Interactive Advertising Bureau Europe has launched a new version of its controversial guidelines that have embroiled the adtech industry in a General Data Protection Regulation data-breach investigation.
Two months ago, the UK data watchdog, the Information Commissioner’s Office, called out the IAB’s Transparency and Consent Framework for being “non-compliant” under GDPR, Europe’s data privacy law.
The latest launch comes after months of consultation and is unlikely to satisfy the long-term requirements of the ICO, which has urged the adtech industry to reform the way internet user data was being collected and stored through real-time bidding.
Critics have blamed the TCF, released in March 2018 on the eve of GDPR being enacted, for being inadequate in ensuring user consent in the way programmatic ads are served via real-time bidding. RTB is an auction-based system that determines which ads are served to individual web users within a fraction of a second as they browse a web page. After a user lands on a web page, a bid request is pushed out to potentially hundreds of ad exchanges and a data profile about that user is broadcast.
Google, the world’s biggest advertising company and programmatic exchange, has pledged to adhere to “TCF 2.0” when it is expected to go live next year.
The IAB said TCF 2.0 offers three main differences:
- Increased and more “user friendly” detail on purposes: making standardised processing purposes more granular and user-friendly, and to provide some standardised flexibility to publishers in how they prefer to tell users about these purposes to their users. There are now 10 purposes (as opposed to five in the original TCF) and two “special purposes”.
- A “more complete accommodation” of the legitimate interests’ legal basis for processing personal data, including signalling whether a vendor’s legitimate interest has been disclosed and of a user’s “right to object”.
- Greater publisher controls, including more granular control over the purposes for which personal data is processed by a vendor (on a per vendor basis). A vendor can now register as capable of operating on multiple legal bases for the same purpose and allows publishers to declare which legal bases they prefer in order to work with vendors for that purpose. This allows vendors to more easily operate in different markets.
Chetna Bindra, Google’s senior product manager for user trust, privacy and transparency, said: “We welcome the announcement of the final terms of TCF 2.0. Google has collaborated with the IAB Europe and its members throughout this process.”
However, the updated TCF does not address the ICO’s concern over the way the open RTB process allows for “special category data” to be broadcast. This data comprises sensitive information about people’s religious beliefs, political opinions or sexual orientation.
Townsend Feeham, chief executive of IAB Europe, added: “The original TCF was launched to help a complex industry value chain manage their obligations under new regulations, notably the GDPR. With the number of constituents involved and disparate regulatory interpretations across multiple jurisdictions, it was essential that the evolution of the framework was handled sensitively, with the final specifications able to be adopted in a manner consistent with differing business models in a wide range of operational markets”.
But Johnny Ryan, chief policy and industry relations officer at tracking-blocking web browser Brave, told Campaign that TCF 2.0 does not solve the problems of RTB. Brave has been a leading complainant against RTB in 16 European countries.
He explained: “First, it is not possible to ask for GDPR compliant consent for RTB because RTB leaks what people are reading, listening to and watching to an unknown number of companies, who do unknowable things with it. Article 5 (1) [of the GDPR] requires that personal data must be protected and RTB does not do this. One cannot seek consent for a data breach.
“TCF 2.0 is being introduced because the IAB’s original framework was deeply flawed. As I noted back before it was released, and set out in the RTB complaint, it seriously infringed the GDPR. Publishers and advertisers trusted the IAB to provide guidance about the GDPR. It is now abundantly clear that this trust was misplaced. TCF 2.0 does not solve the problems of RTB.”
In an interview with Campaign this month, the ICO’s executive director for technology and information, Simon McDougall, warned that the reform of the RTB industry is “in the balance”.
The ICO has also been meeting the IAB Europe over the summer, following the release of the ICO’s Adtech Update Report in June. It is therefore likely that the regulator was broadly aware of TCF 2.0 before issuing its six-month notice period to the industry and is expecting stronger moves this year to make the industry GDPR-compliant.
Meanwhile, Mark Bembridge, chief executive of adtech platform Smartology, said TCF 2.0 is a “definite improvement”.
“TCF 1 was far too vague and this goes some way to adding the capability to adding more detail around vendors and CPMs. It’s interesting to see the addition of right to object for an end user’s perspective, which is a good step.
“I’m curious to see how it works in practice… is the end user really going to take the time to look at all the different vendors and make decisions around what they’re comfortable with?”
Ethan Butler, programmatic lead at Zenith, agreed it was a “step in the right direction”, adding: “We hope to see our clients’ confidence in RTB practices grow.”