All vendors that publishers work with when surfacing content to the user, including Sell-Side Platforms (SSPs), Exchanges, Demand Side Platform (DSPs), ad servers and data management platforms, need to be disclosed to the user alongside information on the purpose(s) for which they are collecting and processing data and the legal basis or bases for that collection and processing.
- Adhere to the Framework policy;
- Provide transparency to the user into the ways they intend to comply with GDPR requirements – note a vendor need not necessarily be a data controller;
- Be listed in one well-known location, the Global Vendor & CMP List (List). Publishers can then use the List to view the vendors participating in the Framework, hosted at https://vendorlist.consensu.org/vendorlist.json;
Vendors are assigned a vendor ID when they register on the Global Vendor & CMP List (List), with which they can read and interpret information on the consent status of a user and the consent status of a user in relation to other vendors.
FAQs: GLOBAL VENDORS AND THE FRAMEWORK
- “CMP” – a company operating as a consent management platform, that can read and/or set the user’s consent status for the vendors chosen by a website operator, either publisher specific through a first-party cookie, or global through a third-party cookie. A CMP is not necessarily synonymous with a company that surfaces the user interface to a user, although it can be the same.
- “Purposes” – the purposes for which a vendor enabled by a website operator is using personal data collected from, or received by a third-party, about an end user.
- “List” – Global Vendor & CMP List that contains the approved registration and allocation of vendor IDs and CMP sub-domains for global participation in the Framework.
1. Can publishers choose which vendors they wish to work with on the List and disclose to their users and, where necessary, obtain consent for?
Yes, publishers maintain complete control over which vendors they wish to work with. Publishers also choose whether to surface disclosures and obtain service-specific or global consent for their vendors.
2. Who will be included on the List and what are their obligations?
The List will include all vendors that agree to the following:
- Compliance with Framework policies and technical specifications, such as
- Updating their code so that cookies are not set unless they have received a consent signal from a CMP JS API or in the bid request, or unless they have an applicable legal basis to set a cookie.
- Not processing personal data for a purpose that relies on consent until they have received a consent signal directly from a CMP or in any given online request for that purpose. For example, if a vendor receives a bid request and the bid request reveals that the vendor does not have consent to process the personal data contained in that bid request, it may not process any personal data contained in that bid request unless it has another legal basis for doing so.
Vendors may choose not to pass bid requests containing personal data to other vendors who do not have consent. In the event that a bid request containing personal data is passed to a receiving vendor without consent, the vendor that does not have consent is responsible for only acting upon that data if it has another applicable legal basis for doing so.
3. What vendor disclosure will be required through the Global Vendor List?
Vendor registration details can be viewed at https://register.consensu.org/
4. How is the Global Vendor List managed and updated?
- IAB Europe manages and updates the List, consistent with predefined policy.
- When new vendors are added to the List and a publisher chooses to work with them, new disclosures will need to be made to a user and, where necessary, user consent will need to be obtained for those new vendors. They cannot rely on a global consent given to a prior list of vendors.
- Similarly, if a vendor that is already on the List adds a new purpose for which it needs disclosures to be made on its behalf or for which it relies on consent, new disclosures must be made and consent must be obtained for that new purpose.
CONSENT STRING AND GLOBAL VENDOR LIST FORMAT SPEC V1.1
MOBILE IN-APP SPECIFICATION V1.0
IAB Europe Transparency and Consent Framework Implementation Guidelines
Register for our weekly webinars, taking place Fridays at 17:00 CEST.
View the upcoming schedule and register:
The registration process is open for vendors and CMPs to apply for approved status in the context of IAB Europe Transparency & Consent Framework.