A ruling on guardrails to help the advertising industry gain consent to track people across the European Union was meant to leave everyone in no doubt about one thing: whether tracking and profiling of people on the web by a swarm of providers are legal. Instead, he did anything but unify opinion.
But first, a recap: Earlier this month, the Belgian Data Protection Authority said the way large swathes of the advertising industry track people for advertising purposes is illegal under of the General Data Protection Regulation. Indeed, the Transparency and Consent Framework (TCF) developed by the IAB Europe to standardize how a person’s consent for targeted advertising is collected and managed is neither sufficiently transparent about what happens of this data nor does it properly secure it.
Simply put, the news is a headache for anyone whose ability to accurately target people with online ads across Europe depended on consent obtained through the TCF. Yes, the IAB is appealing the Belgian regulator’s decision, but the TCF remains illegal to use it today.
In the short term, this means that data obtained from the framework must be deleted, which will affect targeting, profiling and reach. In the longer term, the consequences are much greater. This data has, after all, been collected since May 2018 and could therefore ultimately affect what has been collected and processed over the past four years. Not to mention that cross-site tracking and targeting will be toned down. Think about it: companies can no longer collect a person’s data for advertising purposes without their consent because this decision decided that legitimate interests (more on this here) cannot be a legal basis for processing.
The industry’s reaction?
Panic: Marketers brace for reduced targeting data and reach due to illegal use of TCF to collect consent needed to facilitate real-time bidding on impressions. It’s a logistical quagmire for marketers — a quagmire made all the more tricky by regulators not entirely on the same page.
Of the 30 data regulators across the EU that Digiday contacted, four responded. All of these responses said the same thing: the Belgian data regulator acted as the lead authority in this case, but its decision reflects opinions widely shared by its counterparts across Europe.
Some, however, like the Danish and Dutch regulators, are more assertive in getting this message across. The Dutch regulator, for example, has urged local publishers to seek alternatives to large-scale tracking and targeting of users on the open web after concluding that the IAB Europe is unlikely to be able to to sufficiently deform the TCF. to comply with the GDPR.
“Much of the behavior of web publishers and online advertisers in the EU is already against GDPR (and UK GDPR), so I don’t think these Dutch guidelines (if that’s what they are) change a lot outside of the Netherlands,” said Nigel Jones, co-founder of data protection specialist Privacy Compliance Hub and former Google lawyer. “However, this puts pressure on Dutch web publishers to that they are looking for alternatives such as relying on contextual advertising rather than behavioral advertising.”
Belgian media company DPG Media, which is also active in the Netherlands and Denmark, is considering whether to do just that. It plans to abandon TCF in favor of advertisements aimed primarily at visitors logged into its sites.
According to Stefan Havik, director of digital development at DPG Media, there is nothing “intrinsically bad” about the TCF system. For him, this is a “basic basis” for a standardized protocol for collecting and distributing consent. The issue is how it enables the flow of consumer data to a fragmented ecosystem, he added: “The IAB has little to do with the number of companies a media company puts in that frame. . It is up to everyone to act responsibly.
Not everyone shares this point of view. And therein lies the problem. Now more than ever, publishers need to have a unified perspective on how the industry will track their readers in the future. But the business realities of running a media company in the current climate make it difficult to achieve consensus on anything, including TCF.
These divisions run deep if posts from an industry Slack channel are anything to go on. Trade officials from some of Europe’s biggest titles rushed there after hearing TCF had been put on notice, one of the channel’s members said on condition of anonymity.
Some were not surprised, the executive continued. They had long assumed that tracking people had become an irresponsible and unacceptable business practice. Others, however, were caught off guard, the executive continued; then that confusion quickly turned into hope that the industry could find a legal way to continue tracking people at scale, no matter how complex it was.
There are reasons to wonder
Such a transformation would impose significant new costs on IAB Europe because it requires the development and ongoing operation of a technical accountability infrastructure, said Ratko Vidakovic, founder of ad technology consultancy AdProfs. And the requirements for this device, especially around the need to “guarantee the integrity and confidentiality of the TC chain”, could be a very difficult, if not impossible, task given the way the OpenRTB ecosystem works today. Radical changes would be needed for both the TCF and OpenRTB standards, he continued.
“Such changes would be a significant undertaking because these technologies underpin the entire industry,” Vidakovic said. “But it may be necessary to ensure the survival of the RTB in Europe.”
No wonder some ad executives think it’s time to move on.
“We need to be very clear about the real issue here, which is the addressability of large-scale, ungovernable third-party data on the open web,” said Ruben Schreurs, group product director at Ebiquity. “The current OpenRTB ecosystem that underpins this is not fit for the purpose of contemporary regulation, as it allows a large number of indirect providers to obtain and process massive amounts of personal data in a very opaque environment.”
For the likes of Schreurs, tracking someone’s behavioral data has run its course — at least on an industrial level where thousands of companies were accessing troves of personal data devoid of any robust checks and balances. Keep in mind that audience targeting hasn’t always worked exactly as it has been sold by various companies in the market.
Privacy and data protection must now take center stage, according to marketers like Shenan Reed, senior vice president, head of media at L’Oréal. That doesn’t mean knowledgeable, compliant ways to add relevance to advertising will cease to exist — far from it, the marketer said at the IAB’s annual leadership meeting last week. Media owners at the same event echoed that sentiment. In fact, Vox Media CEO Jim Bankoff told attendees that his company would find a way to generate advertising revenue while prioritizing the rights of its audience.
“This could be ground zero for advertising in terms of rebuilding in a more privacy-conscious way,” said Thomas Lue Lytzen, director of ad sales and technology at one of the largest news publishers. from Denmark, Ekstra Bladet. “We, the advertising ecosystem, did not want to address the concerns of legislators and regulators and give up anything when we might have been able to trade cross-site profiling and targeting for ad funnels of capping, measuring and frequency check. This may be hard for some to accept, but as long as there are elements of profiling and targeting on the web, you will have privacy experts who will argue that it is illegal.
Simply put: people like Bankoff and Lue Lytzen believe that the way they can monetize media will be less about collecting as much personal data as possible to inflate the value of their inventory and more about selling content data that helps advertisers understand how someone interacts with content so they can be in the right place at the right time with the right message. This way, publishers potentially avoid all the hassles of managing consent.
As viable as these solutions are, none of them have much chance of success without the support of advertisers. As it stands, it’s unclear what they will do. They haven’t exactly voiced their opinions since TCF’s future was thrown into doubt. Otherwise, the Irish Council for Civil Liberties, which took TCF’s issues to regulators in the first place, would not have sent an open letter to the CEOs of P&G, Unilever, AT&T, BoA, Ford, GM, IBM and Mastercard demanding they stop consent spam and delete data obtained through the framework. Not that their silence is a surprise. The situation is ultimately delicate, as evidenced by the response from IAB Europe.
“It may also seem incoherent that on the one hand IAB Europe has announced that it will appeal the decision but on the other has started working on the ‘action plan’ requested by the DPA [Belgian regulator], a spokeswoman for the trade body said in an emailed statement. “In fact, these two things are perfectly compatible. While the IAB Europe disagrees with a number of the substantive conclusions of the decision, it is clear that some of them – for example, the question of whether the definitions of the purposes of data processing can be written more clearly and easier to understand – are things that reasonable people may disagree about and that we should be open to trying to improve.