Q: For data limited to a specific advertiser’s use, Yahoo is considered a processor. For any other data licensed for broader use, Yahoo is a controller. Does this mean that any data should be pushed to only one seat/one client?
A: Generally, Yahoo will only enter into a processor relationship on a one-by-one basis with a specific advertiser client (legal entity). If the advertiser operates in more than one seat or account, there is no problem. We would avoid a situation where an advertiser comes to us and wants to use our DMP to re-distribute data to unrelated third parties.
Q: Provider does not have the direct relationship to the end-user. The publishers whose data we aggregate do. We require that the publisher manages the user consent. Some publishers will be collecting the audience data under consent and some under legitimate interest. For our publisher running consent - will you be participating in the IAB framework?
A: Yes, Yahoo is participating in the IAB framework. We are using IAB bits for our
gdpr_euconsent parameter values - Storage and access of information and Personalization.
Q: We would ask any of our publishers to also include consent for Yahoo. For publishers running under legitimate interest - how are these handled with the outlined parameters?
A: Yahoo will still need consent for the following AIB parameters - Storage and access of information and Personalisation If a publisher claims legitimate interest for everything and does not get consent from a user for Yahoo, we cannot accept this data. If they include the parameters and right values, it means the publisher got consent for Yahoo and we can process the data.
Q: For the data transfer, a data provider should include the
gdpr_euconsent values if they have the consent, rather than Yahoo received consent from that user?
A: Euconsent values are for Yahoo consent. A data provider should gather consent for Yahoo. Yahoo needs consent to process data on a EU user in co-controller scenarios.
Q: Are data providers expected to send the
gdpr_euconsent values if Yahoo has consent or if the provider has consent?
A: For cookie-sync, provider doesn’t need to determine if we have consent in the IAB string. Yahoo will decode the IAB string when we get it to determine if we have consent.
Yahoo is controller, we need to send the IAB strings, only if Yahoo, not provider has consent on that user, correct? Meaning, we will need to collect the IAB consent string, look up whether Yahoo has consent or not, and store that on the provider profile. We will then pass this along in the data transfer?
A: That is correct. For data transfer we require provider to confirm Yahoo has consent for the IAB purposes prior to sending data. If Yahoo does not have consent, provider should not send the data.
Q: We need to pass along Yahoo consent, not provider consent, correct? Meaning, we will need to read the IAB consent string, look up whether Yahoo has consent or not, and if so, convert that to ‘storage and access of information and personalisation’ in the sync pixel.
A: They just need to pass the IAB string through the IAB protocol and we will decode the consent string to determine if Yahoo has consent. Note that the IAB protocol doesn’t exactly cover data transfers through DataX. This is why for DataX we came up with a consent protocol that is similar to the IAB framework but relies on partners to ensure they only send data when Yahoo has consent. The IAB protocol does explicitly cover cookie-syncing so we’re OK decoding the IAB string ourselves. This is why we have two different positions on DataX vs cookie-syncing.