‘Like an atomic bomb’: So what now for the IAB’s GDPR fix after regulator snafu?

The guardrails the ad industry erected to maintain its compliance with Europe’s wide-ranging data protection law aren’t able to actually do so, according to data protection watchdogs — led by the Belgium Data Protection Authority. The consequences of this ruling could throw a significant wrench in how data is collected — and who is responsible for fixing the issue.

Furthermore, those guardrails, known as the “Transparency & Consent Framework” (TCF), were found by the watchdogs to be unlawful.

Simply put, the popups asking people for consent whenever they land on a site are illegal.  

That means all data collected via those popups from more than 1,000 companies including Google and Amazon must be deleted as a result. Nixing it all presents massive logistical and technical challenges, like how to verify the data and whether the data is actually deleted.

Needless to say, advertisers, publishers and everything in between will need to assess their reliance on the framework immediately. Being as many of those businesses paid IAB Europe for this utility, it could put the trade group in an awkward position.

So it will be interesting to see if — and to what extent — they try to indemnify the trade body for costs involved and damages incurred, said Ruben Schreurs, group chief product officer at Ebiquity.

The ramifications of this ruling are monumental.

Take retargeting, for example. Large swathes of it could be illegal if ads run on sites where TCF is employed. The level of precise engineering and quality assurance needed to fix issues like this would be unprecedented. Not least because data gained from TCF is ubiquitous to the point where it’s woven into the very fabric of the online ad market. Any revamp of TCF means industry-wide overhauls to the way advertising works across the European Union corner of the web.

The truth is no one really knows what this means right now. It’s not even clear if the regulators will be able to enforce their own ruling. One thing is certain though: the big tech platforms will be ok with whatever happens given their outlined terms to users. When someone logs into those platforms they’re also consenting to data being shared unless otherwise specified. Publishers don’t have that luxury. The way to get consent to use someone’s data for advertising was via the TCF more often than not.

“This is an atomic bomb for so many things related to online advertising,” said Rob Webster, chief strategy officer at media consultancy Canton.

Why regulators decided TCF ran afoul of the General Data Protection Regulation:

Fails to ensure personal data are kept secure and confidential; Fails to properly request consent, and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by the online advertising tracking; Fails to provide transparency about what will happen to people’s data; Fails to implement measures to ensure that data processing if performed in accordance with the GDPR; Fails to respect the requirement for “data protection by design”

There’s a lot here to unravel, but essentially it comes down to this: the TCF is a coded character string that contains all relevant information on a person’s decision on whether or not they want to be tracked, and by who. It does not allow someone to block their data from being shared.

The consent string is sent alongside all the other user data that’s normally shared by a publisher to an ad tech vendor ahead of an ad running. It essentially functions as a signal of sorts for other companies to know whether or not they can use the data. It can’t actually block anything happening to the data, regardless of if a person has given their permission for it to be shared.

In other words, TCF relied heavily on good actors and the industry’s desire to be compliant. Not everyone was. Otherwise, consent string fraud, where ad tech vendors alter parts of the consent string to appear as though they have user consent more than they do, would not be rife.

It’s a long-running issue with TCF, but neither its architect (IAB Europe) or the companies (consent management platform) tasked with gathering that consent were on the hook for it. The ruling changes that. It concludes that IAB Europe is a data controller, which makes it responsible for consent fraud and user data transmission — even though the trade body does not collect and process any data itself.

And there lies one of the more contentious parts of the ruling for the IAB Europe. It doesn’t believe it’s a data controller in the eyes of the GDPR. So much so, in fact, that it’s weighing up whether to mount a legal challenge to prove it isn’t.

“I wonder a bit if that means that large international standardization organizations (like the W3C) will in the future also be held responsible for personal data that is structured and defined in their protocols,” said Jochen Schlosser, chief technology officer at ad tech vendor Adform. “Downstream, I believe there are some discussions to be had now, there are some mitigations which will be made (obviously). I am confident that the experts in IAB, from a protocol as well as from the privacy side will find the right actions to evolve TCF towards what the regulator is asking for.”

The IAB Europe has two months to find those actions before they’re submitted to the ruling’s leading regulator — the Belgian Data Protection Authority. If it’s approved, then the trade body has a further six months to make it happen, after which a fine of €5,000 ($5,651) per day will be dished out if it hasn’t fixed the problem.

“When the dust settles I’m sure everyone will see this as a very positive day for the programmatic industry.”
Dan Larden, head of U.K. at digital media consultancy TPA

Looking ahead, the trade body is adamant the TCF can be saved. Time will tell whether that’s true. 

An IAB Europe statement reads, “Notwithstanding our grave reservations on the substance of the decision, we look forward to working with the APD on an action plan to be executed within the prescribed six months that will ensure the TCF’s continuing utility in the market.  As previously communicated, it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct. Today’s decision would appear to clear the way for work on that to begin.”

Some ad execs remain cautiously optimistic a resolution can be reached given what’s at stake.

“When the dust settles I’m sure everyone will see this as a very positive day for the programmatic industry,” said Dan Larden, head of U.K. at digital media consultancy TPA. “The TCF and Open RTB framework has been run over with a fine-tooth comb by European lawmakers and there is finally some clear and precise answers on what is needed to ensure that the way data is collected and shared on individuals is compliant with today’s modern privacy standards.”

The timing of the ruling surprised some within the trade bodies helping to steward the industry through the torrent of legal challenges that have hectored the digital media industry since GDPR came into effect in 2018.

IAB Europe notified its membership of the APD’s ruling, and its subsequent consultation process with sister-DPAs across the EU, in November. Speaking at the time, a source with knowledge of the legal challenges TCF faces told Digiday they expected a degree of debate among the various DPAs, so much so that a final ruling would not materialize until mid-2022.

However, rulings, like patents, are only as valuable as the ability to enforce and defend it. And some fear there are too many nooks and crannies for bad actors to take cover in the complex ecosystem that is ad tech.

Some doubt that governments have the resources to police the digital media ecosystem’s middle-layer of ad tech while others point to the working groups charged with devising privacy-compliant industry frameworks as a key source of the problem.

“Tech, in general, has historically been a cat and mouse game, this is not new, and right now [with the latest TCF ruling] it’s just playing out in higher courts,” said Keith Petri, CEO of Lockr.

“When you look at the working groups there’s a lot more participation from ad tech platforms compared to the main stakeholders [advertisers and publishers], and nobody’s even thought about the consumers.”

Sign up to get the day’s top stories at 6am eastern.