Ad businesses have become more jittery about compliance to the General Data Protection Regulation since the U.K. data protection watchdog fired its warning shot to the ad-tech sector at the end of June, according to ad executive sources.
The Information Commissioner’s Office even pulled up the only industry-wide attempt to standardize the media industry’s compliance in its report: the Internet Advertising Bureau Europe and IAB Tech Lab’s Transparency and Consent Framework. But regardless, the trade bodies have spent the last 12 months overhauling the framework to make it more palatable for a wider set of media businesses than the initial version.
“Internally, we’re increasingly worried about the regulator coming down hard in the next six months,” said an executive at a major publisher. Meanwhile, agency legal teams have been particularly pretty strung out over the last few months, according to multiple agency executive sources.
Here’s a primer.
What is TCF 2.0?
It’s a revamped version of the original framework launched in 2016. The purpose of it is to standardize how businesses — publishers and ad tech vendors predominantly, but also agencies — can continue running programmatic advertising on the open exchange in a way that is compliant with GDPR.
Why was it revamped?
Simply put, publishers hated the first version. Given such a large proportion of the IAB Europe’s members are ad tech vendors, the general consensus among publishers was that the first iteration of the framework was too biased toward what would be beneficial for ad tech vendors and no one else. It has been reworked to cater to publishers’ needs, with far fewer loopholes for ad tech vendors to exploit. Google has also committed itself to joining the TCF by the end of next March.
Is that a big deal?
Yes. Without Google, the argument for integrating with the TCF, which is quite resource-intensive, was far thinner given how much of the ad market Google controls. Until now, vendors have had to struggle with interoperability issues by using two different sets of guidelines and rules and how consent signals are transmitted to digital ad supply partners, known as consent strings. There was one set of rules issued by IAB Europe, and the other by Google which has taken a conservative approach to compliance. However, some publishers are nervous that Google’s integration will lead to it somehow dictating terms for them in the future.
So people like this version?
Yes and no. Views on it are mixed, though there is general recognition that it is far better than the original version, while most also accept there isn’t much of an alternative given it’s the only industry-wide attempt at a standard. It’s just that many publishers and agency executives — not to mention privacy activists — question whether the TCF can actually protect anyone. A core reason being that these are guidelines that companies are told to adhere to. But there is no actual policing. The ICO will end up doing that where feasible. That means, even if the TCF states that ad tech vendors can’t misuse data such as personally sensitive information within programmatic bid requests, without explicit consent from that user they have no way to enforce it or oversee it.
Is it even possible to police?
Given the hundreds upon hundreds of ad tech vendors in the digital ad supply chain, it is surely impossible to police data leakage in any meaningful way. Many in the industry believe the IAB is wrong to assert that the TCF can solve everyone’s GDPR headaches, but also that it helps protect the current ad tech status quo, rather than encourage the rooting out of bad practices that have dogged the industry for years. Naturally, the IAB’s position is that the TCF will at least get everyone on the same page as to what compliance can look like.
So what will the TCF be a success?
The jury is out on that. For starters, its take-up will depend on Google. There isn’t likely to be a stampede of additional publishers or vendors and agencies integrating with it until Google has done so. Multiple ad tech and publisher executive sources have admitted as much. The fact a good proportion aren’t even fully integrated with the first version, given the technical resource it takes to do so, it won’t be clear whether the TCF will be a rip-roaring success for some time. Perhaps even more importantly, the ICO hasn’t yet blessed the new version, and it’s unclear whether it will. The regulator recently criticized the first version, so there will be a lot of interest around whether it publishes a direct response to the second version and deems the new additions to the framework GDPR-compliant.