OpenRTB Advisory – GDPR

Background on GDPR

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give greater control to EU citizens and residents over their personal data. The regulation was adopted in April 2016 and becomes enforceable from May 25, 2018 after a two-year transition period.

An important aspect of GDPR is the acquisition and conveyance of users' consent over how their personal data may be used (i.e., “purposes”) and by whom (i.e., “companies”). By default, consent is not granted and users must explicitly opt in, with the option of doing so at a very granular level (i.e., by company and by purpose if desired). IAB Europe is leading an industry consortium to define these purposes, as they are not explicitly stated in the GDPR.

This effort has also led to an industry-standard method of defining and encoding user consent, recently released in draft form. With respect to impact on the OpenRTB protocol, we can assume that all details of user consent in the context of a given ad opportunity will be encoded into a string known simply as the “consent string”. This string must be conveyed throughout the transaction along with a signal that GDPR regulations are in effect, a condition that may carry additional responsibilities beyond that of user consent.

Please refer to the “Additional Resources” section for links to more detailed information about the IAB Europe consent management standard, for the structure and functional interpretation of the consent string, and for GDPR in general.


OpenRTB Specification Versions

As of the writing of this advisory, the current version of OpenRTB is v2.5. Earlier v2.x versions are also in wide use. The original OpenRTB v1.0 Mobile is old enough and in such minimal use as to be considered deprecated.

Under a broader IAB OpenMedia initiative estimated to release in 2Q 2018, OpenRTB v3.0 is currently in development along with a new specification called AdCOM (Advertising Common Object Model). The new specification structure will provide a clear separation of layers. OpenRTB v3.0 will specify the transaction layer, which includes those aspects related specifically to buying and selling. AdCOM will specify the domain layer, which includes aspects related to impressions, ads, and other contextual objects. The two specifications will combine at runtime to form the familiar OpenRTB artifacts.

Document Purpose & Scope

We defer to the IAB Europe-led design for GDPR consent acquisition and encoding and stipulate that this will evolve into an IAB standard. This advisory, therefore, focuses on how active versions of OpenRTB will signal GDPR applicability and convey the consent string, which is treated as a single unit of data to be conveyed throughout a real-time bidding transaction. Production and consumption of this consent string are beyond the scope of OpenRTB and this advisory. Furthermore, this advisory is not an authoritative source of information on GDPR. Ad-tech practitioners are strongly encouraged to become familiar with GDPR and user consent in order to determine the impact on their platforms and businesses.

Additional Resources

Primary IAB Tech Lab Contact for OpenRTB Advisory – GDPR
Jennifer Derke, Director of Product, Programmatic