An important aspect of GDPR is the acquisition and conveyance of user consent over how their personal data may be used (i.e., “purposes”) and by whom (i.e., “companies”). By default, consent is not granted and users must explicitly opt-in with an option of doing so at a very granular level (i.e., by company by purpose if desired). IAB Europe is leading an industry consortium to define these purposes as they are not explicitly stated in the GDPR.
This effort has also led to an industry standard method of defining and encoding user consent, recently released in draft form. With respect to impact on the OpenRTB protocol, we can assume that all details of user consent in the context of a given ad opportunity will be encoded into a string known simply as the “consent string” which must be conveyed throughout the transaction along with a signal that GDPR regulations are in effect, which may carry additional responsibilities beyond that of user consent.
We defer to the IAB Europe led design for GDPR consent acquisition and encoding and stipulate that this will evolve into an IAB standard. This advisory, therefore, focuses on how active versions of OpenRTB will signal GDPR applicability and convey the consent string, which is treated as a single unit of data to be conveyed throughout a real-time bidding transaction. Production and consumption of this consent string is beyond the scope of OpenRTB and this advisory. Furthermore, this advisory is not an authoritative source of information on GDPR. Ad-tech practitioners are strongly encouraged to become familiar with GDPR and user consent in order to determine the impact on their platforms and businesses.