mobile In-app Specifications as a final version ready for widespread industry adoption. No significant changes were made to the specs in the process of finalization. Tech Lab’s GDPR Mobile Subgroup reviewed the specifications and public comments, considering their own implementation strategies in applying the Framework for in-app.

Early adopters of the mobile specs should be sure that their implementation complies with the final mobile in-app specifications and adheres to the Framework policies.

Released for public comment at the same time earlier this quarter, pubvendors.json will also be finalized in the coming weeks. Pubvendors.json provides granular controls to publishers, allowing them to whitelist vendors, addressing publisher liability concerns, and the ability for publishers to express if they support a vendor using Legitimate Interest as a legal basis. For mobile app inventory use of pubvendors.json, please review the Mobile Guidance for Ads.txt out for public comment until July 6th.

The Transparency and Consent Framework has over 350 registered vendors on the Global Vendor List, over 100 registered CMPs (Consent Management Providers), and potentially tens of thousands of publishers. This rapid adoption will be strengthened with the addition of finalized mobile in-app specifications.

General questions on the Framework can be sent to, and technical questions can be sent to

To join the Transparency & Consent Framework, register at:

The Idea That The Transparency & Consent Framework Increases Publisher Liability Is A Red Herring

A recurring theme in the feedback we are getting from the market on the Transparency & Consent Framework (TCF or “the Framework”) is that it increases the degree of legal liability that publishers bear under EU data protection rules, notably by forcing them to assume full liability for actions by third parties that are beyond their control.

In fact, nothing could be further from the truth. The TCF does not create new rules on liability, nor does it alter existing ones. Those rules are regulated by law and by contract, neither of which is affected by the Framework. The GDPR states that controllers are responsible, and therefore liable, for the processing of personal data they control. A controller is also liable for processing done on its behalf by processors under its control, unless the processor acted against the instructions of the controller.

In addition, liability is regulated through other law, such as tort law, and contract law. In many cases companies will contractually stipulate where liability lies – agreeing amongst themselves how to share it out as part of a normal commercial negotiation. Such contracts are typically concluded between publishers and their third-party partners, something that will not change under the GDPR or the TCF.

The Framework allows publishers to provide consumers transparency into the third-party partners they work with, and to obtain and transmit user consent signals to those partners. Indeed, the reason we need these signals is that third parties must comply with the GDPR’s transparency requirements and, where they are leveraging the consent legal basis, must be able to demonstrate that the user has indeed consented. These things are only possible if there is a signal.

For example, if a publisher lets a third party know that it has not provided transparency into on behalf of a third party, and has not obtained consent on behalf of a third party (maybe because the publisher doesn’t work with that third party), and that third party starts processing personal data regardless, the publisher is now able to demonstrate that it has duly informed the third party of all relevant facts allowing blame and liability to be established clearly with the third party that has engaged in unlawful processing despite better knowledge.

If anything, publishers are in a better position implementing the Framework than they were pre-GDPR.  This is because thanks to the audit trail it creates in order to convey information up the delivery chain, the Framework will make it possible to detect what parties were acting without the necessary legal basis, so that liability can be correctly apportioned.

Transparency & Consent Framework – Keeping The Ball Rolling

In this Friday’s weekly webinar on IAB Europe’s GDPR Transparency & Consent Framework, we will be discussing the feedback we have received to date from publishers in the public consultation we launched on 8 March. Since the law and the technology to which it applies are complex, some confusion has arisen in relation to what the Framework actually does (and does not do). The webinar should be a good opportunity to respond to what publishers have already told us, and give you the opportunity to ask any other questions you may have “live”.

Here are some examples of the feedback so far:

1.Publishers would like more control over which third parties receive and are able to process the data, including personal data, of their audiences, or what those third parties are able to do with the data

The Framework currently provides publishers with full control over which third parties – whether technology vendors or other data controllers – are disclosed on their websites, and which third parties the publishers solicit user consent for. The Framework also allows publishers (and their users) to prescribe the purposes for which the approved third parties may process data.  While in Version 1.0 the Framework is limited to controlling whether a given purpose is toggled on or off for all approved vendors, we are actively exploring technical solutions that would enable purpose-by-vendor controls for publishers and users.

