The PrivacyChain is a distributed, blockchain platform , based on a shared, immutable, distributed ledger. This ledger ensures that participants in a PrivacyChain have a single, consistent, up-to-date view to a consumers opt-ins or opt-outs, something that is more difficult to accomplish with traditional technologies. As a result, PrivacyChain helps publishers and advertisers build more trusting relationships with their customers. It also provides companies with a standardized consent management solution which speeds and simplifies deployment for all their partners in the data supply chain. And because of this consistency and ease of deployment, PrivacyChain simplifies companies' ability to prove that they are complying with numerous consumer privacy regulations worldwide, including the California Consumer Privacy Act, General Data Protection Regulation, and the European Privacy Directive, as well as a company's own privacy policies.
A demo is available at http://tools.iabtechlab.com. Companies interested in testing the specification can build applications that make calls into the testbed and see how they are handled and propagated across the blockchain in a standard implementation.
Entities
Following entities are defined in privacychain:
Data Collector – For example, Brand, Publisher, Data Source of consumer data
Data Buyer – For example, Brand, Ad Agency, Data Aggregator
Advertiser – For example, Brand, Ad Agency
Individual – Consumer, user
Use Case 1 – Consent Collection
Title
Data Collector captures consent when an individual's personal data and opt-in preference is being collected
Description
Individual signs up as a member at the data collector1 ("entity") website
Website displays privacy messaging and prompts user to opt-in to accept privacy terms and condition
The website requests user to provide consent on the use of the individuals data for these purposes:
For the entity to provide basic services
For first party site personalization
For first party marketing purpose
For sharing with third party for market purpose
Post condition
Individuals consent along with its meta data2 is captured in PrivacyChain
Use Case 2 – Data Movement Tracking
Title
Advertiser tracks audience data movement when personal data is transferred to a third party
Description
Advertiser creates audience segment for advertising campaign
Advertiser ensure that audience has provided consent for their data to be used for marketing purpose
Advertiser transfers audience segment to third party for campaign execution
Third party received audience segment
Post condition
Transfer of individual's consent along with its meta data to the third party is captured in PrivacyChain
Third party receipt of individual's consent along with its meta data is captured in PrivacyChain
Use Case 3 – Data Movement Tracking
Title
Third party tracks audience data movement when data is transferred to another third party. All third parties delete audience data post campaign
Description
Third party transfers audience segment to another third party5 for campaign execution
Third party received audience segment
All third parties delete audience data post campaign
Post condition
Transfer of individual's consent along with its meta data to the third party is captured in PrivacyChain
Third party receipt of data and individual's consent along with its meta data is captured in PrivacyChain
Third parties deletion of individual's data post campaign is captured in PrivacyChain
Use Case 4 – Consent Collection
Title
Data Seller captures individual's consent when individual's personal data is being collected
Description
Individual signs up to use services at a data collector7 ('entity') site
Website displays privacy messaging and prompts individual to opt-in to accept privacy terms and condition
Privacy terms and condition and opt-in include individual personal data collection:
For the entity to provide basic services
For first party site personalization
For first party to share data with third party part of data sales
Post condition
Individual's consent along with its meta data8 is captured in PrivacyChain
Use Case 5 – Data Movement Tracking
Title
Data Seller tracks data movement when individual's data is sold and transferred to third party
Description
Data Seller sold opt-in individual data to a third party
Third party received data from Data Seller
Post condition
Transfer of the individual's consent along with its meta data to the third party is captured in PrivacyChain.
