Publishers and ad tech vendors may finally have reached a compromise on what an industry standard for GDPR compliance looks like.
For the most part, publishers are happy with the latest version of the IAB Europe’s Transparency and Consent Framework (TCF), the trade body’s attempt to create a standard for compliance with the General Data Protection Regulation for the online ad industry. The framework, whose first iteration was rejected by publishers for being biased toward ad tech companies, has been overhauled to appease publisher gripes around controls and to encourage Google to adopt it.
The new version took a year to develop, involving around 80 executives from publishers, agencies and ad tech vendors.
One of the biggest areas of contention has been around how data processors like Google and other ad tech vendors, can use publisher user information. The current version of the framework has five definitions for how vendors can use that publisher information, which publishers criticized for being too vague and at risk of being too broadly interpreted by vendors.
Version 2.0 has 12 purposes. Two are related to fraud protection and security, and the technical delivery of ads. These can’t be controlled by users. The remaining 10 purposes — relating to online ad delivery such as profiling, content and ad measurement — can be. Users can opt in or out of those, either individually or as a stack of choices that are grouped together.
Another important update: Legitimate interest has been better accommodated at the request of publishers. Now, users can withdraw their consent and opt out of legitimate interest should they wish to. Vendors will be assigned a signal from the publisher CMP that specifies when that vendor has can process the publisher data on the basis of having a legitimate interest, for ad targeting purposes, and when they can’t.
The framework will be open for public comment for 30 days. But publishers already seem pleased with the results. Not having a unified consent process has wreaked havoc on the user experience. The hope is that should this version be universally accepted, users may finally start to see a much-needed uniformity of consent requests on publisher sites.
“If Google were to join the TCF, it would solve a lot of problems for us and allow us to get consent in a single unified way,” said an executive at a major U.K. publisher. “The level of detail is good and enables the user to make a clearer decision on consent without being overwhelmed.”
The TCF has also been altered in a way that appeases concerns Google and other ad tech vendors had — also over the purposes for how data was used. At one point, Google was at odds with publishers over how specific the purposes needed to be. While publishers have argued for more granularity of control on purposes, vendors like Google wanted the parameters for the purposes to be more flexible, according to sources. For instance, publishers believe personalization should be a separate purpose from ad selection and delivery. But the counter-argument is that there should be one purpose for methods that are intertwined, such as ad delivery and measurement. Also, that overkill on the granularity of purposes would confuse users.
Supposedly, all sides are now content with the result. While some executives believe that the new version will encourage further publisher adoption, others predict most will wait to see if Google confirms its integration. They won’t want to waste the expense of altering their own GDPR strategies only to find that Google Ad Manager won’t synchronize with the framework. “No one will move until Google is in. Version 2.0 won’t stand for much without Google,” said Dan Wilson, CEO of London Media Exchange.
“Google is committed to integrating with v2 and will announce timing soon after v2 is finalized,” said a Google spokesperson.
Google’s integration would likely solve a lot of issues that have been created for both publishers vendors. “Hopefully, this [Google signing up] will lead to increased yields as buyers move to find more consented users,” said the same publishing executive.
Getting GDPR-ready has been a costly business for nearly everyone. PriceWaterCoopers’ latest survey showed that GDPR budgets had topped $10 million for just under half of the 300 companies interviewed.
Media agencies also welcome a unified approach. “As buyers, we want an industry solution that reduces friction for us,” said Stevan Randjelovic, brand-safety manager for EMEA at GroupM, who led the discussions around the agreement on the purposes. “If there is friction, it requires more resources and time to do things.”