2. Publishers are concerned about legal liability in the event of non-compliance by vendors

The Framework does not change rules on liability, which are defined by the law, including the GDPR, and contractual arrangements.  The Framework increases accountability by allowing a publisher to signal relevant information to technology vendors.  These signals create an audit trail that provides readily available evidence for identifying non-compliance and responsibility.

3. Publishers want user consent to be specific.

The version of the Framework put out for consultation foresees four different data processing purposes that websites would disclose – and could offer granular control for – accessing a device (ePrivacy Directive); advertising personalisation; analytics; and content personalisation. The proposed approach is a good-faith attempt to balance the conflicting imperatives of transparency and comprehensibility to the consumer, on the one hand, and ease of use for both publisher and user, on the other.

The Framework does not impose on users a take-it-or-leave it choice to accept or reject all third parties disclosed by the publisher, though some publishers may opt to present users with a take-it-or-leave-it choice.  Version 1.0 of the Framework will allow users to consent to some, all, or none of the data processing purposes disclosed, and to data processing (for those purposes) by some, all, or none of the third parties disclosed.  Moreover, publishers have complete control as to which third parties and which data processing purposes they solicit user consent for.

4. Publishers want to leverage the privileged relationship they have with their audiences

The Framework depends on publishers leveraging their direct relationships with their users to provide transparency and control over the data processing that occurs on their services. Publishers have complete freedom to define the user interfaces on their sites; they may create their own CMPs, or enlist a commercial CMP.  The Framework is deliberately not prescriptive in relation to the look and feel and ownership of the user experience.

The Framework empowers publishers to be more transparent and to offer more controls over the data processing undertaken by various technology providers for various purposes when users access a publisher’s content services, but entrusts publishers with deciding how best to leverage its possibilities.

No publisher-user relationship, whether privileged or otherwise, can exist if the production of content cannot be financed in a way that enables the creation of a compelling proposition for users.  The Framework has been created to enable publishers and the suppliers of other online services to continue to be able to choose how they finance their activities, and to enable users to choose how they access them.

We’ll keep surfacing the most recurrent queries and any misconceptions over the next few weeks.  Above all, we are looking forward to further input from all stakeholders, and an outcome that everyone can converge on as from May.

Legitimate Interest And Consent – Can Both Legal States Be Declared In The Framework?

In our last blog ‘To be or not be’ we presented the duality of the ‘processor’ and ‘controller’ and how the Global Vendor & CMP List (List) could best serve them. Concluding that the primary value of the List is for companies, irrespective of their controller or processor status, to provide transparency into a legal ground for processing personal data and obtain consent in accordance with their own assessment of when that is needed.

This brings us to a second important state of duality that the Framework is tackling – the declaration of the two allowable legal states, under GDPR, of consent and legitimate interest against a purpose.

Participation in the Framework requires that the consent manager provider (CMP) or publisher acting as a CMP must disclose every vendor they wish to work with alongside the purpose and the legal basis of their data processing – they must not signal that consent has been obtained for a vendor and purpose that has not been disclosed to the user. This is not optional but a hard requirement under the policies as well as the law. Publishers who refuse to make disclosures on behalf of a vendor will not be able to work with that vendor under the Framework.

Currently the Framework also supports the disclosure of legitimate interest as a legal basis by a vendor who processes data toward a specific purpose. The publisher or CMP must not attempt to obtain consent for that vendor and purpose combination or make it appear as though a vendor is operating on the basis of consent for that purpose.

When a vendor declares consent as their legal basis against a purpose the publisher or CMP must provide transparency and obtain consent on behalf of the vendor. Therefore, when consent is the legal basis a publisher must pass information about consent (or the lack thereof) to its vendors.

When a vendor declares legitimate interest as their legal basis, it only needs the publisher to provide transparency. Since legitimate interests are claimed, rather than given, no signal about the existence of the legitimate interest is necessary.

