‘Like an atomic bomb’: And now the IAB’s GDPR fix after regulator issue

The guardrails the advertising industry has erected to maintain compliance with Europe’s vast data protection law are unable to do so, according to data protection watchdogs — led by the Belgian Data Protection Authority. The consequences of this decision could significantly change how data is collected – and who is responsible for fixing the problem.

Moreover, these guardrails, known as the “Transparency & Consent Framework” (TCF), have been deemed illegal by oversight bodies.

Simply put, popups asking people for their consent every time they land on a site are illegal.

This means that all data collected through these popups from over 1,000 companies, including Google and Amazon, must be deleted accordingly. Nixing it all presents huge logistical and technical challenges, such as how to verify data and whether data is actually deleted.

Needless to say, advertisers, publishers and everyone else will need to immediately assess their reliance on the framework. Since many of these companies have paid IAB Europe for this utility, this could put the trade body in a difficult position.

So it will be interesting to see if – and to what extent – they try to compensate the trading body for the costs involved and the damages suffered, said Ruben Schreurs, group product manager at Ebiquity.

That is to say, the ramifications of this decision are monumental.

Take retargeting, for example. Large parts of it could be illegal if the ads are shown on sites where TCF is employed. The level of precise engineering and quality assurance needed to solve problems like this would be unprecedented. Not least because the data obtained through the TCF is ubiquitous to the point of being integrated into the very fabric of the online advertising market. Any overhaul of the TCF means industry-wide overhauls of how advertising works across the European Union web.

The truth is, no one really knows what that means right now. It’s not even clear whether regulators will be able to enforce their own decision. One thing is certain though: the big tech platforms will be fine with whatever happens given the terms they set for users. When a person logs into these platforms, they also consent to the sharing of data, unless otherwise specified. Publishers don’t have that luxury. The means of obtaining consent to use a person’s data for advertising purposes was most often via the TCF.

“This is an atomic bomb for so many things related to online advertising,” said Rob Webster, chief strategy officer at media consultancy Canton.

Why regulators decided TCF violated the General Data Protection Regulation:

Fails to guarantee the security and confidentiality of personal data
Does not properly seek consent and relies on a legal basis (legitimate interest) that is not permitted due to the serious risk posed by online advertising tracking
Does not provide transparency on what will happen to people’s data
Does not implement measures to ensure that data processing is carried out in accordance with the GDPR
Does not meet the “data protection by design” requirement

There’s a lot to discover here, but it basically boils down to this: the TCF is an encoded string of characters that contains all the relevant information about a person’s decision whether or not to be tracked, and by whom. It does not allow someone to prevent their data from being shared.

The consent string is sent along with all other user data normally shared by a publisher with an ad technology provider prior to an ad serving. It basically works as a sort of signal for other companies to know whether or not they can use the data. It can’t actually block anything that happens to the data, whether or not someone has given permission for it to be shared.

In other words, the TCF relied heavily on good players and industry compliance. Not everyone was. Otherwise, consent chain fraud, where ad tech providers alter parts of the consent chain to make it look like they have user consent more than they do, wouldn’t be widespread.
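Because the string is only a signal, a publisher that keeps the string its consent popup issued can compare it with the one a partner later presents. The sketch below is an added example, not code from the article or from IAB Europe: it assumes the TCF v2 core-segment bit layout from the public specification, the function names are hypothetical, and both sample strings are constructed.

```python
import base64

# Assumed layout: TCF v2 core segment as published in the IAB specification.
# The 24 per-purpose consent flags start at bit 152, purpose 1 first.
PURPOSES_OFFSET = 152
PURPOSES_BITS = 24


def core_bits(tc_string):
    """Decode the core (first) segment of a TC string into a '0'/'1' string."""
    core = tc_string.split(".")[0]
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    return "".join(f"{byte:08b}" for byte in raw)


def consented_purposes(tc_string):
    """Return the set of purpose IDs the string signals consent for."""
    bits = core_bits(tc_string)
    if len(bits) < PURPOSES_OFFSET + PURPOSES_BITS:
        raise ValueError("core segment too short")
    if int(bits[:6], 2) != 2:
        raise ValueError("not a TCF v2 string")
    field = bits[PURPOSES_OFFSET:PURPOSES_OFFSET + PURPOSES_BITS]
    return {i + 1 for i, bit in enumerate(field) if bit == "1"}


def added_consent(issued, observed):
    """Purposes claimed in the observed string that the issued one never granted."""
    return consented_purposes(observed) - consented_purposes(issued)


def build_sample(purposes):
    """Constructed test input: version 2, zeroed metadata, the given purposes."""
    bits = f"{2:06b}" + "0" * (PURPOSES_OFFSET - 6)
    bits += "".join("1" if p in purposes else "0" for p in range(1, 25))
    bits += "0" * 24  # legitimate-interest flags, all unset
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


if __name__ == "__main__":
    issued = build_sample({1, 7})            # what the consent popup recorded
    observed = build_sample({1, 3, 4, 7})    # what a partner later presented
    print("issued:  ", issued, sorted(consented_purposes(issued)))
    print("observed:", observed, sorted(consented_purposes(observed)))
    print("purposes added downstream:", sorted(added_consent(issued, observed)))
```

Nothing in the string itself is signed, so a comparison like this only works for a party that kept its own record of what was issued.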

This has been a long-standing problem with TCF, but neither its architect (IAB Europe) nor the companies (consent management platform) in charge of collecting this consent were responsible. The decision changes that. It concludes that the IAB Europe is a data controller, making it liable for consent fraud and the transmission of user data – even if the commercial body does not collect and process any data itself.

And therein lies one of the most controversial parts of the IAB Europe decision. It does not believe it is a data controller under the GDPR. So much so, in fact, that the question is whether to mount a legal challenge to prove that this is not the case.

“I wonder a bit if this means that the major international standards organizations (like the W3C) will in future also be held responsible for personal data structured and defined in their protocols,” said Jochen Schlosser, chief technology officer at ad tech vendor Adforms. “Downstream, I believe there are discussions to be had now, there are mitigations that will be made (obviously). , will find the right actions to make the TCF evolve towards what the regulator requires.”

The IAB Europe has two months to find these actions before they are submitted to the main regulator of the decision, the Belgian Data Protection Authority. If approved, the trade body has an additional six months to achieve this, after which a fine of €5,000 ($5,651) per day will be imposed if they have not resolved the issue.

Looking ahead, the trade body is adamant: TCF can be saved. Time will tell if that’s true.

A statement from IAB Europe read: “Notwithstanding our serious reservations on the substance of the decision, we look forward to working with the ODA on an action plan to be executed within the mandated six months that will ensure the continued usefulness of the TCF on the market. As previously communicated, it has always been our intention to submit the framework for approval as a transnational GDPR code of conduct. Today’s decision would appear to pave the way for work to begin.”

Some ad executives remain cautiously optimistic that a solution can be found given the stakes.

“When the dust settles, I’m sure everyone will see this as a very positive day for the programmatic industry,” said Dan Larden, head of UK at digital media consultancy TPA. “The TCF and Open RTB framework has been scrutinized by European lawmakers and there are finally clear and precise answers on what is needed to ensure that the way data is collected and shared about individuals complies with the modern standards of today privacy standards.”

The timing of the decision surprised some within trade bodies helping to manage the industry through the torrent of legal challenges that have ravaged the digital media industry since the GDPR came into effect in 2018.

IAB Europe notified its members of the DPA’s decision and its subsequent consultation process with sister EU DPAs in November. Speaking at the time, a source with knowledge of the legal challenges facing the TCF told Digiday that they expected some debate between the various DPAs, so much so that a final decision would only materialize in mid-2022.

However, decisions, like patents, are only as good as the ability to enforce and defend them. And some worry that there are too many nooks and crannies for bad actors to hide in the complex ecosystem that is ad tech.

Some doubt that governments have the resources to oversee the ad-tech middle layer of the digital media ecosystem, while others point to the task forces tasked with designing privacy-compliant industry frameworks as a key source of the problem.

“Technology, in general, has always been a game of cat and mouse, it’s nothing new, and right now [with the latest TCF ruling] it just plays out in higher courts,” Lockr CEO Keith Petri said.

“When you look at working groups, there’s a lot more participation from ad tech platforms versus key stakeholders [advertisers and publishers], and no one even thought about consumers.”
