Getting data activation right–a brand marketer's guide to IAB privacy frameworks

I often speak with marketing and digital teams who tell me that adopting IAB (Interactive Advertising Bureau) frameworks is a complete solution to privacy compliance. 

• “We’re good, we use IAB TCF”
• “No worries on privacy, our activation partners all adhere to the Global Privacy Platform”

The truth? IAB frameworks are a good start, but there’s more to do to ensure end-to-end compliance across a brand data ecosystem. 

In this article I’ll unpack what advertisers get (and don’t get) with IAB framework adoption, and how to close the gaps that leave brands open to regulatory risk, and hamper data activation.

Advertising practices are under intense scrutiny

I have a lot of empathy for digital marketers and advertisers, who are in the midst of a huge digital and data transformation:

• Regulators like the FTC (Federal Trade Comission) and U.S. State Attorneys General are keeping a close watch on the advertising industry for any misstep. Enforcers are using words like “commercial surveillance” and “surveillance capitalism” to describe targeted advertising. That doesn’t bode well for enforcement leniency.
• Marketers rely heavily on third-party data for advertising success, and it’s under threat by legislators (see the California Delete Act). 
• Big tech players like Google and Apple continue to threaten brand advertising success with walled gardens and first party identifiers. 

IAB privacy frameworks can promise order amidst chaos, ensuring advertisers and publishers stay on the right side of regulations amidst growing scrutiny. Adhering to frameworks can make brands feel safe and compliant. 

Unfortunately, frameworks are not “set-it-and-forget-it,” nor are they a complete solution. A complete data strategy exposes the personal data floating across your business ecosystem, and creates a productive path towards collecting, storing, and mobilizing permissioned data for business growth.

The IAB's role in privacy regulations

GDPR vs CCPA compliance 

In 2018, the GDPR, Europe’s data privacy law, changed the game for digital advertisers doing business in Europe. Among other requirements, the GDPR requires an opt-in from consumers to collect and process personal data, businesses must disclose what they were doing with data, and meet data minimization rules (collect only what you need). 

In 2020, California opened the data privacy legislative floodgates in the US with the CCPA. (Today, 20 US states have enacted data privacy legislation.) US laws generally require businesses to give consumers the right to opt-out of targeted advertising, in addition to rights shared with Europe like the right to have one’s data deleted and the right to know which data businesses have on you. 

Under both jurisdictions, there are diligence requirements and obligations when data is shared across your data ecosystem, for example, with activation partners. 

IAB frameworks at a glance

The IAB framework, created by the Interactive Advertising Bureau, helps digital advertisers, publishers, and tech vendors comply with data privacy regulations. Key components include the Transparency and Consent Framework (TCF) and the Global Privacy Platform (GPP), which standardize consent and privacy signals across the digital advertising ecosystem.

In response to these regulations, the IAB produced and created a number of frameworks, protocols and agreements to help advertisers and publishers seeking to thrive in the privacy-first data economy. 

Here are some of the frameworks created by the IAB: 

• IAB Transparence and Consent Framework (TCF): Aims to help advertisers, publishers, and tech vendors comply with data protection regulations like GDPR by providing a standard way to obtain, record, and share user consent for data processing. 

• IAB Global Privacy Platform (GPP): The GPP is a protocol designed to streamline the transmission of privacy, consent, and consumer choice signals from sites and apps to ad tech providers; it enables advertisers, publishers and technology vendors in the digital advertising industry to adapt to regulatory demands across markets. Read more: Global Privacy Platform (GPP)

• IAB Multi-State Privacy Agreement (MSPA): The IAB created the MSPA to be a common framework for advertisers, agencies, technology vendors, and publishers implementing the new privacy laws taking effect in 2023 in California, Colorado, Connecticut, Virginia, and Utah. The MSPA is being amended to cover additional state privacy laws taking effect in 2024 through 2026.

• IAB Data Deletion Request Framework: This specification created by the IAB creates a technical framework for proficiently managing data deletion requests. “The ‘Right to Delete’ is a Data Subject Right (DSR) currently protected by the GDPR, 15 US state privacy laws, and additional privacy legislation, including Quebec Law 25. 