BUT currently it is not possible for a publisher or CMP to pass onto a vendor, information that they have provided transparency to the end user that legitimate interest and vendor and purpose is the claimed state for personal data processing. They can only pass to the vendor that they have requested and obtained consent. The only way for a vendor to know that transparency has been provided is when receiving a positive consent signal. If no consent is ‘signalled’ this means that consent has not been given – in the dual world of legitimate interest and consent this could mean that the publisher or CMP have either disclosed a legitimate interest, attempted but failed to obtain consent, or chosen not to work with a vendor. The vendor has no way of knowing which of these cases is causing this transmission and would therefore be conflicted by the signal. However, since under the ePrivacy Directive consent is generally required for storing and/or accessing information on a device, Vendors can rely on their consent status for ePrivacy Directive purposes to infer the remainder of their disclosure status.

However, in future the recently announced Pubvendors.JSON extension to the Framework, which is currently subject to public consultation will address this information transmission conflict by giving publishers a mechanism by which they can inform vendors of the disclosures they have provided on their behalf. As a result, Pubvendors.JSON will allow vendors to declare consent or legitimate interest against purposes provided that they adhere to the Pubvendors.JSON implementation.

Public comment concludes on June 1, 2018. IAB Tech Lab and IAB Europe participants will evaluate and incorporate feedback received and release a final version of each of these specifications. If the dual challenge of legitimate interest and consent resonates with your company then you can adopt the pubvendors.json technology as a beta implementation now, even before the specifications are finalized.

We welcome your feedback  – technical feedback can be sent to and general feedback can be sent to

We look forward to hearing from you.

To Be Or Not To Be

As the adoption of the IAB Europe Transparency & Consent Framework gains momentum we are seeing increasing and exciting levels of engagement from the industry.  Our Friday Webinar series on the Framework is attracting over 300 participants each week – sign-up for the next one here.

After each webinar we have received numerous questions about what was covered during the session. They ranged from detailed technical questions about how the Framework works, to queries about the registration process, cookies, consent policy, legal liability, and the user interface.

One of the common questions is the declaration dilemma of processor and controller and the place for each in the Framework.  Our List of registered vendors does not differentiate between controller and processor namely because for different processing activities vendors may be controllers and/or processors in the same transaction, or between different transactions. Being on the list doesn’t make a representation about a company’s legal status as a controller/processor in a given situation under the GDPR. The primary value of the List is for companies, irrespective of their controller or processor status, to provide transparency and obtain consent in accordance with their own assessment of when that is needed.

As a controller under GDPR companies are responsible to ensure that transparency is provided and a legal basis established where personal data is processed, which makes the value of the List apparent for controllers.

However, even if you are a processor who may not need to provide transparency into a legal ground for processing personal data, because you are acting on the instruction of and under the legal basis of a controller, you may still need to obtain consent for information storage or access under the ePrivacy Directive and therefore can leverage the Framework exclusively to that end.

Therefore: If you are a vendor and consider that you are a processor that does not need to provide transparency as a legal ground for processing personal data, but still like to obtain consent for the placement of cookies, then the declaration of one of five purposes the Framework enables “information storage and access” (described as ‘the storage of information, or access to information that is already stored, on your device such as advertising identifiers, device identifiers, cookies, and similar technologies’) would be the minimum you should consider.

With this thought in mind do not delay in signing up to the Global Vendor List here and join the growing number of vendors (over 130 at the last count) that to date have joined the Framework. This will ensure that you can continue to maintain and work closely with the publishers that you support now and in the future.

Transparency & Consent Framework Specification Launches Global As Industry Participation Increases

We are very pleased to announce the release of the technical specifications for IAB Europe’s Transparency & Consent Framework. This exciting cross-industry initiative will be a critical tool in helping publishers, technology vendors, agencies and advertisers meet the transparency and user choice requirements of the EU’s new General Data Protection Regulation (GDPR) which comes into effect on 25th May 2018.

