Collecting Consent from End-users
To properly collect consent from end-users, the following information needs to be presented to the data subject in a clear and understandable manner:
- Identity of the data controller and its contact information
- The purpose of the data processing
- The duration of the data processing
- The rights of the data subject
- Consent needs to be actively given, it cannot be set by default
Consent Management Platforms
We recommend the use of a registered Consent Management Platform (CMP) to collect and manage consent from website visitors. A CMP integrates with BidTheatre and the rest of the advertising ecosystem to signal consent in a uniform manner. There is currently a lot of activity in the industry around CMP's, and we expect adequate and free CMP's to be available soon.
Read more about CMP's here: http://advertisingconsent.eu
IAB Europe GDPR Implementation Working Group Working Paper on Consent
We recommend IAB Europe GDPR Implementation Working Group's working paper on consent for more information: https://www.iabeurope.eu/policy/gig-working-paper-on-gdpr-consent/
From this paper we'd like to highlight a few conclusions:
Listing names or processors
"The GDPR does not require that consent requests list the names of processors which will process the data on behalf of a controller. The processor can do so on the basis of the consent granted to its controller"
Advertisers are not required to explicitly list BidTheatre as a processor for the purpose of attributing ad effectiveness or do retargeting (purpose 1 & 2).
Publishers are not required to explicitly list BidTheatre as a processor for the purpose of selling ad inventory programmatically via an SSP (purpose 4).
However, for the purposes of performing user syncing between SSP and DSP (purpose 5), or targeting ads based on recorded personal data (purpose 6), publishers will need to name BidTheatre explicitly, since BidTheatre acts as a controller of the personal data handled.
Making Service Conditional on Consent
"Importantly, the GDPR does not establish a prohibition on making access to a service conditional on consent, although it requires a context specific assessment. The ePrivacy Directive clarifies that access to 'website content may still be made conditional on the well-informed acceptance of cookies' and use of similar tracking technologies. As a result, digital services, such as websites or apps are generally permitted to require users to consent to the collection their personal data through cookies or similar technologies before allowing them to use a service"
"IAB Europe’s position is that, when read together, the GDPR and ePrivacy Directive clearly allow private businesses to deny access to users who do not consent to data processing. Publishers are free to decide themselves which methods of obtaining consent fit best with their respective business models, including whether access to their service should be conditional on such consent and/or whether user experiences should vary depending on the user’s choices."
Requesting Consent "en bloc"
"This means that, where appropriate, a controller could request and obtain consent for a number of purposes en bloc without offering the data subject the possibility to agree only to a subset of those purposes."
Scope of Consent
"Consent can be obtained by a first party on behalf of themselves and their partners (and partners’ partners) on a 'service-specific' or 'global' basis"
"The Article 29 Working Party has endorsed the principle of global consent on the basis that it will provide a better user experience. Specifically, in their view, for an average user, the number of consent requests will decrease over time as the user navigates and expresses their consent on the internet..."
"Consent is valid as long as the processing of personal data is necessary to fulfil its purpose or until the data subject withdraws consent"