These robust frameworks provide a good starting point, but they don’t get advertisers to the finish line when it comes to two areas of concern:

• Regulatory requirements for managing consumer consent records
• Consumer expectations for how you’re handling their data

How the IAB framework and CMPs work together 

Let’s walk through two hypothetical examples to illustrate how the IAB frameworks support publishers and advertisers: 

1. Publisher perspective: following a consumer’s opt-in consent choice in Europe using the IAB Transparency and Consent Framework (TCF)
2. Advertiser perspective: following a consumer’s opt-out consent choice in California using the IAB Global Privacy Platform (GPP)

The publisher perspective

Here’s what happens when a consumer provides opt-in consent to a website using the IAB’s Transparency & Consent Framework (TCF):

1. A consumer makes a consent choice. A user shows up to a publisher website, and the consent management platform (CMP) asks for consent for a set of pre-defined purposes such as personalized ads, measurement or audience insights. In the TCF, the CMP also asks for consent for which advertiser technology providers (“vendors”) the user consents to.‍
2. Consumer choices are encoded into the TCF “string.” The consumer’s choices are packaged up in a special format–a “string”–that the publisher and its data sharing partners can understand.

‍

‍

3. CMP provides the string to the website’s vendors. The CMP is responsible for sending the TCF string to any and every vendor that has a javascript tag on the publisher website. (The javascript tag is the mechanism for each vendor’s visitor data collection on the publisher website.)‍
4. The privacy string is passed on and respected. In every single communication that the vendor has with another vendor, the string is passed along with any requests made between those vendors. If an applicable purpose OR vendor is not consented to, the transaction / applicable operations are stopped. It is a requirement of the TCF framework that all participants respect the privacy choices and stop applicable data processing accordingly.

This common string passed across publishers and vendors helps them speak the same “language” when it comes to consumer preferences and privacy choices. The diagram shows the basic flow of consent generation through respecting the choice.

‍

‍

For publishers and vendors, the IAB framework is fairly robust. In coordination with a capable consent management platform, publishers can respect consumers’ consent preferences. Now, let’s talk about advertisers.

The advertiser (brand) perspective

Let’s imagine Steve, a car enthusiast. Steve lives in California, where privacy laws (CCPA/CPRA) require businesses to allow Steve to opt-out of data sharing, such as targeted advertising. 

1. Steve visits BMW.com and designs a car. 
2. Steve’s data is sent to the brand’s CDP (customer data platform) as a “BMW Prospect.” 
3. The brand’s “BMW Prospects” audience segment, which now includes Steve, is sent to its DSP (demand side platform) to deliver advertising. DSPs are programmatic ad buying platforms that help brands find inventory to place their ads. 
4. Back to Steve: on BMW.com, he finds the Privacy Center page and opts out of the sale or share of personal data with BMW. 

Now: because Steve has opted out, the brand must remove his data from the “BMW Prospects” segment in the CDP and DSP. This can happen in two ways:

• The brand’s consent management platform sends the opt-out signal to the CDP, and the CDP removes Steve from the “BMW Prospects” (and other) segments. When the CDP-DSP connection is next updated, Steve is removed.
• The brand’s CMP can send the opt-out signal directly to the DSP. 

There is a third option–failure. If the brand’s CMP fails to get the opt-out signal to the DSP, here’s what happens next for Steve:  

1. Steve navigates to CNN.com to catch up on the news. 
2. CNN’s CMP generates the IAB string, which says YES to advertising for Steve. With permission in hand to show Steve targeted advertising, CNN facilitates an auction for the ad impression among DSPs representing thousands of advertisers, including BMW.
3. Since Steve is still in that high intent “BMW Prospect” segment, the DSP representing BMW places a high dollar bid for the ad impression, and wins.‍
4. The BMW ad is served to Steve, even though he opted out of BMW targeted advertising. ‍
5. Making matters worse, BMW’s Ad Server introduces other data collectors, such as creative optimization providers, or measurement tracking technology.

‍

‍

Most advertisers assume that when they adopt the IAB framework and rely on the publisher-generated string, consumer opt-out choices will be respected. But in this (all too common!) example, we see that the brand-owned CMP is absolutely critical to the brand’s ability to pass consumer consent signals to data partners that communicate with publishers. 

IAB framework success depends on CMPs to pass consent signals (privacy string), and reconcile conflicting signals between publishers and advertisers. 

