With the arrival of the GDPR, all players in the tech industry (advertisers and publishers, adtech, CRM, identity providers, emailing, etc.) need to collect and share user consents across their technology stack. Consent web tokens allow them to do that in a standardized and secure way. One common language that all can trust!
A consent web token is a list of consents given by a user (direct marketing, profiling, etc.), signed with a cryptographic key that guarantees its origin and stamped with an expiration date. Anyone who has access to the token can check its validity and know what the user has consented to and until when, so they can act accordingly. Because the token is signed, no actor in the chain can alter it without invalidating the signature, and it can be trusted as a faithful representation of the user's choices.
When are CWTs created and used?
1. Consent collection
On websites or in mobile applications, an official issuer of CWT tokens collects consents from users through banners, popups, etc.
2. Token signature
Once the user has given consent, a JWT that respects the CWT specification is created and cryptographically signed with the issuer's private key.
3. Sharing and using the token
The consent token is shared with vendors that get access to user data. They can verify the validity of the token with the public key of the issuer.
Frequently asked questions
Commonly asked tidbits.
How can I know that a CWT is valid?
A consent web token is cryptographically signed with a private key that only the issuer knows, which guarantees that its content cannot be modified by anyone other than its issuer. Companies that receive CWTs can use the public key of the issuer to confirm that the token content is authentic and can be trusted.
This relies on two industry standards: the JSON web token and asymmetric keys.
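The consumer-side check described above, as an added Node.js example that is not part of the CWT specification or of Didomi's reference implementation: it pins the signature algorithm, looks up the public key by issuer, verifies the signature and enforces the expiration. The `consents` claim layout, the choice of RS256, and the issuer id `issuer.example` are assumptions, and the key pair is generated inline for the demo.

```javascript
// Added example. Claim layout, RS256 and the issuer registry are assumptions,
// not taken from the CWT specification.
const crypto = require('crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');

// Constructed issuer key pair; a real consumer holds only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const TRUSTED_ISSUERS = new Map([['issuer.example', publicKey]]); // hypothetical registry

// Issuer side: sign "header.payload" with the private key (RSASSA-PKCS1-v1_5 + SHA-256).
function signToken(payload, key) {
  const input = `${b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), key).toString('base64url')}`;
}

// Consumer side: returns the payload if the token is valid, throws otherwise.
function verifyToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  const payload = JSON.parse(Buffer.from(p, 'base64url').toString());
  // Pin the algorithm so a token cannot select "none" or a symmetric scheme.
  if (header.alg !== 'RS256') throw new Error('unexpected algorithm');
  // The key comes from our own registry, never from the token itself.
  const key = TRUSTED_ISSUERS.get(payload.iss);
  if (!key) throw new Error('unknown issuer');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // Consent is only usable until the expiration stamped by the issuer.
  if (typeof payload.exp !== 'number' || payload.exp <= now) throw new Error('token expired');
  return payload;
}

// Constructed sample token.
const samplePayload = {
  iss: 'issuer.example',
  exp: Math.floor(Date.now() / 1000) + 3600,
  consents: [{ purpose: 'direct_marketing', granted: true }],
};
const sampleToken = signToken(samplePayload, privateKey);
console.log(verifyToken(sampleToken).consents);
```

The signature is checked before any claim is acted on, so a rewritten consent list fails verification even when its header and expiration look valid.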
How can I know that the list of consents from the user is real?
At the end of the day, the content of the CWT (the list of consents of the user) is only as good as its issuer. Didomi maintains a list of issuers and their public keys to make it easy to use consent web tokens but cannot guarantee that the way they collect consent is compliant with the regulation.
Consent web tokens are about securely sharing consents from trusted sources to downstream consumers of consents.
Are CWTs free?
Of course. Consent web token is an open-source specification and reference implementation maintained by Didomi, a company that offers consent management solutions.
Our goal is to promote it as an industry standard that is easy to use for everyone and fosters best practices as well as user choice. We welcome contributions to the specification and its implementation.