GDPR and OpenRTB

Recently, the IAB released an "advisory" which states best practices on how to relay consent under GDPR through the ad tech value chain. The GDPR actually creates two challenges for real-time bidding - what is the consent, and how is conveyed. The advisory is a standard for the latter but still leaves the actual process of consent in the hands of those with direct contact with the consumer.


There are two OpenRTB objects that are impacted by the advisory. The first is the extension under "Regs" - which is the generic field for regulations. There is a generic "ext" field for extensions. So a specific Regs.ext.gdpr flag has been defined that will be used to determine whether or not the impression is subject to the GDPR. A bid with a 1 means GDPR applies, whereas a 0 means it does not. It is between the exchange and the publisher to determine a mechanism to establish this on a per-impression basis. The actual consent will be specified under the "User" field, under a parallel User.ext.consent field. The advisory specifies that the "consent string" pass the purposes and companies for which the user has given consent.  There is also a forward-looking provision for including this in OpenRTB 3.0.

This standard was released in early February, mere months from the May 25 enforcement date. It might seems like things are starting to come together - but notably, the standards around the consent string have not been defined nor released, nor has there been a standardized definition around what consent screens should look like, what satisfies consent criteria, nor even how long consent lasts. This means that the actual meat of GDPR remains completely undefined in OpenRTB, just four months before it goes live. DSPs have historically taken many months to release simple features - and complex things like native advertising have taken years. While the OpenRTB task force is diligently pursuing a remedy - and this advisory is a strong first step - the case remains that there are not standards in place for DSPs to have effective communication on the consents for advertising. Exchanges may not all implement the exact same standard, further complicating the issue. While it remains to be seen, this is a precarious time for those whose business relies on programmatic behavioral targeting.