Just in case anyone else is similarly confused and had to check, this is the work of the IAB, which stands in this case for the Interactive Advertising Bureau - not the Internet Architecture Board
iab is the "thing" that somehow standardized banner dimensions and file sizes in the 90s.
they do have some good standards, that focused on user privacy, which are abandoned by now. mostly they spend the 2000s trying to standardise hit-the-monkey rich media banners and were widely ignored while google stole all Ad money by dictating the direction they wanted instead (and thanks to that period every site in the world snitch you to google analytics)
now iab is trying to lead how Ads will confirm the publisher secured gdpr consent. but again google is already on their own thing.
not trying to sound like an ass, but that means nothing. Every company selling ad is on that list.
If the company follows standards or not, is another history.
On the other hand, one of my clients dropped the membership (cutting all expenses on the quarters pre-IPO/Sale so the numbers looked better) and was still leading one of the standards even without the name on this list.
I did some poking around as to what this actually is (and it's probably not for the average site).
It's the specifications for how the IAB (Internet Advertising Board), which consists of of every organization blocked by your ad blocker, would like publishers to gather consent from people landing on their site.
It's a very optimized setup as who they are targeting using this are the big sites that do Real Time Bidding (RTB) for ad slots on their pages. You land on a site and the js for ads loads, calls out to a real time ad marketplace with your info (IP, cookies) and then preset bids ("I'll pay 20c to serve this person an ad for cheese!") all are evaluated and the highest paying gets served on the site (and the marketplace takes a tiny cut).
What this framework does is help add user consent and GDPR readiness into the criteria that can be used in this process. So as a publisher if you're trying to meet GDPR requirements you can say: "Only give me ads from places that respect this".
As a consumer, this kind of paves the way to just consent to these things once and then use them all over the web (good for UX). If you're just trying to get to grips with GDPR try this Plain English Guide
Thanks for the link, it's very easy to read. I still have some questions about data deletion request:
- How will this affect invoices that have to be kept for accounting purposes? Even if a customer wishes their data to be removed, we should not remove accounting information.
- How will this affect Internet archives and caches?
It seems removing all traces of a customer can be a very hard thing to do.
If other laws exist that clash with GDPR, those laws take precedence. This question most often comes up specifically with regards to payments and finance. If a law requires you to retain payment/accounting information for three years, you must keep that info for three years, because this is addressed by a more specific law than GDPR.
1. If you're legally obligated to keep information, you should keep it. This is one of the "legal bases" of handling personal data. Others are things like they consented to this, you have a legitimate business activity with it, they contracted you to do something with it, etc.
2. The GDPR makes a really clear distinction between personal information (email, name, religion, etc.) and everything else: you need to delete the personal information.
So it's not necessary to do a cascading delete of everything the user ever created if they ask for their _personal_ information to be removed.
This isn't really GDPR related, but you can see this on Reddit sometimes where comments that a user remain, but the user deleted their account.
since 1978 and I didn't see anybody on HN panicking at the thought of doing business with french citizens, although these laws are tougher than GDPR. Remember than the latter is enforced at the country level, it's not Europe who is going to fine your business. Which means maybe Czechia will let you fly with whatever you are doing with personal data, and maybe Spain won't because they have tougher user data protection laws. My point is GDPR didn't create a new legal risk that wasn't there before. It's just that people here didn't care before for some reasons.
Now I see all these "GRPR compliant"(whatever that means) seals on different products, but where they even "CNIL compliant" before? Is that framework "CNIL compliant"? How many of you did a declaration to the CNIL before harvesting data from french citizens?
Maybe nobody cares because nobody got any fines maybe. This could be different with GDPR. Time will tell how hard they will enforce these rules, but it could be very harsh and very expensive for some people.
Agreed. GDPR replaces the current Directive and the various member state laws implementing it. GDPR's requirements are (making up a number) 80% or 90% already required by current laws. It's just that the fines were small. GDPR allows fines of up to 4% of annual revenue for the corporate group. So that's why it's getting so much attention. Large multinationals can't afford to ignore such a fine. The reality is probably that the enforcement authorities would only be able to hand out so many mult-million dollar fines (and fight the ensuing battle) at a time. We'll see what enforcement really looks like over time and that'll indicate how serious this is all taken.
