Privacy group’s accusations against IAB Europe question ‘the bedrock upon which programmatic is built’

This week a group of privacy advocates took a shot at the Interactive Advertising Bureau (IAB) Europe, claiming that the industry trade group knew in advance that real-time bidding (RTB) was not compatible with Europe’s General Data Protection Regulation (GDPR). IAB Europe vehemently denies the charges.

IAB Europe is a non-profit membership organization that provides guidelines and standards for digital marketers. Its Transparency & Consent Framework (TCF) is considered the industry standard for consent collection under GDPR. Open RTB is an IAB Tech Lab protocol through which advertisers bid against each other for impressions.

What happened. Johnny Ryan, chief policy & industry relations officer for open-source browser Brave, along with a group of international privacy activists, filed new evidence with data authorities in the UK and Ireland that they say proves that IAB championed RTB for the industry knowing it wasn’t “compatible with consent under GDPR.”  The group also includes Jim Killock, executive director for the Open Rights Group, Michael Veale, a researcher at University College London and Panoptykon Foundation CEO Katarzyna Szymielewicz.

From Johnny Ryan’s Twitter feed | February 20, 2019

Key to the group’s complaint is a letter IAB Europe wrote in 2017 that says in part: “As it is technically impossible for the user to have prior information about every data controller involved in an RTB bidding scenario, programmatic trading, the area of fastest growth in digital advertising spend would seem, at least prima facie, to be incompatible with consent under GDPR …”

From the complaint:

“The new evidence, taken from Google and IAB (an industry rule-setting body) documents, shows that the online ad auction system broadcasts highly sensitive data about web users. This occurs hundreds of billions of times a day. There are no technical controls to prevent thousands of receiving companies who receive these data from monitoring what every person on the web reads, watches, and listens to online.”

What IAB said. “These claims are not only false but are intentionally damaging to the digital advertising industry and to European digital media that depend on advertising as a revenue stream,” said Helen Mussard, marketing & business strategy director, IAB Europe.

Mussard said that when IAB Europe made the statement about RTB’s incompatibility with GDPR it was true, but that has changed.

“In the years since this statement was made, IAB Europe has worked with its members — making up a cross-section of the media and advertising industry — to offer solutions to this challenge by developing and releasing the IAB Europe TCF in April 2018,” Mussard said.

“The TCF provides a way to provide transparency to users about how, and by whom, their personal data is processed. It also enables users to express choices. Moreover, the TCF enables vendors engaged in programmatic advertising to know ahead of time whether their own and/or their partners’ transparency and consent status allows them to lawfully process personal data for online advertising and related purposes,” Mussard said, adding that the TCF “demonstrates that real-time bidding is certainly not ‘incompatible with consent under GDPR.'”

“The complaints lobbed against OpenRTB and the TCF take the view that their inherent incompatibility with the law stems from a hypothetical possibility for personal data to be processed unlawfully in the course of programmatic advertising processes. This hypothetical possibility arises because neither OpenRTB nor the TCF are capable of physically preventing companies using the protocol to unlawfully process personal data. But the law does not require them to,” she said.

Why you should care. Nine months after GDPR has gone into effect, it’s still unclear how it has affected marketers in the U.S. and abroad, particularly in the area of consent. Earlier this year, France’s data authority slapped Google with the first big GDPR fine — $57 million for not properly disclosing required information to users or validly obtaining their consent. Google has not yet signed on to the TCF, but says it plans to later this year when the framework is updated.

Susan Wenograd, account group director at Aimclear, said the case is crucial for marketers “because it’s essentially questioning the bedrock upon which programmatic is built.”

While privacy concerns in closed environments such as Facebook can be more contained, “programmatic is a different beast,” said Wenograd, “and it also deals with a different group of constituents. Now we’re talking about  data that is housed by a third party, which is then bought by an advertiser, and it’s used in the blink of an eye on hundreds of thousands of web properties.”

“The recent complaint in the UK and Ireland highlights a couple of issues with enforcing GDPR in programmatic: how the information is obtained and used, and who has the onus of getting consent when the party collecting the data isn’t the one using it,” she added.

Randy Frisch, CMO of content experience platform Uberflip, said it all boils down to trust.

“With consumers often making a split-second decision on whether or not they trust marketers before divulging their personal information, it’s crucial that marketers show they are worthy of responsibly and safely handling their data out of the gate,” Frisch said. “If marketers want to get their audiences to consent to having their activity tracked, they will need to create and deliver a meaningful and personalized experience —  proving that they are worthy of being trusted.”