
GDPR Transparency and Consent Framework - dbielik
https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework
======
michaelbuckbee
I did some poking around as to what this actually is (and it's probably not
for the average site).

It's the specifications for how the IAB (Internet Advertising Board), which
consists of every organization blocked by your ad blocker, would like
publishers to gather consent from people landing on their site.

It's a very optimized setup, as the ones they are targeting with this are the big
sites that do Real Time Bidding (RTB) for ad slots on their pages. You land on
a site and the js for ads loads, calls out to a real time ad marketplace with
your info (IP, cookies), and then preset bids ("I'll pay 20c to serve this
person an ad for cheese!") are all evaluated and the highest paying one gets
served on the site (and the marketplace takes a tiny cut).

What this framework does is help add user consent and GDPR readiness into the
criteria that can be used in this process. So as a publisher if you're trying
to meet GDPR requirements you can say: "Only give me ads from places that
respect this".

As a consumer, this kind of paves the way to just consent to these things once
and then use them all over the web (good for UX). If you're just trying to get
to grips with GDPR try this Plain English Guide

[https://blog.varonis.com/gdpr-requirements-list-in-plain-eng...](https://blog.varonis.com/gdpr-requirements-list-in-plain-english/)

~~~
forgot-my-pw
Thanks for the link, it's very easy to read. I still have some questions about
data deletion request:

- How will this affect invoices that have to be kept for accounting purposes?
Even if a customer wishes their data to be removed, we should not remove
accounting information.

- How will this affect Internet archives and caches?

It seems removing all traces of a customer can be a very hard thing to do.

~~~
dmitriid
IANAL

If other laws exist that clash with GDPR, those laws take precedence. This
question most often comes up specifically with regards to payments and
finance. If a law requires you to retain payment/accounting information for
three years, you must keep that info for three years, because this is
addressed by a more specific law than GDPR.

~~~
forgot-my-pw
Thank you.

------
nostalgeek
The whole GDPR is an interesting phenomenon. Where I live we had this

[https://www.cnil.fr/fr/loi-78-17-du-6-janvier-1978-modifiee](https://www.cnil.fr/fr/loi-78-17-du-6-janvier-1978-modifiee)

since 1978 and I didn't see anybody on HN panicking at the thought of doing
business with French citizens, although these laws are tougher than GDPR.
Remember that the latter is enforced at the country level; it's not Europe who
is going to fine your business. Which means maybe Czechia will let you fly
with whatever you are doing with personal data, and maybe Spain won't because
they have tougher user data protection laws. My point is GDPR didn't create a
new legal risk that wasn't there before. It's just that people here didn't
care before for some reason.

Now I see all these "GDPR compliant" (whatever that means) seals on different
products, but were they even "CNIL compliant" before? Is that framework "CNIL
compliant"? How many of you did a declaration to the CNIL before harvesting
data from French citizens?

~~~
arez
Maybe nobody cares because nobody got any fines. This could be different
with GDPR. Time will tell how hard they will enforce these rules, but it could
be very harsh and very expensive for some people.

~~~
caffeine5150
Agreed. GDPR replaces the current Directive and the various member state laws
implementing it. GDPR's requirements are (making up a number) 80% or 90%
already required by current laws. It's just that the fines were small. GDPR
allows fines of up to 4% of annual revenue for the corporate group. So that's
why it's getting so much attention. Large multinationals can't afford to
ignore such a fine. The reality is probably that the enforcement authorities
would only be able to hand out so many multi-million dollar fines (and fight
the ensuing battle) at a time. We'll see what enforcement really looks like
over time and that'll indicate how seriously this is all taken.

~~~
Moru
It is companies like Cambridge Analytica, Google and others that caused this
law change. In general the EU countries try to leave the market to develop
on its own without interfering. However, when there is a feeling that the
market is doing the wrong thing, someone feels there needs to be a correction
of ways and then we end up with things like this.

I'm sure someone once said "This is why we can't have nice things".

------
Angostura
Just in case anyone else is similarly confused and had to check, this is the
work of the IAB, which stands in this case for the Interactive Advertising
Bureau - not the Internet Architecture Board

~~~
aeorgnoieang
I'm still confused as to what exactly this is.

~~~
gcb0
iab is the "thing" that somehow standardized banner dimensions and file sizes
in the 90s.

they do have some good standards that focused on user privacy, which are
abandoned by now. mostly they spent the 2000s trying to standardise
hit-the-monkey rich media banners and were widely ignored while google stole all Ad
money by dictating the direction they wanted instead (and thanks to that
period every site in the world snitches on you to google analytics)

now iab is trying to lead how Ads will confirm the publisher secured gdpr
consent. but again google is already on their own thing.

~~~
yeldarb
Google's SVP of Ads & Commerce is on the board of IAB.
[https://www.iab.com/our-story/#board-of-directors](https://www.iab.com/our-story/#board-of-directors)

~~~
gcb0
not trying to sound like an ass, but that means nothing. Every company selling
ads is on that list.

Whether the company follows standards or not is another story.

On the other hand, one of my clients dropped the membership (cutting all
expenses on the quarters pre-IPO/Sale so the numbers looked better) and was
still leading one of the standards even without the name on this list.

------
caffeine5150
If you'd like an explanation of what this is about, check out the IAPP's
Privacy Advisor Podcast - March 29 episode interviewing Matthias Matthieson,
who heads the IAB. Basically, they realize that tracking things like user
consent in the programmatic online advertising space with all the uses and
participants accessing and pooling the data will be pretty much impossible
unless an agreed protocol is used for doing so within the advertising
ecosystem. For a perspective that says GDPR and programmatic advertising as it
currently exists using personal data are not compatible, see Johnny Ryan's two
earlier interviews on the same podcast.