It is companies like Cambridge Analytica, Google and others that caused this law change. In general the EU countries tries to leave the market to develop on it's own without interfering. However when there are a feeling that the market is doing the wrong thing, someone feels there needs to be a correction of ways and then we end up with things like this.
I'm sure someone once said "This is why we can't have nice things".
If you'd like an explanation of what this is about, check out the IAPP's Privacy Advisor Podcast - March 29 episode interviewing Matthias Matthieson, who heads the IAB. Basically, they realize that tracking things like user consent in the programmatic online advertising space with all the uses and participants accessing and pooling the data will be pretty much impossible unless an agreed protocol is used for doing so within the advertising ecosystem. For a perspective that says GDPR and programmatic advertising as it currently exists using personal data are not compatible, see Johnny Ryan's two earlier interviews on the same podcast.
18 comments
[ 3.3 ms ] story [ 52.1 ms ] threadthey do have some good standards, that focused on user privacy, which are abandoned by now. mostly they spend the 2000s trying to standardise hit-the-monkey rich media banners and were widely ignored while google stole all Ad money by dictating the direction they wanted instead (and thanks to that period every site in the world snitch you to google analytics)
now iab is trying to lead how Ads will confirm the publisher secured gdpr consent. but again google is already on their own thing.
which is? you left us hanging there
If the company follows standards or not, is another history.
On the other hand, one of my clients dropped the membership (cutting all expenses on the quarters pre-IPO/Sale so the numbers looked better) and was still leading one of the standards even without the name on this list.
It's the specifications for how the IAB (Internet Advertising Board), which consists of of every organization blocked by your ad blocker, would like publishers to gather consent from people landing on their site.
It's a very optimized setup as who they are targeting using this are the big sites that do Real Time Bidding (RTB) for ad slots on their pages. You land on a site and the js for ads loads, calls out to a real time ad marketplace with your info (IP, cookies) and then preset bids ("I'll pay 20c to serve this person an ad for cheese!") all are evaluated and the highest paying gets served on the site (and the marketplace takes a tiny cut).
What this framework does is help add user consent and GDPR readiness into the criteria that can be used in this process. So as a publisher if you're trying to meet GDPR requirements you can say: "Only give me ads from places that respect this".
As a consumer, this kind of paves the way to just consent to these things once and then use them all over the web (good for UX). If you're just trying to get to grips with GDPR try this Plain English Guide
https://blog.varonis.com/gdpr-requirements-list-in-plain-eng...
- How will this affect invoices that have to be kept for accounting purposes? Even if a customer wishes their data to be removed, we should not remove accounting information.
- How will this affect Internet archives and caches?
It seems removing all traces of a customer can be a very hard thing to do.
If other laws exist that clash with GDPR, those laws take precedence. This question most often comes up specifically with regards to payments and finance. If a law requires you to retain payment/accounting information for three years, you must keep that info for three years, because this is addressed by a more specific law than GDPR.
1. If you're legally obligated to keep information, you should keep it. This is one of the "legal bases" of handling personal data. Others are things like they consented to this, you have a legitimate business activity with it, they contracted you to do something with it, etc.
2. The GDPR makes a really clear distinction between personal information (email, name, religion, etc.) and everything else: you need to delete the personal information.
So it's not necessary to do a cascading delete of everything the user ever created if they ask for their _personal_ information to be removed.
This isn't really GDPR related, but you can see this on Reddit sometimes where comments that a user remain, but the user deleted their account.
https://www.cnil.fr/fr/loi-78-17-du-6-janvier-1978-modifiee
since 1978 and I didn't see anybody on HN panicking at the thought of doing business with french citizens, although these laws are tougher than GDPR. Remember than the latter is enforced at the country level, it's not Europe who is going to fine your business. Which means maybe Czechia will let you fly with whatever you are doing with personal data, and maybe Spain won't because they have tougher user data protection laws. My point is GDPR didn't create a new legal risk that wasn't there before. It's just that people here didn't care before for some reasons.
Now I see all these "GRPR compliant"(whatever that means) seals on different products, but where they even "CNIL compliant" before? Is that framework "CNIL compliant"? How many of you did a declaration to the CNIL before harvesting data from french citizens?
I'm sure someone once said "This is why we can't have nice things".
GDPR is scarier because the fines look higher and uniform across the EU, as far as I can tell.
[0] http://www.theregister.co.uk/2016/10/05/ico_finally_delivers...