GDPR – Guide for publishers

With IAB's recent changes to the consent framework for GDPR, Sortable is transitioning publishers using our hosted CMP to a hosted Quantcast CMP. This and other articles will be updated in coming weeks to reflect these changes.

On May 25, 2018, the GDPR (General Data Protection Regulation) came into effect, requiring all organisations working with the personal data of EEA citizens to be compliant with the regulation. This guide outlines how a publisher can work with Sortable to be GDPR compliant.

Updated Terms of Service

Many partners, including Sortable, provided updated terms and privacy policies in advance of GDPR.

Part of Sortable's updated Terms of Service require the publisher to gather consent from end users concerning what data is collected and how. The Consent section of this document has some suggestions on how to do this.

If you choose to decline the updated terms, there will be significant impact to revenue for EEA users. Without explicit user consent, in most cases we will not be able to deliver ads.

Consent

At a minimum, the GDPR requires that consent meets these standards:

  • Users must be aware of the identity of the controllers and the purposes of the processing.
    • This means identifying each ad partner used on a site.
    • This also involves identifying the ad technology vendors used by each ad partner.
    • The purposes typically include collection of data and use of cookies for ad personalization and measurement.
  • Users must explicitly opt-in and have the option to refuse or withdraw consent.
  • Controllers can demonstrate that the user has consented.

Note: Under the GDPR, children under 16 cannot give consent.

The IAB has created a standard that meets these requirement and passes consent data along to partners participating in the advertising auctions. The standard defines how a Consent Management Platform (CMP) functions to collect consent from end users. Although Google has promised support for future versions of this standard, we provide recommendations for how to collect the consent needed to show Google personalized ads using the current IAB framework (version 1.1).

Desktop and mobile web

There are several ways that a publisher can choose to manage user consent under GDPR.

Desktop and mobile web consent options1. Sortable-hosted CMP2. Quantcast CMP3. Other IAB CMP4. No IAB CMP5. No ads
Revenue impactLowLowLowMediumHigh
Integration effortLowMediumMediumHighLow
UX impactMediumMediumMediumHighLow

Sortable product support

Sortable Hosted

YesYesYesNoYes

Sortable Select

YesYesYesYes, non-personalized adsYes

Advertising partner support

Google

Includes custom purpose for Google personalized ads

Newer versions of Quantcast CMP support custom purpose for Google personalized ads

Requires setup of custom purpose ID to serve Google personalized ads

Publisher manages Google consent and type of ads displayed

N/A

Header bidders

IAB consent string is passed through to header biddersN/A

Server-to-server connections

IAB consent string is passed through to SSPs/DSPsN/A

1. Sortable-hosted CMP

One of the easiest solutions is to opt in to using Sortable-hosted CMP. The Sortable CMP is automatically loaded for EEA users and prompts for consent. It also collects the consent needed to show Google personalized ads.

Configuring Option 1

Let Sortable know that you wish to use Sortable’s hosted CMP.

Sortable strongly advises providing a link on your site for a user to review and revoke consent after the initial pop-up has been closed. Instructions on how to implement this link can be found in our integration guide.

2. Quantcast Choice CMP

Sortable supports integrating with newer versions of the Quantcast Choice CMP which include a custom solution for obtaining consent for Google personalized ads. Quantcast Choice is an IAB-compatible CMP,  so Sortable queries the CMP for consent and passes it to header bidder and server-to-server (S2S) partners.

Configuring Option 2

Let Sortable know that you wish to use the Quantcast Choice CMP, and confirm that your implemented version supports obtaining consent for Google personalized ads. 

3. Other IAB-compliant CMP

Sortable supports integrating with other third-party IAB-compliant CMPs. Sortable queries the CMP for consent and passes it on to header bidder and server-to-server (S2S) partners.

Configuring Option 3

Let Sortable know which IAB-compliant CMP you wish to use. 

Provide the ID and description of the custom purpose you are using for Google consent, if you would like Sortable to manage Google's publisher tags configuration.

Since Google is not a registered IAB global vendor, you need a way to gather consent for Google so that personalized ads may be served.

Option 3a: Publisher purpose for Google personalized ads

Set up your CMP with a custom purpose that, when accepted by end users, allows Google to serve personalized ads. This is the approach that the Sortable-hosted CMP uses to collect the consent needed for personalized ads delivery.

If you would like Sortable to manage Google's publisher tags configuration and the delivery of personalized or non-personalized ads dependent on user consent, provide the ID of Google's custom purpose defined in your CMP. Sortable's behaviour will be the same as with our hosted CMP.

Option 3b: Custom consent for Google personalized ads

In this configuration, the publisher manages gathering consent for Google and configuring Google Ad Manager to display personalized ads in the appropriate context. See Google's guide on how to configure ad personalization settings in Google’s publisher ad tags.

Note: This option is only available for Sortable Select customers.

4. No IAB-compliant CMP

This option is only available for Sortable Select customers and is not recommended.

In this configuration, the publisher manages gathering consent for Google and other vendors. The publisher is responsible for meeting the minimum requirements for consent gathering under the GDPR. Header bidding and server-to-server connections may proceed with limited support due to lack of valid consent.

Configuring Option 4

Let Sortable know that you wish to proceed without an IAB-compliant CMP.

5. No ads

Although not recommended, Sortable can prevent ads from serving in the EEA. This can provide you with more time to investigate other strategies.

Configuring Option 5

Let Sortable know that you wish to prevent serving ads to users from the EEA.

Questions?

If you have any questions about Sortable’s approach to GDPR, please contact GDPRquestions@sortable.com.