IAB Tech Lab unveils new working group to tackle evolving consent frameworks

The IAB’s conference also takes place as the trade org seeks to address flaws in how the flow of user data through the middle layers of the industry is communicated to the public after rulings from the enforcers of EU privacy laws put the industry on notice last week.

The Rearc continues

The PETs Working Group, an IAB Tech Lab project, forms part of Project Rearc and will draw on technologies currently employed by the insurance and financial industries used to maximize data security and minimize the use of personal data.

IAB Tech Lab is currently inviting data scientists, developers and security systems engineers across its membership to collaborate on using advanced cryptography, plus other privacy-enhancing tools to develop new means of ad targeting and user tracking. 

Shailley Singh, IAB Tech Lab’s svp of product, told Digiday the working group will look to build upon earlier agreed-upon means of data usage such as “seller defined audiences” plus other “aggregated attribution” methods.

“We’re looking at next several other use cases like measurement and attribution and how to further make privacy inherent in the transactions itself,” he added. “And how do you ensure that the user’s personal information is not revealed to any party while at the same time you’re able to execute the [marketing] use cases while maintaining addressability.”

Presently IAB Tech Lab is inviting members to participate in the working group with the trade org also soliciting input from third parties such as academics that specialize in researching the use of digital technology.

The input of Big tech players, the likes of whom will absorb more than 50% of all ad spend this year, will be key if the working group’s proposals are to scale significantly. In conversation with Digiday, Singh mentioned how the group will look to build upon anonymization proposals from players such as Microsoft, called PARAKEET, as well as others.

“We’ll be using cryptographic [methodologies] to enable parties to come together and understand the data without actually knowing an individual user’s information,” he added. Speaking with Digiday in September, the recently appointed IAB Tech Lab CEO Anthony Katsur spoke of his vision on how the trade org holds the dual roles of supporting how business is conducted by establishing tech standards while also “dealing with the regulatory and compliance issues.”

Conversations around TCF need to be had

Many conversations on the latter issue will be had at the IAB’s ALM this week. In particular, last week’s ruling from the Belgian data protection watchdog that deemed the online ad industry’s Transparency Consent Framework — a means of articulating the intricacies of programmatic advertising to the public to garner their consent — fell short of GDPR’s requirements.

IAB Europe, the chapter of the trade org that was subject to the ruling, now has two months to find a remedy plus an additional six to roll it out with several sources approached by Digiday expressing their opinion this effectively meant that the writing is on the wall for TCF.

For many, the media industry will have to go right back to the drawing board with conversations set to take place at ALM this week representing a crucial first step in this journey.

Although, as the subsequent outpouring of feedback from industry players this week demonstrates (see the Twitter post below from the IAB’s executive chairman Randall Rothenberg) the “impenetrable” wording of GDPR, not to mention the fragmented privacy landscape in the U.S. spreads confusion.

https://twitter.com/r2rothenberg/with_replies

Several sources told Digiday that over the last week publishers have been consulting their peers asking if they now have to delete all the data they collected using TCF since 2018. Meanwhile, some fear that the outcome will be that advertisers will further concentrate their ad spend in the industry’s walled gardens.

Rob Beeler, founder of Beeler.Tech, an outfit that helps publishers organize their online monetization strategies, told Digiday that a significant issue with GDPR is that it doesn’t allow for much “nuance”. He added, “The problem is the concept of privacy is simple to a consumer – they want privacy – but complicated for any company (ad tech or not)- to respect and still use data.”

In an emailed statement, Mathieu Roche, CEO of ID5, said the latest ruling from Belgium’s data protection authority, known as the APD, wasn’t necessarily the end of TCF. Instead, it will just mean that those with a “looser position on privacy” will have to be squeezed out.

“The only topic that is clearly off limit is the TCF ‘v1’ setting that allowed for a ‘global consent’,” he said. “Any personal data collected under this framework should be deleted … It is worth noting that the IAB had anticipated that and has deprecated this version in September 2021. So, it is unlikely that much data will be affected by this measure.”

He continued, “This means no more legitimate interest, no more ‘data collection’ [by] CMPs with consent for themselves checked by default, a more secure approach to creating transparency consent string to avoid spoofing them, etc. All good things that some of us have been pushing for, but that the IAB has been reluctant to build into the TCF to avoid alienating parts of its constituency.”

The IAB’s ALM runs from February 7-10; Digiday will report on the conference’s proceedings.