For example, if Steve is opted in to CNN, but opted out of BMW, the key role of the CMP is to ensure that the data on Steve from BMW isn’t used to target an ad. To many publishers AND advertisers, this is not understood.

Simply put: when IAB frameworks are engaged, they serve the interests of the publisher <> consumer dynamic OVER the interests of brand <> consumer dynamic. 

‍

‍

Why brands should care about creating a comprehensive consent solution

Beyond risk of regulatory enforcement, there are revenue-preserving reasons for advertisers and publishers to invest time and budget in a comprehensive consent and permissioning strategy. 

Protecting consumer trust

The game’s changed from the wild west days of “collect and use all the data you can”, to today’s world of being respectful of people’s data to earn and maintain their trust, which includes respecting their privacy choices. 

The Person Behind the Data, a conjoint study of 2500+ US and UK consumers, revealed that consumers reward brands with responsible data practices with 23% increased purchase intent. This is huge for advertisers. Transparency on what you’re doing with data, and your data sharing practices were some of the biggest contributors towards consumer brand preference and trust. From the consumer’s perspective, sharing data with a publisher site after they’ve opted out is a clear violation of their expectations, with clear potential to impact future buying decisions. 

Avoiding media wastage

Beyond trust and considering revenue preservation, we must consider the wasted media spend targeting people that don’t want to be targeted by your brand. There are two elements to this. 

Firstly, there are pure opt-outs who just don’t want to engage with your brand, and any efforts to reach them are futile. They are essentially outside of your category, or outside your brand. 

Second and more importantly, some opt-outs simply represent privacy conscious buyers. They may like your brand enough to build a car on your website (like Steve) , and exhibit buying signals, but don’t want to be targeted. At these moments, brands must be extra careful. Respecting Steve’s privacy and data dignity at that moment might preserve a sale.

Identifying the right consent management and data permissioning technology

So, what does a complete solution look like? 

It begins with transparency. Communicate exactly what you’re doing with data. Your customers expect it, deserve it, and will appreciate it. This happens in your disclosures and in privacy modals and preference centers. It’s important to communicate in plain language.

Secondly, understand consumer privacy choices. This happens via your frontend privacy experiences: privacy modals, or preference center. When you collect consent or provide a disclosure, you record the permission to use data for certain purposes, such as analytics, advertising, personalization, and more. 

Finally, it’s about making sure privacy signals are respected and enforced across your entire data ecosystem. That means ensuring every team, system, and third-party vendor sticks to the privacy choices set by your customer, keeping everything in line with their preferences.

Read more: The ins and outs of consent management platforms

‍

Solution components

Essential consent management elements that a brand advertiser MUST consider, that aren’t covered by adopting an existing framework are:

• Location-aware privacy notices: Serve the right privacy language and notices to the right consumers, based on automatic location recognition matched with privacy banners and modals that populate with your brand voice and jurisdiction-specific language. It’s also important to make sure you’re covered when new jurisdictions like US States hit the scene with their own privacy laws. 
• Website tag control: Ensures that personal data collection through tags and scripts is controlled based on consent choices. For example, if a web visitor declines to opt-in to data processing, the tags and scripts that collect data from websites must be stopped. 
• Cross-device preference recall: It’s about treating people as people. Choices that are made on one device or browser, should be reflected on other devices and channels where that person engages with your brand. 
• Orchestration: Enforcing privacy choices across your data systems and vendors isn’t easy. It requires APIs and infrastructure that reliably communicate privacy signals to data systems that use different protocols. 

Of course, your CMP should also support and control systems that do not use IAB frameworks.

‍

The future of data activation

I can’t (and won’t!) dispute the IAB’s influential role in advancing privacy in the digital advertising industry. But marketers and advertisers must be cautious of relying on IAB frameworks as a one-stop-shop for privacy compliance. 

To navigate the maze of global regulations and genuinely honor consumer data preferences, advertisers need a comprehensive approach to consent management. This means going beyond frameworks, understanding your unique data lifecycle–touchpoints, systems, and campaigns–and integrating robust privacy technologies. Your reputation, budget, and consumer trust depend on it. Because in the end, it’s not just about compliance—it’s about delivering a connected, permissioned experience to consumers like Steve.