The way advertisers profile, target and reach people online across the European Union is on the precipice of change — it’s just not clear how much. Regulators have said the way the industry gathers and then uses someone’s data to power large-scale addressable advertising on the open web is unlawful. They argue the safeguards erected by the industry to ensure that someone’s data is protected while it’s being used for advertising aren’t up to scratch.
The implications of this decision are not only long-term; they also have immediate spillover effects on advertisers, publishers and the ad tech vendors between them. There are, however, two sides to every story, and this one is no exception. The online ad industry, or at least the trade body that represents its interests in Europe, holds very different views on advertising and its many intersections with privacy. In fact, the trade body is legally contesting the decision.
Digiday caught up with IAB Europe’s CEO Townsend Feehan to get her take on the future of those guardrails, also known as the Transparency & Consent Framework.
The responses have been provided by email following a background briefing with Digiday.
Explain the decision to appeal the Belgian DPA’s decision? Moreover, what is actually being appealed?
The decision is an administrative one, meaning that the authority that issued it (the Belgian DPA) both conducted the investigation and issued the final ruling. It is subject to appeal in the Belgian Markets Court. IAB Europe was given 30 days to lodge an appeal, meaning we have until March . On February , IAB Europe announced that it would appeal the decision (see statement here). Our petition will dispute the APD’s findings that IAB Europe acts as a controller for the recording of TC Strings — which are not personal data — and as a joint controller for the dissemination of TC Strings and other data processing done by TCF participants under the OpenRTB protocol.
It will also challenge assessments of the validity of legal bases established by the TCF that were done by the APD in the abstract, without reference to the particular circumstances surrounding any discrete act of data processing. Certain other findings and remedies arising as a consequence of IAB Europe’s alleged controllership and joint controllership will likely also be challenged. The appeal will include a request for suspension of the execution of the decision, which was immediately applicable on publication.
Has the Belgian DPA given any guidance on when a formal response to the appeal will arrive?
The timeline for submission of the action plan runs independently of, and is not impacted by, the lodging of the appeal. IAB Europe has two months — until April  — to submit the action plan. The Markets Court will consider the request for suspension separately from the appeal “on the merits.” Our information is that there may be a decision on the request for suspension within a few weeks of its being lodged, but as the application for suspension may not be successful, we need to work according to the orders and timelines laid down in the decision. As a reminder, the timeline is two months (until April 2) to submit the action plan; some period of time after that (undefined) for the APD to review and approve the plan; then six months for IAB Europe to implement the plan.
A ruling on the merits by the Markets Court could happen late this year or potentially even next year.
Taking a step back, what’s your reaction to the ruling itself?
In a way, it was surprising that the Authority felt it needed to pursue an enforcement action — which made it imperative to find IAB Europe to be a data controller of something — rather than issuing policy guidance on the substantive content of the TCF. A policy discussion from the get-go would have saved a lot of wear and tear and avoided major unintended consequences that will inevitably arise from the current Decision’s broad interpretation of the notion of [the] controller.
How do you see the ruling with regards to the legality of the OpenRTB system? Some would argue that the writing is on the wall in terms of large-scale third-party addressability on the open web being unlawful given the noises from regulators?
The basic paradigm of the GDPR is that users have information and transparency about data processing that companies want to do, and they make choices based on that information/transparency. Those choices are revocable, and a range of other consumer rights are laid down in the law (right to erasure, right to access to data, right to correction, etc.). It is perfectly possible to operate under the OpenRTB protocol in a way that complies with the GDPR — publishers need to ensure they disclose the data controllers that might process their readers’ personal data for advertising purposes and comply with the Regulation’s requirements when making those information disclosures, and vendors need to ensure that personal data is only shared with, and processed by, vendors who have a GDPR legal basis to do that processing. The current TCF already requires that users’ personal data only be shared with vendors that have a GDPR legal basis for collecting and processing this data. If the TCF Policies are followed, the personal data of website visitors will only be collected and processed by vendors whom the visitors have explicitly authorized using the TCF UI. And the TCF is the best way to ensure the information disclosures are made in a way that meets the GDPR’s requirements.
The TCF was not conceived only for OpenRTB, but it is indeed the way that OpenRTB can be done in a compliant way, which is precisely why it has attracted the attention it has. If you are trying to promote an alternative way of targeting, delivering and measuring digital advertising, then one way to do that is to attack the best-practice standard that best enables a legally-compliant use of OpenRTB.
