- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Wed, 16 Jan 2019 22:28:25 +0000
- To: Eva Schlehahn <uld67@datenschutzzentrum.de>
- Cc: public-dpvcg@w3.org
- Message-ID: <43008175-cfaa-22ba-cc93-e09a8a1444f0@harshp.com>
Hi Eva,

I'm sharing here my notes about IAB. The official link to their consent representation is
https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/a32574941ce201708e30e78702278efe1ce6cd59/Consent%20string%20and%20vendor%20list%20formats%20v1.1%20Final.md

Main items of interest in that are their list of purposes (5) and something called features (3), and the way they register 'vendors', which can be either Controllers or Processors.

IAB Consent String

Interactive Advertising Bureau (IAB) is an industry association that develops standards for the digital advertising industry. IAB provides an open-standard framework for the management of consent called Transparency and Control Framework (TCF). The TCF has its own terminology distinct from that of the GDPR, such as:

* 'vendors' - third parties with access to the user's device or data, but not necessarily Data Controllers
* 'CMP' Consent Management Provider - provides consent management between websites and vendors

consent string:

* In TCF, obtained consent is represented using a standardised binary representation known as the 'consent string' and is distributed to vendors using a real-time bidding mechanism known as 'daisybit'.
* IAB maintains a list of approved/registered vendors and CMPs.
* IAB maintains a list of 'standard' purposes used for consent, of which there are currently 5.
* The metadata stored within the consent string reflects information such as when it was updated, the compression scheme of the data, and the version of the vendor list it uses.
* The list of purposes and vendors the consent is given for is represented by set bits in a binary string.
* After the interaction between an end user and the Consent Manager Provider (CMP) UI, the consent info is stored (for example, as a third-party cookie) in the user's browser. The data in the consent string answers the question: "Which vendors and purposes did the user give consent for?"
compliance:

* An audit of the given consent can be presented using the consent string, which contains the recorded timestamp of last update, cmpid (which CMP), cmpversion (which version of CMP), consent screen (screen number in CMP), consent language, vendorlistversion, and the list of (approved) purposes and vendors.
* Where should a CMP store the user consent information for long-term storage?
  o Cookies
    + pros: Easy to use and cheap; fast and provide a good user experience
    + cons: Short-lived; cannot be used as proof of consent; third-party cookies might be blocked by browsers, so web-wide consent can be hard to implement
  o Server-side storage
    + pros: Long-lived; can be used as proof of consent
    + cons: Can be slow (use cookies/local storage as client-side cache); requires a long-term ID (cookie ID or email or similar user ID)
  o You'll usually want to go with a combination of server-side storage, for being able to store consent for a long time and share it across websites/apps, and client-side storage like cookies or shared preferences for a local, fast-to-access cache.
  o A third-party cookie is not a long-term solution to auditable, permanent, user-keyed consent storage, and does not work today for browsers that block 3rd-party cookies or for mobile apps. CMPs should work towards standardizing a more future-looking server-side consent retrieval mechanism as well, and can use this cookie as "consent caching" for that future implementation.
* revoking consent
  o The IAB Europe Framework only expresses user consent at a given point in time.
  o A state change (for example, revoked consent) can be determined by comparing user consent records. (no information on what this means or how to do this)
  o The Framework does not deal with other GDPR rights like portability, the right to be forgotten, etc.
  o Signals sent through the IAB Europe framework should only indicate what the user status is at the time of the signal creation and nothing else.
  o The CMPs and vendors should deal with other GDPR rights separately and on their own for now.

Regards,
Harsh

On 08/01/2019 15:21, Data Privacy Vocabularies and Controls Community Group Issue Tracker wrote:
> dpvcg-ACTION-58: Look at iab europe consent framework
>
> https://www.w3.org/community/dpvcg/track/actions/58
>
> Assigned to: Eva Schlehahn

---
Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin
Received on Wednesday, 16 January 2019 22:33:37 UTC
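An added worked example, not part of Harsh's message and not IAB's own code: a small Python encoder and decoder for the v1.1 consent string layout the notes describe (version, created and last-updated timestamps, cmpid, cmpversion, consent screen, language, vendor list version, a 24-bit purpose bit field, then either a vendor bit field or a range section), followed by the record comparison the notes mention under 'revoking consent'. Field widths follow the linked v1.1 format document; the encoder only emits single-ID range entries while the decoder handles full start/end ranges; the sample records and their values are constructed. The point the notes make about cookies not being proof of consent is visible in the code: the string is plain base64 over a bit field with no signature or MAC, so the decoder can reject a truncated or unknown-version string but has no way to tell a CMP-issued one from one the holder edited.

```python
import base64
from dataclasses import dataclass, replace

@dataclass
class ConsentRecord:
    version: int
    created: int               # deciseconds since the Unix epoch
    last_updated: int
    cmp_id: int
    cmp_version: int
    consent_screen: int
    consent_language: str      # two letters, e.g. "EN"
    vendor_list_version: int
    purposes: set              # 1-based purpose IDs the user consented to
    max_vendor_id: int
    vendors: set               # vendor IDs the user consented to

# Fixed header of the v1.1 string: (field, width in bits) in wire order.
HEADER = [("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
          ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
          ("vendor_list_version", 12), ("purposes_allowed", 24),
          ("max_vendor_id", 16), ("encoding_type", 1)]

def encode(rec, use_range=False):
    bits = []

    def put(value, width):
        if value < 0 or value >> width:
            raise ValueError(f"value {value} does not fit in {width} bits")
        bits.append(format(value, f"0{width}b"))

    purposes = 0
    for p in rec.purposes:                 # bit 1 (most significant) is purpose 1
        purposes |= 1 << (24 - p)
    a, b = rec.consent_language.upper()    # letters as 6-bit values, 'A' = 0
    values = {**vars(rec), "consent_language": ((ord(a) - 65) << 6) | (ord(b) - 65),
              "purposes_allowed": purposes, "encoding_type": 1 if use_range else 0}
    for name, width in HEADER:
        put(values[name], width)
    if use_range:                          # range section, one single-ID entry per vendor
        put(0, 1)                          # DefaultConsent = 0: listed IDs have consent
        put(len(rec.vendors), 12)
        for v in sorted(rec.vendors):
            put(0, 1)                      # 0 = single ID (1 would be a start/end range)
            put(v, 16)
    else:                                  # bit field: one bit per ID, 1..max_vendor_id
        bits.append("".join("1" if v in rec.vendors else "0"
                            for v in range(1, rec.max_vendor_id + 1)))
    s = "".join(bits)
    s += "0" * (-len(s) % 8)               # pad to whole bytes
    raw = int(s, 2).to_bytes(len(s) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")   # web-safe, unpadded

def decode(consent_string):
    """Parse a consent string; rejects truncation and unknown versions, nothing more."""
    raw = base64.urlsafe_b64decode(consent_string + "=" * (-len(consent_string) % 4))
    bits = "".join(format(byte, "08b") for byte in raw)
    pos = 0

    def take(width):
        nonlocal pos
        if pos + width > len(bits):
            raise ValueError("truncated consent string")
        value = int(bits[pos:pos + width], 2)
        pos += width
        return value

    h = {name: take(width) for name, width in HEADER}
    if h["version"] != 1:
        raise ValueError(f"unsupported consent string version {h['version']}")
    purposes = {p for p in range(1, 25) if (h["purposes_allowed"] >> (24 - p)) & 1}
    max_id = h["max_vendor_id"]
    if h["encoding_type"] == 0:
        vendors = {v for v in range(1, max_id + 1) if take(1)}
    else:
        default_consent = take(1)
        listed = set()
        for _ in range(take(12)):
            if take(1):                    # 1 = inclusive start/end range
                start, end = take(16), take(16)
                listed.update(range(start, end + 1))
            else:
                listed.add(take(16))
        listed = {v for v in listed if 1 <= v <= max_id}   # ignore out-of-range IDs
        vendors = set(range(1, max_id + 1)) - listed if default_consent else listed
    lang = h["consent_language"]
    h["consent_language"] = chr(65 + (lang >> 6)) + chr(65 + (lang & 0x3F))
    fields = {k: h[k] for k in ConsentRecord.__dataclass_fields__ if k in h}
    return ConsentRecord(purposes=purposes, vendors=vendors, **fields)

def withdrawn(old, new):
    """Consent present in `old` but absent from `new`: each string is only a snapshot."""
    return {"purposes": old.purposes - new.purposes, "vendors": old.vendors - new.vendors}

# Constructed sample records (not from any real CMP): an initial consent, and a
# later snapshot in which the user kept only purpose 1 and vendor 8.
SAMPLE = ConsentRecord(version=1, created=15476777050, last_updated=15476777050,
                       cmp_id=7, cmp_version=1, consent_screen=1, consent_language="EN",
                       vendor_list_version=98, purposes={1, 2, 3}, max_vendor_id=100,
                       vendors={8, 9, 36, 100})
LATER = replace(SAMPLE, last_updated=15476800000, purposes={1}, vendors={8})
```

`decode(encode(SAMPLE))` round-trips the record; `withdrawn(SAMPLE, LATER)` reports purposes 2 and 3 and vendors 9, 36 and 100 as withdrawn, which is the "comparing user consent records" step the notes leave unspecified. Because `encode` is deterministic and unauthenticated, anyone holding the cookie can produce a string that `decode` (or a vendor's real parser) accepts, which is why the notes treat the cookie as a cache rather than as evidence.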