As IAB Europe fights against GDPR-related complaints, Teavaro's Nico Pizzolato discusses the organisation's role as so-called "road builders" who cannot be held responsible for the actions of those using its protocol.
Remember those days, about a year ago, when in the build-up to the GDPR deadline, 25 May 2018, brands and marketing professionals wondered whether the brief, golden era of programmatic was swiftly coming to an end? Some in the ad tech industry freaked out, but the IAB (Interactive Advertising Bureau), which comprises hundreds of companies operating in digital advertising, kept their cool and devised a system that, they claimed, was compliant with the new law while allowing companies to target users in a similar way to before, based on a prima facie consent. They saved the day.
IAB’s Transparency and Consent Framework (TCF) – widely adopted – created a system that enabled publishers to funnel data down the third-party supply chain. That framework signals user choice – regarding consent about the processing of their data – to companies down the chain, who in turn bear co-responsibility for respecting such choice under the terms of the law.
This month, when controversy erupted over the legal compliance of its OpenRTB, the IAB stated that they were only road builders, who could not be responsible for drivers parking illegally or breaking speed restrictions. The power of the metaphor lies in the suggestion that the protocol is a mere infrastructure, neutral to the actual intentions of the companies using it. This metaphor is under strict scrutiny, now that, as reported in specialised and mainstream media, in Poland, UK and Ireland stakeholders have launched lawsuits against the OpenRTB.
The complainants are a mix of commercial companies (such as ad-blocking browser Brave), researchers, and privacy advocacy groups -- in themselves a cross-section of the coalition that has been questioning the compatibility of programmatic in relation to privacy protection. They argue that the way consent is collected is insufficient, as the protocol allows the inference of user data about health, ethnicity, politics and religion that fall into GDPR’s hyper-protected ‘sensitive data’ category. They argue that the content taxonomy the protocol uses to allow brands to find out the context in which their ads are displayed gives away too much. This annotated content taxonomy highlights the categories particularly troubling. By stitching this data with IP addresses, cookies or device IDs, companies can easily fall foul of the law, under the shield of the vast number of actors involved, meaning they cannot be easily detected. The complainants have used IAB’s metaphor against them, claiming that the protocol is akin to a private road with its own rules, and that those rules infringe the law.
No doubt considerations about legal challenges will feed into the new version of the TCF that will soon be released. This second version is boosted by Google’s support, as the tech giant has finally accepted the sign on, chased by its own legal troubles over lack of valid consent. Just a year ago Google was said to consider TCF’s adherence to GDPR dubious, like “a pool with a tiny bit of bleach, where it might look totally fine but you actually only need a few parts per million to be dangerous”, but in the past year the two organisations have worked out ways to address their differences in terms of control of privacy and definition of “legitimate interest” under the GDPR.
When it appeared, TCF seemed a logical move for an industry that worked within the paradigm of third-party cookies and data. It was a conservative response that reformed the system, without moving forward to a new vision of how digital advertising could work in a privacy by design context. TCF’s second version is a way to prolong that vision, but customer preferences and court rulings threaten that future. And with Google on board, the road builders of privacy control might be embarking on managing a highway – the metaphor just got bigger.