The TCF does not mandate the use of the full Global Vendor List, contrary to what is suggested in the APD Decision. Publishers are free to use as many or as few vendors as they wish. The TCF can also be used by publishers to obtain user agreement (establish a legal basis) for their own data processing.
What’s the IAB Europe’s advice to the market now, given that TCF is ‘currently unlawful’?
The ruling was directed to IAB Europe, and not to any individual commercial stakeholder (publisher, vendor, CMP, advertiser) that actually implements the TCF. It foresees a period of two months for the development of an action plan that delivers the additional functionality requested by the APD and a further period of six months for actual delivery of that plan, once the APD has approved it. We have a small, cross-ecosystem taskforce working on developing the plan, but we intend to keep the market informed at regular intervals (probably weekly or biweekly), both on development of the plan and on interactions with the APD on it once we have drafted it. The whole industry needs to lean into this process of defining what TCF v3 — which should ultimately be approved as a GDPR Code of Conduct – looks like, and where we are able to make changes with respect to legal basis and UI aspects and continue to operate to enable digital advertising to fund the open web.
Industry players who are concerned about legal risk following the issuing of the Decision need to look at their own practices in light of its findings. TCF is a minimum standard that currently delivers the rather narrow functionality of helping first parties establish a GDPR legal basis (and ePrivacy consent) for the processing of personal data and accessing of users’ devices by third parties for the purpose of digital advertising and content personalization. It does not prevent publishers, vendors and advertisers from taking other measures to comply with the whole waterfront of obligations laid down in the GDPR. Publishers that wish to already reflect the APD findings in their practices could consider removing legitimate interests as a legal basis for profiling and provide supplementary information disclosures about the types of personal data that may be processed for advertising. The APD finds the definitions of the data processing purposes in the TCF to be both insufficiently granular and insufficiently concise – publishers could elect to provide additional wording to supplement the legal and “user-friendly” definitions that are laid down in the TCF Policies.
Why doesn’t TCF need to be radically redesigned to be lawful both re how it works and how it’s used to support OpenRTB?
The APD ruling makes clear that what the APD wants is more TCF, not less — they want the TCF to deliver a broader range of compliance functionality, including ensuring wholesale GDPR compliance of all TCF vendors. What needs to be in the action plan is essentially an extension of the Framework, and a more thorough-going harmonization of the information disclosures (the Decision speaks of “forcing” CMPs to use “uniform” information disclosures). The APD seems to want to see data processing purpose definitions that are both more granular and more concise. They are also seeking limitations on the use of the legitimate interests legal basis. As explained on the phone, it is unclear from the Decision whether the aim is a full ban on the use of legitimate interests or just a ban on the use of legitimate interests for profiling.
The IAB Europe states that there hasn’t been clarity or guidance when it comes to what is and isn’t permissible in terms of how consent is gathered and what it is used for as it pertains to tracking and profiling?
I am not sure where we said this — I think that what I evoked during our call was the lack of clarity on foundational concepts such as controllership and the definition of personal data. These concepts are sufficiently ambiguous in the Regulation that several years of socializing the TCF with more than a dozen European DPAs — in some cases in multiple meetings — never surfaced the idea that IAB Europe was a controller or the TC String in and of itself was personal data, both of which are positions the APD has taken in its recent decision.
This said, in relation to consent, there is a lively debate on how the various attributes of valid consent – “unambiguous”, “specific”, “informed” and “freely-given” — are to be interpreted. I would be happy to discuss this more offline. As I think I did indicate when we spoke, it is still unclear whether the term “freely-given” is to be interpreted as conferring a general entitlement in law to access to valuable digital content at no cost and without advertising.
How do you view the follow up statements from the Dutch and Danish DPAs?
The decision is addressed to IAB Europe and only binds IAB Europe. It could be relied on by new complainants bringing new complaints in relation to specific acts of processing by specific publishers or vendors, but those cases would then need to be picked up by DPAs. This seems unlikely during the remediation period laid down in the decision, most notably because so many DPAs seem to have been consulted on the decision (more than 25) and are at least indirectly bought into the timelines laid down in it.
Editor’s note: since the interview took place, the Danish DPA has confirmed in a mail to Danske Medier, the IAB Europe’s Danish member association, that it is prepared to give the media industry and other stakeholders using the TCF framework an appropriate period of time to implement necessary adjustments and solutions in the light of APD’s decision. It has made it clear that this would not preclude their processing complaints that may relate to (other) issues linked to the TCF framework.