The six-month anniversary of the GDPR implementation date was last week, so we feel it is a good time to look back on the landmark privacy law and its effects on ad tech. Here are some observations and learnings since May 25, 2018.
Publisher adoption of the IAB Transparency and Consent Framework (TCF) remains low
The TCF’s stated goal is to “support global and service-specific consent for all parties in the digital advertising chain.” For those that adopt it and agree to its terms, the TCF provides clear, auditable visibility and control over the collection and transmission of Personal Data in the EU.
Today, there are over 500 registered vendors in the framework, which signals positive adoption from within the ad tech supply chain (vendors can be SSPs, DSPs, DMPs, measurement/fraud/verification companies, advertisers, and more). However, there are still many publishers that have not adopted the framework.
- It was released too late. The TCF was finalized and released to the public on April 25, 2018 — only one month before the implementation date of GDPR — and was available for public comment only about a month before that. This tight deadline did not give publishers the time they needed to properly evaluate and implement the TCF from a legal and technical standpoint before the implementation date, so solutions they utilized in lieu of the TCF are still in effect in many cases. Saying it was “released late” is less of an excuse today than it was right after the implementation date, but it still has some validity.
- The TCF does not provide a good solution for the many publishers operating on legitimate interest as a legal basis for processing. To help with legitimate interest, the IAB released a solution called publishers.json, which allows publishers to whitelist certain vendors to access Personal Data. However, adoption of publishers.json is even lower than the TCF. Publishers operating on legitimate interest simply don’t see the need to adopt this solution and generally aren’t being pressured to do so by others in the ecosystem.
- The TCF still doesn’t work in some environments. For example, there is no CMP or specification to accommodate connected TV environments. Why would a publisher undergo the effort to implement a CMP when it doesn’t work across all of their environments?
- Google hasn’t joined the TCF. Despite allusions that they would join the TCF by August 2018, Google does not appear any closer to joining. Google has indicated that they are still negotiating with the IAB on some definitions and that they wish to join. However, until they do, many publishers are forced to operate under multiple frameworks — which reduces the incentive to join an otherwise “industry-accepted” solution.
- The recent ruling by the Commission Nationale de L’informatique et des Libertés (CNIL, the French Data Privacy Authority) called into question the legality and the implementation of the TCF, which may give some pause. On the other hand, it is possible to read the ruling as an even greater impetus to adopt the TCF since it ruled on a very high bar for consent that makes it difficult to imagine a way to acquire and transmit consent throughout the supply chain without the TCF. Read the response to the ruling from the IAB here.
The jury is still out on consent vs. legitimate interest as the legal basis for processing
As previously mentioned, many publishers are still relying on legitimate interest as their legal basis for processing, rather than consent. Of course, they are still collecting consent for cookie-setting under the ePrivacy directive, but requirements and implementations of this vary country to country.
In general, we observe legitimate interest as the primary legal basis in Germany and the Nordic region, despite a German Data Privacy Authority suggestion that consent may be preferred. Everywhere else, we see consent as the primary legal basis — with the most strict interpretation in the Netherlands.
Even so, legitimate interest is a gray area compared to consent and will require either additional guidance or a court ruling before the industry can be confident in its ongoing utility. For example, can an use legitimate interest to justify frequency capping? One would think so, since it has obvious benefits to the user.
What about other ad tech activities, like fraud verification, measurement, or audience targeting? This will have to be judged on a case-by-case basis, given that a company’s distance from the data subject may have some bearing on the “balancing test.”
When will we get some case law for guidance?
Until the French ruling, there were few GDPR rulings that substantively addressed concerns in ad tech. Even more challenging is that the recent ruling was released only in French and didn’t get picked up by major news media until days or weeks after it was handed down. How are industry players supposed to learn from and follow the rules if they aren’t well publicized?
Although the major players were sued overnight on the GDPR enforcement deadline, nothing has publicly come of these lawsuits. No entity wants to be tangled up in a long and costly case, and we certainly do not wish that upon anyone. However, until there is precedent and case law supporting nuances and interpretations of the law, it will still remain a gray area and the industry won’t reach consensus on how to properly handle and protect Personal Data.
Where is ePrivacy?
The ePrivacy Regulation is draft legislation that is currently bouncing around the EU Trilogue. It is meant to update the existing ePrivacy Directive (in place since 2002 and updated in 2009) governing electronic communication.
By making it a regulation, all EU member states must follow the law and do not have the same rights to adjust or apply it in their local jurisdiction as they do with a directive. This should reduce confusion and increase harmony across the EU.
Initially, it was thought that the ePrivacy Regulation and GDPR would be effective at the same time. However, due to a number of reasons, including a “changing of the guard” in the lawmaking institutions in the EU, it might not come into effect until 2020 — if ever.
The specter of ePrivacy creates uncertainty that makes it difficult for publishers and ad tech vendors to plan long-term. For example, initial drafts of the ePrivacy Regulation forbid “cookie walls” and require informed consent for just about any ad tech behavior. However, recent feedback seems to have weakened these stances and may even allow for some form of legitimate interest.
Impacts right here in the U.S.
Data breaches have brought data protection to the forefront of U.S. politics and kitchen table discussion in recent months. GDPR is proving to be a testing ground for data protection policy, and it seemed only a matter of time before the U.S. adopted more robust privacy protection.
This summer, California passed a new law called the California Consumer Privacy Act of 2018 (CCPA), which we wrote about here. Given California’s market power in the U.S. and general consumer sentiment, we expect a federal law to eventually come to the U.S.
A major challenge for this effort is that lawmakers appear to be completely disconnected from any understanding of the modern ad-supported business model — as was captured plainly in the now infamous “we run ads” exchange between Facebook CEO Mark Zuckerberg and Sen. Orrin Hatch during Zuckerberg’s testimony earlier this year.
It has been a whirlwind six months since the GDPR enforcement date. Moving forward, we expect industry consolidation around standards and legal bases, additional case precedent to help clarify ambiguity, and more privacy laws around the globe like the ePrivacy Regulation and the CCPA.
This article was written by Eric Shiffman, product marketing manager at SpotX.