What pitfalls does the GDPR consent management tool present for website owners?

, Articles

It has been almost a year since the General Data Protection Regulation (GDPR) came into force. The regulation applies to everyone who collects or processes personal data of individuals within the EU.

What pitfalls does the GDPR consent management tool present for website owners?

Websites use visitor data to do things such as analyze behavior or personalize ads in third-party environments. According to Czech legislation, if a visitor allows a website to store cookies in the visitor’s browser, this qualifies as consent to the processing of personal data. Thus, browsers mediate consent. This means that website visitors don’t have the option to control which ad sources and entities obtain their data. There may be up to hundreds of such sources and entities in the ad chain.

IAB Europe, therefore, came up with a consent management tool called a Consent Management Provider (CMP), which is increasingly promoted to and demanded by global players on the ad market. A CMP is a framework that standardizes requests of publishers and other online service providers for “informed” consent from website visitors. In praxis, this means that when visitors arrive at a website, in addition to getting information about data processing, they also get a list of as many as several hundred data processors. This list also includes the purpose of the data use, which visitors will allow or forbid. The results of internal testing done by R2B2 show that more than 75% of visitors give full consent. This consent is automatically forwarded to the ad chain for future visits. However, according to the tests, publishers don’t obtain consent information from the CMP until after a few seconds have passed. The same delay occurs each time the visitors arrive at the site again, even though they have already given their consent. Today, when there is constant pressure to load web pages as quickly as possible, when even publishers themselves are deploying new ad servers to quickly load ads, this can pose a significant problem.

The cause of this problem lies in the CMP. All data processors that are in the ad chain and request “informed” consent must also be in the IAB database. From there they are copied to the previously mentioned data management option by website visitors. This process works via an API, whose slowness is one potential pitfall. Another appears to be the location of the CMP call in the website code. Ideally, it should be the first script called when loading the page in the CMP framework, otherwise, there can be additional delays that may affect how the ad is displayed. Without consent information, targeted ads musn’t be displayed, which leaves publishers to choose between two options. Either they can display the ads quickly, as is customary, but the ads won’t be targeted, or they can wait for information from the CMP and display targeted ads that are more profitable for them. In the latter case, however, one must count on a several-second delay, as tests have shown. In both scenarios, all sides of the ad chain can lose out. Visitors aren’t shown relevant ads and advertisers aren’t able to deliver targeted ads in the space, thus publishers can lose both money and visitors.

If the results of the testing done by R2B2 accurately reflect the actual status of the current CMP, then the entire ad system could return to how it was a few years ago. Thus, the entire process needs to be fine-tuned so that consent information is available for entities in the ad chain in the shortest amount of time possible—in no more than a few hundred milliseconds. Both the IAB and individual publishers could influence the speed through their implementation of a CMP.

Lukáš Alexandr, Head of Technical Development, R2B2