Third party receipt of data and individual's consent along with its meta data is captured in PrivacyChain
Use Case 6 – Individual Inquiry
Title
Individual inquires consent status and data movement
Description
User login to brand website he/she signed up previously
User inquires attribute(s) he/she has provided data to the brand
User inquires movement of his/her data outside of the brand
Post condition
The brand's website displays a list of user's attribute(s) along with meta data:
Consent status
Expiry date
Usage/purpose
he brand's website displays a list of third party destinations in which user's data has been shared with/transferred to
Use Case 7 – Data Propagation
Title
Individual manages his/her consent and updated consent propagates to downstream entities
Description
User login to brand website he/she signed up previously
User inquires attribute(s) he/she has provided data to the brand
User revoke consent to share data with third party
Post condition
The action of revoking consent to share data with third party is captured in PrivacyChain
PrivacyChain triggers consent revocation notification to all third-party entities that had received the individual's consent previously
Use Case 8 – Auditing
Title
Regulator auditing Data Collector and Data Processor's privacy practice
Description
Regulator access PrivacyChain
Regulator retrieve audit trail of data collection, data movement with consent along with the metadata for a particular Data Collector/Processor
Post condition
PrivacyChain supports audit trail data extraction
Regulator determines compliance
Use Case 9 – External Governance and Monitoring
Title
Regulatory authority and consumer advocacy group monitors the integrity of the consortium
Description
Regulatory authority and consumer advocacy group request setting up and running PrivacyChain nodes
PrivacyChain consortium approves request via PrivacyChain governance process
Regulatory authority and consumer advocacy group follow provisioning instructions
PrivacyChain provision regulatory authority and consumer advocacy group within the network
Post condition
Regulatory authority and consumer advocacy group each runs a node within PrivacyChain
Regulatory authority and consumer advocacy group access data within the ledger
Subscribe to notifications for all events related to a consent record
SB-02
V1.0
/subscription/findByEntity
GET
Return subscriptions for an entity
SB-03
V1.0
/subscription/{subscriptionId}
GETDELETE
Find subscription by subscription IDDelete subscription by subscription ID
About IAB Tech Lab
The IAB Technology Laboratory (Tech Lab) is a non-profit research and development consortium that produces and provides standards, software, and services to drive growth of an effective and sustainable global digital media ecosystem. Comprised of digital publishers and ad technology firms, as well as marketers, agencies, and other companies with interests in the interactive marketing arena, IAB Tech Lab aims to enable brand and media growth via a transparent, safe, effective supply chain, simpler and more consistent measurement, and better advertising experiences for consumers, with a focus on mobile and TV/digital video channel enablement. The IAB Tech Lab portfolio includes the DigiTrust real-time standardized identity service designed to improve the digital experience for consumers, publishers, advertisers, and third-party platforms. Board members include AppNexus, ExtremeReach, Google, GroupM, Hearst Digital Media, Integral Ad Science, Index Exchange, LinkedIn, MediaMath, Microsoft, Moat, Pandora, PubMatic, Quantcast, Telaria, The Trade Desk, and Yahoo! Japan. Established in 2014, the IAB Tech Lab is headquartered in New York City with an office in San Francisco and representation in Seattle and London.
THE STANDARDS, THE SPECIFICATIONS, THE MEASUREMENT GUIDELINES, AND ANY OTHER MATERIALS OR SERVICES PROVIDED TO OR USED BY YOU HEREUNDER (THE "PRODUCTS AND SERVICES") ARE PROVIDED "AS IS" AND "AS AVAILABLE," AND IAB TECHNOLOGY LABORATORY, INC. ("TECH LAB") MAKES NO WARRANTY WITH RESPECT TO THE SAME AND HEREBY DISCLAIMS ANY AND ALL EXPRESS, IMPLIED, OR STATUTORY WARRANTIES, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AVAILABILITY, ERROR-FREE OR UNINTERRUPTED OPERATION, AND ANY WARRANTIES ARISING FROM A COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE. TO THE EXTENT THAT TECH LAB MAY NOT AS A MATTER OF APPLICABLE LAW DISCLAIM ANY IMPLIED WARRANTY, THE SCOPE AND DURATION OF SUCH WARRANTY WILL BE THE MINIMUM PERMITTED UNDER SUCH LAW. THE PRODUCTS AND SERVICES DO NOT CONSTITUTE BUSINESS OR LEGAL ADVICE. TECH LAB DOES NOT WARRANT THAT THE PRODUCTS AND SERVICES PROVIDED TO OR USED BY YOU HEREUNDER SHALL CAUSE YOU AND/OR YOUR PRODUCTS OR SERVICES TO BE IN COMPLIANCE WITH ANY APPLICABLE LAWS, REGULATIONS, OR SELF-REGULATORY FRAMEWORKS, AND YOU ARE SOLELY RESPONSIBLE FOR COMPLIANCE WITH THE SAME, INCLUDING, BUT NOT LIMITED TO, DATA PROTECTION LAWS, SUCH AS THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (CANADA), THE DATA PROTECTION DIRECTIVE (EU), THE E-PRIVACY DIRECTIVE (EU), THE GENERAL DATA PROTECTION REGULATION (EU), AND THE E-PRIVACY REGULATION (EU) AS AND WHEN THEY BECOME EFFECTIVE.