The Framework will ensure that online services give consumers full visibility and control over who is allowed to process their data in connection with advertising, and for what purposes.

The official release version of this open-source standard reflects extensive feedback from publishers, advertisers, and other important stakeholders who all participated in the final working group review of the following technical specifications:

To support the technical specifications, there is a series of implementation guides for publishers, buyers (DSPs and agencies), CMPs and DMPs:

The technical specifications of the Framework will be maintained by an IAB Tech Lab working group. We will be working continuously with them to update the technical specifications to accommodate any changes in policy as well as feedback from the market. We look forward to hearing from you at

Sign up now

This release swiftly follows our recent announcement that the registration process is now open for both Vendors and Consent Management Providers (CMPs) to apply for approved status in the context of IAB Europe’s Transparency & Consent Framework. Since the announcement, we are seeing an increasing number of Vendors and CMPs registering and gaining approval. For more information about the Framework, including a link to the registration portal for vendors wishing to participate, visit

Join our next Webinar

On Friday 20th April, we had a very successful Webinar with a panel of CMPs demonstrating their consent solution to over 300 participants. You can watch a recording of it here. We will repeat this webinar on Friday 27 April at  8am PDT / 11am EDT / 4pm BST/ 5pm CEST. If you are interested please check for details or register here.

Vendors And Consent Management Providers Are Invited To Register To Participate In IAB Europe’s Transparency And Consent Framework

The registration process is open for Vendors and Consent Management Providers to apply for approved status in the context of IAB Europe’s Transparency and Consent Framework.

The General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, requires a legal basis for processing the personal data of EU residents. While the GDPR offers six possible legal bases, the two that digital publishers, advertisers and those that support them typically find most relevant include consent or legitimate interest. Crucially, publishers must also provide transparency into the list of vendors or partners they decide to work with that may also process their website visitor’s personal data.

IAB Europe’s Transparency and Consent Framework has been created to offer flexibility in terms of various paths towards complying with the law, and providing a standardised means of communicating signals to different parties in real time.

The member registry of vendors and CMPs (known as the List) will facilitate adherence to the Framework policy, provide transparency into the ways companies intend to comply with GDPR requirements, and centralise participants into one well-known location. Publishers can then use the List registry to view which of their partners are a part of the Framework, and determine which vendors to include in the transparency and consent user interfaces they decide to make available on their sites.

Registration is at and there are separate pages for vendors and CMPs to complete the required information.

Once companies have submitted their application and received approval by IAB Europe, they need to pay the annual fee. We will then issue vendors with an ID and publish them in the Framework while CMPs will receive an ID and sub-domain and will be listed on

You can find all the background information you need in the FAQ and on We will also hold an open webinar on Friday, 20 April 17:00 CEST/16:00BST/11:00 EDT/ 08:00 EDT) when our technology and policy experts will be on hand to answer your questions – Register for the webinar: here

Taking Back Control: What’s In It For Publishers

With the public consultation on the first iteration of the Transparency & Consent Framework (the Framework) that closed on April 8, 2018, we are continuing to receive good, actionable feedback from publishers.  A recurrent theme is whether and how the Framework can assist publishers to assert greater control over the delivery of advertising to their sites, and especially of valuable first-party data.  Without getting ahead of ourselves, it seems at least possible that the Framework will provide an opportunity for publishers and ad tech to address a source of tension that has dogged their commercial relationship for over a decade, and reach a more durable modus vivendi.

With the GDPR coming into effect on 25 May 2018, and the current ePrivacy Directive still in force, the regulatory framework alone is already improving publishers’ ability to control which third parties are active on their sites.  The ePrivacy Directive makes consent the primary legal basis for interactions with consumer devices in nearly all EU markets, and the publisher has privileged direct access to the user to obtain that consent.  Consumer information obligations in the GDPR mean that even where the legitimate interest legal basis is used, third parties will rely on publishers to make the necessary disclosures to enable those third parties to process data.  No disclosure, no legal basis.  Publishers and other first parties are the gate-keepers on whom third-party vendors will be completely dependent.

