Layered consent? Legitimate interest? A guide to speaking fluent GDPR


Much as programmatic advertising has created an impressive batch of three-letter acronyms over the years, the General Data Protection Regulation has recently spawned its own arcane jargon.

Here’s a refresher on the most common terms you can throw around to establish your GDPR street cred.

Layered consent user experience
When a website explains what it’s doing with user data, in a layered way. This option has been popular with publishers that have a large number of ad tech vendors they use to monetize programmatic ad revenue. Rather than overwhelm site visitors with a sea of disclaimers on various third-party vendors the publisher uses, site visitors are met with approximately three layers of information regarding vendor partners and use of data, each with increasing levels of detail. The top layer of detail is the initial message which invites users to click “yes” to all third-party ad tech vendors and purposes of data use. A separate “manage settings” tab takes the visitor to a middle layer, where they’re presented with specific purposes for the use of their data such as whether it’s used for site analytics or for personalized retargeting. From there, the user can agree or click through to a final third layer, where they are shown a list of individual vendors.

Open consent user experience
This is the full monty when it comes to GDPR consent. Consumers are exposed to the consent value proposition: the how, why and benefits regarding the collection of information for targeted advertising. In that context, they are asked to opt-in, on a line-by-line basis, each individual ad tech vendor that a publisher wants to share their information with. On the surface, this more up-front consent option appears more overwhelming and potentially off-putting for the user, so naturally, it’s rarer to see.

Data processing agreement
This isn’t new to GDPR, but the term is now far more prominently used because of it. It’s an agreement that publishers, agencies and marketers put in place with each other regarding data protection, so it acts as the baseline for GDPR compliance. Not to be confused with the other DPA acronym, which stands for data protection authority.

Data processing addendum
These have been the proverbial thorn in the sides of publishers for months. Addenda aren’t new; they are legal jargon for contract updates. Data processing addenda have crept in more under GDPR as everyone has scrambled to update their existing contracts. They seem like new terms because there was such a huge influx of them in the months preceding the enforcement deadline of 25 May, and sorting through them continues to clog up time.

Data controllers
Publishers and advertisers are both data controllers. Any business that owns first-party audience data is responsible for however that data is then handled not only by themselves but their partners: agencies and third-party tech vendors. Controllers determine the purposes and methods of processing personal data. They’re also on the hook for fines, even for breaches that are caused by partners.

Joint controllers 
When two businesses jointly determine the purposes and means of processing personal data and are totally transparent with each other over the terms. They’d therefore share liability. The term co-controller has also come up, but this isn’t an official term, according to experts. Rather, this is a term that surfaced as a result of Google’s GDPR policy change, in which it described itself as a co-controller, a move which would give it full control of the controller’s [publisher’s] audience data, in theory. Beware any company that starts professing that they’re a co-controller, as it’s not officially defined under GDPR.

Data processors and sub-processors
Data processors do not own the audience data but do things with it in order to fulfill marketing-related activities like ad serving and retargeting. Generally, processors must only act on the documented instructions of the controller. Processors can also be subject to fines, along with the controllers. When a processor outsources work to an external company, that secondary company is a sub-processor. The processor needs permission from the controller to do so.

Consent management platform
A CMP is what publishers use to capture and store information on what a user has given consent to use their data (and what they haven’t). That CMP then ensures that same information is passed to every other partner the publisher works with in the digital ad supply chain, to ensure no one is using data out of turn, and risking fines. Most ad tech vendors have tacked this capability onto existing services — this is not an opportunity for a new ad tech business model but is regarded by vendors as strictly hygiene.

Hard and soft opt in/out
There is still confusion around what constitutes opt-in, opt-out and legitimate interest. The term “hard opt-in” gets bandied around often. To avoid confusion: opt-in and hard opt-in both refer to a website that has not assumed what a site visitor’s expectation or choice is, and instead adjusts its ad targeting according to whether the person ticks or clicks “agree” or “yes.” If they do neither, they won’t be sent personalized ads.

Opt-out and soft opt-in are used interchangeably and mean the same thing: that a website has presumed an individual is happy for their data to be used unless they specify otherwise and opt-out of the experience.
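As an added illustration of the consent management platform and the hard/soft opt-in distinction above (this is example code written for this guide, not code from the article or from any real CMP), the following Python models what a CMP stores per visitor and the yes/no answer it passes to each partner. The vendor names, purpose names and visitor records are constructed; the two decision models follow the definitions given here: hard opt-in defaults to “no personalized ads” until the visitor actively agrees, soft opt-in (opt-out) defaults to “yes” until the visitor actively declines.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Choice(Enum):
    """The top-layer choice a visitor made on the initial consent message."""
    UNANSWERED = "unanswered"  # notice ignored or dismissed
    AGREED = "agreed"          # clicked "yes" / "agree"
    DECLINED = "declined"      # actively refused


@dataclass
class ConsentRecord:
    """What a CMP stores for one visitor: the top-layer choice plus any
    purpose-level (layer 2) and vendor-level (layer 3) decisions."""
    choice: Choice = Choice.UNANSWERED
    purposes: Dict[str, bool] = field(default_factory=dict)  # e.g. {"analytics": True}
    vendors: Dict[str, bool] = field(default_factory=dict)   # e.g. {"vendor-b": False}


def may_process(record: ConsentRecord, vendor: str, purpose: str,
                model: str = "hard_opt_in") -> bool:
    """Return True if `vendor` may use this visitor's personal data for `purpose`.

    model="hard_opt_in": an unanswered notice means no (default deny).
    model="soft_opt_in": an unanswered notice means yes until the visitor opts out.
    Any explicit vendor- or purpose-level decision overrides the top-layer default,
    and an explicit refusal at either level always wins.
    """
    explicit = [d for d in (record.vendors.get(vendor), record.purposes.get(purpose))
                if d is not None]
    if explicit:
        return all(explicit)
    if record.choice is Choice.AGREED:
        return True
    if record.choice is Choice.DECLINED:
        return False
    # Only the unanswered case depends on which model the site runs.
    return model == "soft_opt_in"


def signals_for_partners(record: ConsentRecord, vendors: List[str],
                         purposes: List[str], model: str = "hard_opt_in") -> Dict[str, Dict[str, bool]]:
    """The per-vendor, per-purpose signal a CMP forwards down the ad supply chain,
    so every partner sees the same answer the publisher recorded."""
    return {v: {p: may_process(record, v, p, model) for p in purposes} for v in vendors}


if __name__ == "__main__":
    # Constructed sample: one visitor who clicked "yes" but refused one vendor
    # in the third layer, and one who never answered the notice.
    vendors = ["vendor-a", "vendor-b"]
    purposes = ["analytics", "retargeting"]
    agreed = ConsentRecord(choice=Choice.AGREED, vendors={"vendor-b": False})
    unanswered = ConsentRecord()
    print("agreed, hard opt-in:", signals_for_partners(agreed, vendors, purposes))
    print("unanswered, hard opt-in:", signals_for_partners(unanswered, vendors, purposes))
    print("unanswered, soft opt-in:", signals_for_partners(unanswered, vendors, purposes, "soft_opt_in"))
```

The point the example makes is that the only behavioural difference between the two models is the unanswered visitor; once someone has actually clicked, both models give the same answer, and a refusal recorded in a deeper layer is never overridden by a blanket “yes” at the top.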

Legitimate interest
The jury is out on just how many companies will be able to play the legitimate-interest card and skirt repercussions from regulators. A business that claims legitimate interest will have (in theory) undergone a lengthy test internally and checked that their interest in collecting the data outweighs the interest of the individual for not having the data collected. Under GDPR though, the site must make it easy to revoke any consent given, hence why unsubscribe links and buttons can be seen more clearly on email newsletters.

Personalized and non-personalized ads 
Personalized ads use personal data. In some cases, this includes sensitive information like race, religion and sexual orientation — the latter of which requires “explicit” consent rather than the more standard form of consent, under GDPR.

Non-personalized ads can be targeted but without using personal data of any kind. In some circles, they’re now described as using “ethical” as opposed to “conventional” data-targeting techniques, and the likes of Google have introduced them as an option. You could also class methods such as contextual targeting under this, which doesn’t target ads with personal data.
