Publishers are wary of the latest attempt to standardize GDPR compliance

Illustration of a blimp that has the letters GDPR on the side.

After August 15, publishers will be asking people for their consent to gather data to show them ads again, as the revamped version of the Internet Advertising Bureau Europe and IAB Tech Lab’s Transparency and Consent Framework kicks in.

TCF 2.0 is the industrywide attempt to standardize the media industry’s compliance under the two-year-old General Data Protection Regulation. The first version was criticized for overly favoring ad tech companies, which make up a chunk of the IAB’s members.    

For the last two years, trade bodies and steering groups have created a more palatable version of the first framework that suits more stakeholders. Due to roll out in March, the IAB extended the deadline to August so companies hamstrung by coronavirus could get organized. Here’s an update on the progress.

The purpose of the framework is to standardize how businesses —  publishers, ad tech vendors and agencies — can continue running programmatic advertising on the open exchange in a way that is compliant with GDPR. The updated version has been improved, particularly in giving more clarity around how data processors, like Google and vendors, can use publisher user information.

Google’s involvement, like all publisher and platform partnerships, is both a boon and causing some consternation.   

As Google controls so much of the ad market, having it join TCF is key to the framework’s success. But publishers are still keen for more details on how exactly this will look while the clock is ticking down.

“The main problem for us is the IAB and Google haven’t actually agreed how they will work and Google joining was the main selling point,” said one publishing executive. “Google’s policies are shifting faster than a gearbox in a Formula 1 car so it is hard to work out how that side of compliance looks.” 

German media company Axel Springer and Nordic group Schibsted are irked by Google seemingly dictating how others should process data, allegedly using its strength to push on what was initially agreed in the framework to suit its own needs.   

“We should not be having our compliance dictated by a vendor, no matter how big,” said the first publishing executive. 

Google, and IAB Europe, maintain the tech giant is working within the confines of the framework. Like any other vendor or publisher, Google can set any contractual terms that it likes,” said Filip Sedefov, legal director at IAB Europe. “[Google] would probably do that with or without TCF,” he said. “It’s a fake idea to think that TCF would reinforce that position in any way.” 

Vendors using the out-of-date framework after August 15 — although there is a grace period until September 30 — would be potentially flirting with GDPR non-compliance.

For the second version, consent strings — which represent the permissions the vendor needs to use data — contain more elements and segments about that user than the first iteration. Vendors need updated information on user consent to be processed. 

For publishers who are ready for the deadline, they will have to ask for consent again, but it’s unlikely to lead to a drop in consent and so a drop in revenue from ads that can’t be targeted, according to sources.

Currently, 460 vendors are operational on TCF 2.0, about 80% of vendors. Roughly 600 vendors signed up to the first iteration. Sedefov is confident they will in time but it’s causing some vexation among publishers. The question, come August, will be whether publishers cut vendors, throttling supply, if they haven’t switched over.

“Ad tech players aren’t quite ready for it,” said a second publisher. “All publishers are getting ready.” It’s true that publishers and consent management platforms have to do less development than vendors. Vendors have to do more development work than publishers to make sure they can receive and read the right signals.   

“DSPs and SSPs could indeed be a risk towards the deadline,” said a former publisher, “since they have to technically ‘digest’ all the tracking pixels, which are to be passed on from publishers to advertisers, and vice versa.”

Europe’s patchwork of different regulatory boards and data protection authorities make standard implementation difficult and local interpretations likely. 

“Not a lot of DPAs seem to have a deeper knowledge of the details TCF will be providing,” said the former publisher. “There’s more work for IAB Europe and the local IABs to do.”

More in Media

Immediate deepens CMP strategy, slashes ad tech partnerships for sharper data governance

Consent management platforms at Immediate aren’t just about ticking boxes for data laws.

Teads’ M&A rumors are firming up with a deal to merge with Outbrain

The latest installment of ad tech M&A activity is leaving some industry folks surprised.