Reinforcing the pivotal position of the publisher

The Framework reflects, and will further reinforce, the pivotal position of the publisher. Publishers will decide what choices are presented to their users – which third parties, processing data for what purpose.  A publisher can ensure that only trusted partners are surfaced, and only for purposes that align to publisher objectives

Where user consent must be obtained, publishers will determine whether users are offered the option of granting global or only service-specific consent to a given vendor to process data for a given purpose.  Publishers also have complete freedom to determine all other aspects of the user interface.  Some publishers will want to build their own consent management platforms. Some will want to hire in a third-party Consent Management Provider.  In either case, the look and feel will be adapted to the requirements and preferences of the publisher.

Publishers are free to unilaterally present additional different purposes in the same UI. However, only the standardised set of purposes can be transmitted through the Framework. As a result, any non-standardised purposes would need to be leveraged and/or transmitted through a means other than the Framework. This flexibility enables publishers, within the same UI, to provide transparency into, and request consent for, purposes in addition to the standardised ones – for example, for their own use, or to work with vendors outside of the online advertising ecosystem.

We’ll have a final wrap on feedback from other key stakeholders next week, as we move toward deployment in mid-April and the opening of the global vendor and CMP registration process.

IAB Europe Releases GDPR Transparency & Consent Framework For Public Comment

IAB Europe today released the draft technical specifications for its GDPR Transparency & Consent Framework (“Framework”) for public comment. First announced in November 2017, the Framework is a cross-industry effort to help publishers, technology vendors, agencies and advertisers meet the transparency and user choice requirements (including consent where necessary) of the GDPR before the regulation comes into effect on May 25 this year. The Framework is a non-commercial, open source initiative. The final version is scheduled for release mid-April, after continued consultation with publishers, advertisers, and other important industry participants.

The GDPR covers a broader scope of “personal data” than the existing EU Data Protection Directive, and companies are expecting to be more constrained in how they can access and process such data for advertising purposes. The Framework is available to companies based in Europe and around the world, and is designed to support various channels and formats, including mobile and desktop environments.

The Framework includes technical specifications that will allow companies and consumers to have greater control over, and dynamic insight into, the parties who access and process the personal data of consumers in the EU. The technical specifications will be maintained by an IAB Tech Lab working group going forward, through a collaboration between IAB Europe and IAB Tech Lab that leverages IAB Europe’s policy and legal expertise and IAB Tech Lab’s technical expertise.

IAB Europe has published the draft specifications for public comment and is working to closely collaborate with key industry stakeholders including publishers, advertisers, agencies, and their important trade organisations. Organisations wishing to meet with stakeholders involved in the framework and provide feedback may do so until April 8, 2018.

Vital information for data protection leads within companies

Data protection officers, IT leaders and other interested individuals within publishers, brands, agencies and technology vendors responsible for their organisation’s GDPR compliance can access the specifications here.

General feedback may be submitted in writing to, and technical feedback may be submitted to Those interested have the opportunity to share further feedback and ask questions by participating in upcoming Q&A Webinars that will be scheduled during March 2018. See the webinar schedule and register here.

A Framework to ensure future growth of the global publishing industry

Advertising accounts for 81.5 percent of revenues for digital publishers (Source: IHS Markit). From May 25, publishers looking to provide a customized online experience including tailored advertising can use the Framework to allow data to be collected and processed lawfully by their partners for advertising and other purposes.

Without the Framework consumers will see less relevant online messages from brands, and brands will see less engagement from consumers. The resulting loss in advertising revenue would impact jobs within the publishing and digital advertising industries, and millions more in related sectors.

Commenting on the Framework, Colin Barlow, Global COO, GroupM said: “The GDPR will bring a number of new requirements to all participants in the digital advertising ecosystem. Such change requires a new shared industry standard, and the IAB Europe Framework offers the best solution to achieving this. GroupM has been consulting with IAB Europe and other members to ensure the framework meets our needs, and so that we can align to its requirements.”

For more information and updates on the proposed solution and its supporters, please visit the dedicated website at