The IABEU's Consent & Transparency Framework fails to meet increasing demand for a Universal Consent API

The IABEU's Consent & Transparency Framework fails to meet increasing demand for a Universal Consent API

The Charter of the the W3C Tracking Protection Working Group (TPWG) has expired, and the WG shut down, after publishing the  Do-Not-Track technical document as a 'Note'.

As the Note's introduction says, there has been very little attempt by browser companies to implement the necessary Consent API, and the publishing/advertiser/adtech ecosystem has refused to respect the signal:

"Since its last publication as a Candidate Recommendation, there has not been sufficient deployment of these extensions (as defined) to justify further advancement, nor have there been indications of planned support among user agents, third parties, and the ecosystem at large. The working group has therefore decided to conclude its work and republish the final product as this Note, with any future addendums to be published separately."

This is in spite of there being requirements in European law for a browser based consent signal (Recital 66 of the 2009 ePrivacy Directive, A21.5 of the GDPR, A10 of the EP's agreed draft of the ePrivacy Regulation etc.), as well as 100s of millions of web users still expecting that the DNT setting, supported in its "general preference" form by all major browsers, should mean something. While thousands of websites, client-side consent platforms and browser extensions did implement at least some aspects of the protocol, the leadership team and the major US companies that finance and dominate the W3C did not consider this sufficient to allow the group to continue its work.

While the AdTech industry has introduced a cookie based Consent and Transparency Framework (CTF),this does not have the cross-domain signalling capability or the domain (and controller) transparency of DNT. Connectivity on the web is built around Urls i.e. domain origins, while consent under the CTF is given to IABEU administered "Vendor Ids", with no association between embedded domains and the actual companies that control them.

For example the website of The Sun, a highly popular UK newspaper, cookies are placed by hundreds of third-party domains in contravention of the law.

Website of The Sun showing 200+ third-party domains

On arrival, before any interaction with the site, there were 706 UID (i.e. tracking) cookies across 230 web domains, managed by servers belonging to hundreds of companies.

A list of the 706 cookies placed in 230 domains

The Sun's website supports the IABEU's CTF which uses a cookie to record the user's cookie preferences, and someone with technical skills can use the CTF's API to decode this cookie. It contains an obscure value (BOXg-b_OXg-b_AcABBENB3-AAAAid5_PXbnCJ4Th1P51NkQjACqACIACwAQAAsIAAEICAAgBCIEAQBIAgQAAAIZAQABwRAhAGgARQCiCsG-VOg995t__3ziTEA), which in fact indicates that all possible 551 IAB vendors (i.e. AdTech companies) claims to have been given user consent, which of course cannot be true as the user has not interacted with the site before.  This is the case even if all the cookies in the context are deleted immediately before visiting the site.

The "vendorConsents" array is a list of boolean values ("true" or "false") which indicates the consent assumed by AdTech vendors ordered by their "VendorID". 

shows callback from CMP getVendorConsentsShowing all the consent indicating bits are set on first visit

There is no way using the CTF to find out what companies are using cookies to collect data on a particular site. A technically knowledgable user could perhaps use their browser to see the domain names that are present, and if cookies are placed in them, but these domain names are usually obscure (for example how would a user know that the domain "" belonged to Google?). The IABEU publishes a list of the AdTech companies that have registered with the framework, but this does not contain the thousands of "third-party" domain names that they use.

example of VendorList not including domains

In contrast the DNT protocol already has a simple way to associate the names of companies (and their privacy or cookie policies) with the domain names found embedded on a site, via a JSON resource that must be present on every domain whose server needs to obtain consent, while its Consent API records when the user gives explicit consent to specific domains, in line with standard web platform practices. The security and privacy architecture of the web is built on the separation between "domain origins" (the Same Origin Policy), respected by DNT but not by the CTF.

So while not offering people any built-in way to find out who owns the hundreds of third-party domains embedded on most publisher's sites, the IABEU framework simultaneously has no ability to signal site-specific consent which is actually implemetable by providers. Because it has not been forged within a multi-stakeholder publicly accessible standards process, and has such a poor technical underpinning, almost all its existing implementations offer user-unfriendly interfaces that conflict with legal requirements such as that the tools should actually stop tracking or illicit storage access (i.e not merely be a confusing "smokescreen" where tracking is ever present), that non-exempted storage should not be accessed till the user has given their consent, and that it is as easy to withdraw consent as to give it. (required by A7 of the GDPR)

The intrinsic complexity and lack of transparency in the CTF lends itself to companies that that want to defy and ultimately undermine European data protection and privacy law. This is shown by the almost complete failure by the publishing ecosystem to ensure that no access to storage for tracking purposes is allowed until users have freely given their specific and informed consent.

But the requirement for a universal consent signal is still there, and it is now possible that a new standards track will emerge tying in the legal, moral and common sense need to obtain explicit consent with the capability of new security and privacy enabling APIs, from both the W3C standards process and new features directly from the browsers such as Safari's and Firefox's Intelligent Tracking Protection, to enforce the users choice within the browser by stopping the means to track.

Although the percentage of HTTP requests with DNT set returned to over 10% earlier this year, it is still close to 8% - as measured across thousands of European consumer brand sites.

DNT usage

Check out our other blog posts