The General Data Protection Regulation (GDPR) and its impact on Real Time Bidding (RTB) in Europe has been a hot topic and will continue to be as the ecosystem evolves under the lens of recently invigorated market regulators. In this two-part article for ExchangeWire, Lloyd Greenfield (pictured below), senior client partner at The Programmatic Advisory, examines the impact of an increasingly rigorous consent interpretation on the Real Time Bidding (RTB) ecosystem.

Firstly, in part one, the industry’s current approach to consent – the Transparency and Consent Framework – is examined, and how greater compliance can be encouraged is discussed.

Getting Ready for GDPR Day

Lloyd Greenfield, Senior Client Partner, The Programmatic Advisory

The arrival of GDPR put new legal requirements on organisations for handling and processing personal data. Cookies were included in this definition of 'personal data' which meant the RTB ecosystem (largely reliant on the sharing of personal data in the form of cookies and IDs) faced scrutiny for the way it processed this personal data.

The RTB ecosystem, with the guidance of IAB Europe, set out to reform the way it facilitates the collection and processing of personal data. This cross-industry effort concluded with The IAB Tech Lab’s release of the Transparency and Consent Framework for RTB on 25th April 2018. The framework allowed user consent (now recognised as the only legal means of processing user data for advertising and analytics purposes) to be passed and recognised by stakeholders in the ecosystem. In theory, it could help websites move away from non-compliant notices, to a legal solution that is connected to the RTB ecosystem.

Criticisms with TCF 1.0

TCF 1.0 provided specific guidance – in time for implementation – ahead of 25th May 2018. While being a good step in the right direction (and infinitely better than nothing), it came under criticism. The reasons for this were five-fold:

1. The DaisyBit, which contains an 'anonymised' consent profile, has enough information to identify an individual.
2. Consent information can be shared with everyone in the ecosystem. Even if they can’t use it, the framework shares the information with businesses that users have not consented to.
3. Consent requests for multiple purposes were often grouped together and not compliant.
4. It did not cater for legitimate interest as a basis for processing personal data.

Moving to TCF 2.0

The IAB has taken the constructive criticism from the industry on-board and made a number of improvements to the framework. In the most recent update to the Transparency and Consent Framework, TCF 2.0:

• Users can now exercise their right to object to data being processed.
• Publishers can also restrict the purposes for which personal data is processed by vendors on the site on a vendor-by-vendor basis.

 
Google have now also committed to adopting the TCF by March 2020 which helps to standardise the industry’s effort to be compliant.

Not only this, IAB Europe have stated that it “has continued its close-working relationship with the ICO and is confident this update to the TCF will allow companies to adopt a GDPR-compliant approach to RTB within the UK”.

The spread of non-compliant consent is still a challenge

Despite the recent update, in its current form, the RTB framework does not allow RTB stakeholders to validate the consent that has been sought and non-compliant consent can very quickly spread across stakeholders in the ecosystem.

Validating consent is important because as some data collectors in the ecosystem today are not compliant with GDPR. Although the amount of non-compliant consent that is powering personalised advertising is currently unknown, I have a strong feeling that it is significant. Think about the percentage of consent forms you’ve seen across websites: how many of those provided genuine choice or even just clear information on how your data will be processed?

The example below is a common implementation of consent management that goes some way to provide information on how user data is processed. However, the way it has been implemented means that it does not offer the user an opportunity to reject consent for all purposes as easily as the opportunity given to accept. Consent provided through this form may be deemed invalid by a regulator.

Improving how we gather consent – from carrot to stick?

Many critics point to perceived gaps in the framework as a fundamental barrier to improving consent gathering. However, this overlooks the problems that stem from three main groups of stakeholders within the ecosystem using the framework:

• Firstly, those that do not have a strong enough incentive, currently, to ensure the collection of fully compliant user consent.
• Secondly, those that simply do not yet have a full understanding of data protection legislation.
• Finally, those that do not have the resources to implement the required changes.

 
I believe the IAB recognises the need for a compliant ecosystem, and the need to constantly improve their framework to enable this. The framework enables stakeholders in the ecosystem to be compliant, while ensuring that they should not be held accountable for its misuse. To analogise: Are car manufactures held accountable when drivers break the speed limit?

So, if the carrot doesn’t work, will the stick? The European data protection authorities (DPAs) will need to start allocating fines to ad tech firms that are actively in violation of GDPR and I think they’ll do just that. A large fine from the ICO (or equivalent DPA) would be the catalyst for significant change in the industry. The implementation of Consent Management Solutions would start to look very different from what we have today, and we’d see a scramble, like pre-25th May 2018, from those that have been slow to react.

The example below is a good example of a Consent Management Platform implemented to provide information on the data collected and gives clear choice on the purposes for how that data is processed. Consent is freely given as the user needs to click into each purpose. It also displays the specific cookies dropped for each purpose however does not give the user a choice to disable specific providers. It’s a good step in the right direction.

Consent is a critical aspect of a compliant RTB ecosystem; and in the current ecosystem this could be tighter. In part two, we’ll look at the impact of a tighter consent framework on the ecosystem.