A decision on guardrails to help the ad industry gain consent to track people across the European Union was meant to leave everyone with no doubts about one thing: whether the tracking and profiling of people across the web by a swarm of vendors is legal. Instead, it’s done anything but unify opinion.
But first, a recap: earlier this month, the Belgian Data Protection Authority said the way large swathes of the ads industry tracks people for advertising is unlawful under the General Data Protection Regulation. That’s because the Transparency & Consent Framework (TCF) the IAB Europe developed to standardize how someone’s consent for targeted advertising is collected and managed is neither transparent enough about what happens to that data nor does it secure it all properly.
Simply put, the news is a headache to anyone whose ability to precisely target people with ads online across Europe has been reliant on consent gained via TCF. Yes, the IAB is appealing the Belgian regulator’s decision, but TCF remains unlawful to use it today.
In the short term, this will mean that data gained from the framework must be deleted, which will affect targeting, profiling and reach. In the longer term, the consequences are far bigger. This data has, after all, been gathered since May 2018 so could ultimately affect what’s been collected and processed over the past four years. Not to mention the fact that cross-site tracking and targeting will be dampened. Think about it: companies can no longer collect someone’s data for advertising purposes without their consent because this ruling has decided that legitimate interests (more on that here) can not be a legal basis for processing it.
The industry’s reaction?
Panic: marketers are bracing themselves for a reduction in targeting data and reach as a result of TCF being unlawful to use to gather the consent needed to facilitate real-time bidding on impressions. It’s a logistical quagmire for marketers — one that’s made all the trickier because the regulators aren’t entirely on the same wavelength.
Of the 30 data regulators across the EU that Digiday contacted, four responded. All those responses said the same thing: the Belgian data regulator has acted as the lead authority in this case, but its decision reflects views that are widely shared among its counterparts across Europe.
Some, however, like the Danish and Dutch regulators are being more assertive in getting that message across. The Dutch regulator, for example, has urged local publishers to look for alternatives to the large-scale tracking and targeting of users across the open web after coming to the conclusion that it is unlikely the IAB Europe will be able to contort the TCF far enough to comply with the GDPR.
“A lot of the behavior of web publishers and online advertisers in the EU is already contrary to the GDPR (and the U.K. GDPR) so I don’t think this Dutch guidance (if that is what it is) changes anything greatly outside the Netherlands,” said Nigel Jones, co-founder of data protection specialist Privacy Compliance Hub and is an ex-Google lawyer. “It does, however, put pressure on Dutch web publishers to look for alternatives such as relying on contextual advertising rather than behavioral advertising.”
Belgian media business DPG Media, which is also active in the Netherlands and Denmark, is weighing up whether to do just that. It’s considering abandoning TCF in favor of pursuing ads aimed primarily at logged-in visitors to its sites.
According to Stefan Havik, digital development director at DPG Media, there isn’t anything “intrinsically wrong” with the TCF system. To him, it’s a “basic foundation” for a standardized protocol to collect and distribute consent. The issue is how it enables the broadcasting of consumer data to a fragmented ecosystem, he added: “The IAB has little to do with the amount of companies a media business puts in that framework. It’s up to everyone else to act responsibly.”
Not everyone shares this view. And therein lies the problem. Now more than ever publishers should have a united perspective on how the industry goes about tracking their readers in the future. But the commercial realities of running a media business in the current climate make it hard to reach a consensus on anything including TCF.
Those divisions run deep if the messages in an industry Slack channel are anything to go on. Commercial execs from some of Europe’s biggest titles scrambled there after hearing TCF had been put on notice, said one of the channel’s members on condition of anonymity.
Some weren’t surprised, the exec continued. They’d long surmised that tracking people had become an irresponsible and unacceptable business practice. Others, however, were caught off guard, the exec continued; then that confusion quickly turned into a hope that the industry can find a legal way to continue tracking people at scale regardless of its unprecedented complexity.
There are reasons to wonder
A transformation of this kind would saddle IAB Europe with significant new costs since it requires the development and ongoing operation of a technical accountability infrastructure, said Ratko Vidakovic, founder of ad tech consultancy AdProfs. And the requirements for this apparatus, particularly around the need to “guarantee the integrity and confidentiality of the TC String,” could be a very tall order, if not impossible, given how the OpenRTB ecosystem functions today. Radical changes would be required of both the TCF and the OpenRTB standards, he continued.
“Such changes would be a significant undertaking as these technologies underpin the entire industry,” said Vidakovic. “But it may be necessary to ensure the survival of RTB in Europe.”
No surprise some ad execs are of the opinion that it’s time to move on.
“We must be very clear about the real issue here, which is large scale and ungovernable third-party data addressability on the open web,” said Ruben Schreurs, group chief product officer at Ebiquity. “The current OpenRTB ecosystem that underpins this is not fit for purpose under the contemporary regulations, as it allows large numbers of indirect vendors to obtain and transact huge amounts of personal data in a highly opaque environment.”
To the likes of Schreurs, tracking someone’s behavioral data has run its course — at least at the industrial level where thousands of companies were accessing troves of personal data bereft of any robust checks and balances. Remember, it’s not like audience targeting has always worked exactly as it’s been sold as by various businesses across the market.
Privacy and data protection must take center stage now, according to marketers like Shenan Reed, senior vp, head of media for L’Oréal. That doesn’t mean well-informed and compliant ways to add relevance to advertising will cease to exist — far from it, said the marketer at the IAB’s Annual Leadership Meeting last week. Media owners at the same event echoed that sentiment. In fact, Vox Media’s CEO Jim Bankoff told attendees that his business would find a way to generate ad income whilst putting their audience’s rights first.
“This could be ground zero for advertising in terms of how we rebuild it in a more privacy-conscious way,” said Thomas Lue Lytzen, director of sales and ad tech at one of Denmark’s biggest news publishers Ekstra Bladet. “We, the ad ecosystem, didn’t want to accommodate the concerns of lawmakers and regulators and give up on anything when we could’ve perhaps traded cross-site profiling and targeting in for the advertising funnels of frequency capping, measurement and verification. That may be hard for some to accept, but as long as there are elements of profiling and targeting across the web you will have privacy experts arguing that this is unlawful.”
Put another way: the likes of Bankoff and Lue Lytzen believe the way they’ll be able to monetize media will be less about collecting as much personal data as possible to inflate the value of their inventory and more about selling content data that helps advertisers understand how someone is interacting with content so that they can be in the right place, at the right time with the right message. This way publishers, potentially, avoid all the complications of managing consent.
Viable as these solutions may be, none of them have much chance of success without the backing of advertisers. As it stands it’s not clear what they will do. They’ve not exactly been vocal with their opinions in the days since TCF’s future was cast into doubt. Otherwise, the Irish Council for Civil Liberties, which brought TCF’s issues to the regulators in the first place, wouldn’t have sent an open letter to the CEOs of P&G, Unilever, AT&T, BoA, Ford, GM, IBM, and Mastercard demanding they stop consent spam and delete data obtained via the framework. Not that their silence is a surprise. The situation is, ultimately, a delicate one as evidenced by the IAB Europe’s response.
“It may also seem incoherent that on the one hand, IAB Europe has announced that it will appeal the decision but on the other, it has begun working on the ‘action plan’ requested by the APD [Belgian regulator], said a spokeswoman for the trade body in an emailed statement. “In fact, these two things are perfectly compatible. While IAB Europe disagrees with a number of the substantive findings in the Decision, it is clear that some of them – for example, whether the definitions of the data processing purpose definitions can be drafted in a way that is clearer and easier to understand – are things that reasonable people can disagree about and that we should be open to trying to improve.”