The industry’s attempt to create a standardized framework for compliance with the General Data Protection Regulation has been overhauled to better satisfy the needs of publishers, consumers and the law itself.
Until now, Google had pledged its commitment to joining the Transparency and Consent framework, but not in its current form. The deadline for its integration had been pushed back so many times, some industry executives had begun to fear the tech giant had other plans. However, the Internet Advertising Bureau Europe and IAB Tech Lab have released the second version, and Google has stated it expects to be integrated by the end of next March.
“In line with the IAB Europe timeline, we expect to integrate with TCF 2.0 shortly after the switchover from TCF 1.1 and when 2.0 goes fully live, which we currently understand as by end of Q1 2020,” said Chetna Bindra, senior product manager for user trust, privacy and transparency at Google. “We will provide greater detail on our integration approach in the coming weeks.”
Many ad executives have long speculated that the longevity of the TCF would depend on whether Google joined. Until it does, ad tech vendors and media agencies are still buying and selling ads using different consent strings provided by the IAB TCF and Google’s own versions, creating interoperability and resource headaches. “It’s much easier for media buyers if they only have to read and ingest one type of [consent] string,” said Stevan Randjelovic, brand safety manager for EMEA for GroupM.
The second version is the fruits of 12 months of continuous discussion and planning between more than 55 organizations including publishers, media agencies, ad tech businesses, 10 national IABs and nine meetings with data protection authorities from across Europe. There is no official number of publishers that have joined the framework due to the fact it’s their consent management platforms that sign up to the TCF. But major publishers including Axel Springer, The Guardian and The Telegraph have all been actively involved in the steering group discussions, according to sources close to the situation, along with publisher trade bodies such as the European Publishers Council.
“It’s a positive development for both publishers and their ad tech vendors,” said Angela Mills Wade, executive director of the EPC. “V2.0 provides the granularity publishers need in order to remain compliant under GDPR, and the flexibility to present consent requests as they wish.” This version will be an attractive option for many publishers, she added.
The revised version has been centered around improving how publishers communicate to users how they’re using their data, to ensure consent requests are clearer, and users properly informed. It’s also been geared toward giving publishers more control over how their ad tech vendor partners can use their data — and for what purposes. Now, users can deploy a right to object if a business is using the legitimate interest (opt-out) basis, just as easily as revoking consent. Vendors will be assigned a signal from the publisher CMP that specifies when that vendor has been disclosed to the user as being able to process the publisher data on the basis of having a legitimate interest, for ad targeting purposes, and when they can’t.
Due to the wide interpretation of GDPR, publishers have gone for a wide mix of approaches to gaining consent, some very light touch, others far more conservative. Meanwhile, publishers that rely on open marketplace inventory for a large chunk of their digital ad revenue have been criticized for overloading consumers with legal jargon and top-heavy consent messages which list hundreds of ad tech vendors consumers aren’t likely to recognize. As such, doubt has been cast over whether users are actually giving informed consent or whether they understand how their data is being used and by whom. To improve that, TCF 2.0 includes standardized messaging templates that offer both legal-language and user-friendly language versions. The user can have access to both the legal and user-friendly versions. The legal version is mandatory, the user-friendly version optional. Which type publishers use will vary by publisher, but the overall effect should at least go some way to cleaning up the current mess of different consumer messages on sites.
Much of the discussions over the last 12 months with the steering group has been around agreeing on an appropriate level of granularity of purposes for which data can be processed. The second version of TCF includes 12 purposes (the current one has five), and two special features. The purposes are related to online ad delivery such as profiling, content and ad measurement. The special features are additional controls added for geo-location data and for fingerprinting. These features also require an extra layer of consent. For instance, not all purposes for processing data — like ad targeting — will use geo-location data. But if they do, that has to be clearly disclosed to the user.
One of the core new additions to the TCF is a stack of some 38 different variation options, though these will likely be whittled down to between five and 10 in time by publishers, according to IAB Europe CEO Townsend Feehan. Publishers can choose from these options which purpose and vendor stack they want. For instance, they can select which vendors they would allow to carry out data processing for purposes such as ad measurement and targeting, and which they wouldn’t. But the vendors that wouldn’t be allowed to use data for those purposes may be allowed to for other purposes. Publishers can pick and choose, but it must all then be relayed to the consumer clearly in the consent messages.
“It’s a way of trying to layer the information so people can better assimilate what they’re agreeing to,” said Feehan.
The first version of the TCF has attracted fierce criticism from across the media industry, with critics lambasting the fact that the framework exists as a vehicle by which bad practices and misuse of personal data by ad tech businesses can be protected under GDPR. Privacy activists have for some time lobbied that real-time bidding — the mechanism by which ads are bought and sold programmatically on the open exchange — is incompatible with GDPR. On June 20, U.K. data protection authority the Information Commissioner’s Office released a report that pulled up the TCF as not being fully compliant and highlighted concerns over the volume of ad tech vendors involved in digital ad transactions as well as the leaky nature of digital ad trading.
There are some who still believe that the TCF has exposed brands and publishers to legal hazard, and the second version does nothing to solve the underlying issues of RTB in which data leakage is a given. “RTB is a massive data breach,” said Johnny Ryan, chief policy and industry relations officer at browser Brave. “That means it fails the GDPR at the first test. It also means that consent is not possible because nobody can say where the data in question will end up or what will happen to them.” If there is no protection of the data, then consent is irrelevant, he added.
Yet the IAB Europe and IAB Tech Lab remain confident that the TCF 2.0 will help render RTB compatible with GDPR. “The intent is to allow RTB transactions to be GDPR compliant,” said Dennis Buchheim, evp and gm at IAB Tech Lab.
However, especially sensitive data — called special category data under GDPR — such as sexual orientation, ethnic origin, political views, isn’t ever likely to be compatible with GDPR. The ICO has recently stated that this cannot be used in ad bid requests without explicit consent. That a business could get a user to give informed and explicit consent to that kind of data being used for ad retargeting is highly unlikely, according to ad executive sources. In fact, it’s better to avoid altogether.
The TCF does not support the processing of this special interest category data, nor the gaining of explicit consent in order to do so. Some businesses may choose to flout that, but it would be at their own risk. “It would be very challenging to get explicit consent to work under GDPR for RTB purposes,” said an executive at a major agency holding group who requested anonymity. “GDPR isn’t just about direct data but also data that allows you to infer that a person is, for example, bi-sexual. It would be too challenging to cater to that [in the TCF].”