Earlier this month, IAB Europe released its latest comprehensively updated ‘Guide to the Post-Third-Party Cookie Era’.
The Guide has been developed by experts from IAB Europe’s Programmatic Trading Committee and Post Third-Party Cookie Task Force. It provides the latest insights into the many alternative solutions that are being developed to replace third-party cookies when they are depleted in 2023, including context, identity, the use of telco data, and the Google Topics initiative, and expands into new challenge areas including measurement and attribution.
So, what is included in the latest guide and what do you need to know about the post third-party cookie world today?
We caught up with some of the members of IAB Europe’s Programmatic Trading Committee who contributed to the guide to share their thoughts and expertise.
Q&A with:
Tanya Field, Co-Founder & CPO, Novatiq
Piper Heitzler, Head of Growth, EMEA, Amobee
Alex Berger, Senior Marketing Director, Buy-Side Products, Adform
Q1. Since the last updated version of the guide was released in February 2021, what changes have you seen, and what have been the biggest developments?
Piper - “Well, I’ll start with the obvious. On June 24th, 2021, the advertising and ad tech industries let out a sigh (of relief?) when Google announced a two-year delay in phasing out the third-party cookie phaseout. That shift in time frame has allowed the P3PC guide to evolve into a comprehensive mini textbook of the identity market, rather than being a short-term assessment of what marketers should do immediately. There’s been a ton of growth from existing and new players, which means marketers now have a buffet rather than a tasting menu to choose from; all of which are detailed in the guide.”
Alex - “When the guide was first written, there was a big open question pending over what the solution that replaced third-party cookies would be. That began to take shape in 2021, and now this year the industry has a series of functional and proven solutions which are well on their path to implementation. The focus and educational piece about how first-party IDs are perhaps the single biggest solution is a significant addition. There’s also great added clarity around key definitions surrounding things like different types of identity.”
Tanya - “Over the past year, the depreciation of cookies and Mobile Advertising IDs has gathered pace, and the first major impacts of this shift have been registered. One of the more significant news items in this respect include Google’s announcement that it will extend its Privacy Sandbox to its Android Advertising IDs. This is a significant blow to publishers, who are still reeling from Apple’s decision to make its Identifier for Advertisers opt-in. The latter’s move has already had significant consequences, causing a combined £315 million drop in market value for companies like Meta Platforms, Snap, Twitter, and Pinterest, which rely heavily on mobile advertising revenues. In this climate, IAB Europe’s Guide is more relevant than ever.”
Q2. What is your take on what the industry has developed over the last 12 months? Are we any closer to having solutions in place the end of 2023?
Piper - “In short, it’s been a year of extremes. On one end, the industry has developed even more proprietary platform experiences for investment teams – which is fragmenting the media buying experience to a nearly equal degree that consumers’ experience content across screens and platforms – but on the other, there’s been incredible collaboration between advertisers, data providers, DSPs, SSPs, and publishers to drive scale for cookieless ID solutions, which will ultimately allow the open internet to continue.
It’s safe to say that the media plans of tomorrow will require marketers to balance a world of walled gardens with independent ad tech stacks in order to drive combined performance and reach. And in general, having spent much time consulting agencies and brands over the past year(s), I am confident they are learning how to rebalance that pendulum swing more gracefully this time around.
Alex - “Absolutely. We’re now at a point where the leading tech providers have real, functional solutions live. There’s still a lot of functionality to be fleshed out, and key gaps to close/regulatory questions to navigate, etc. – but we’ve gone from the bleeding edge focusing on proof of concept, to a subset of industry leaders now being live with eg first-party ID solutions and fully operational while supporting scaled ad buys. At this point, there are also some fairly significant benefits for advertisers who choose to start embracing these solutions. Every advertiser should be asking their agency and adtech partners how to turn things on immediately, start testing, and come off the sidelines. There’s a temptation to sit and wait it out, but the time for that was 2021.”
Tanya - “As the depreciation of cookies gathers pace, the industry is responding with a range of options.
One of the biggest changes has been from Google, which has abandoned its Federated Learning of Cohorts (FLoC) proposal in favour of Topics for ad tracking, which determines’ web users interests from their short-term browsing history.
We have also seen new players enter the market with authenticated ID solutions, and probabilistic IDs that use AI to stitch together signals from the bid stream. However, neither offers a silver bullet to the industry’s dilemma. Authenticated IDs do not address users on the anonymous web and so will be unable to deliver audiences at scale, while probabilistic IDs will become increasingly inaccurate as signals disappear from the bid stream.
There are a range of options on the table. The full picture is still emerging, and we have yet to hear plans from major players like Apple. What is clear is that the industry still requires a solution that delivers scale. This could be either an alternative ID solution that covers both the authenticated and anonymous web, or a platform that enables interoperability between a range of IDs.”
Q3. ID solutions continue to come to the fore, how can stakeholders best identify and select partners?
Piper - This may seem like a very tactical answer, and keep in mind that I come from a technical Solutions Engineering background, but a humble matrix. The Post Third-Party Cookie Guide provides a breadth of description about ID solutions, much of which may be out of scope for someone’s current day-to-day job, but given the monumental shift that the deprecation of third-party cookies brings, it’s ever more critical to simplify what the past, present and future look like for a brand’s marketing strategy.
To create the matrix: collect any and all solutions (and KPIs!) that your brand uses today. Bucket those by how you capture user data versus reach users, then outline how that practice works today, and finally what effects may change the status quo. With that information you can align solutions from the Post Third-Party Cookie guide to those sections, rank each tactic based on its potential business impact, voilà, now you have a prioritised testing framework.
Alex - “I see a huge amount of confusion, and rightly so, between different types of ID types, ID solutions, and their market coverage. It’s quite clear that there won’t be one universal ID that takes it all. Instead, we’ll see a wide range of first-party IDs across technology providers, geographies, and solutions. This was one of the reasons that Adform opted for an approach that is fully ID agnostic, builds our own platform-based solution, and focuses on integrating with a wide range of IDs. Each ID solution provides different strengths and use cases. So, the conversation to take is much more about what are the benefits of the ID, how does it fit your geographic or media blend, and how does it scale alongside other IDs in your tech stack? It’ll also be very important to cut through the hype and look at who can provide actual data and real live solutions that work in the chaotic and often challenging fragmented adtech landscape.”
Tanya - “There are a broad range of factors that stakeholders will need to consider. First, to be effective the ID needs to be dynamic and able to operate in real-time to reach people at the right moment. Second, they need to be privacy-assured, ideally with patented technology and proven applications. Third, the ID should be interoperable with others and easy to integrate with intelligence sources and the adtech ecosystem. Security is also key. Stakeholders should check that the ID can enable safe data activation at scale. Above all, it is important that consumers feel comfortable giving consent for their information to be used in the ID. Here, finding an ID that is supported by trusted third-party organisations such as telecoms operators will be crucial. These organisations will be guardians of consent and they hold the key to achieving scale.”
Q4. Measurement and attribution are key challenges that have been highlighted in the latest edition of the guide. How do you think it can be possible to deliver effective attribution in a post third-party cookie world?
Piper - “In many organisations, the path of least resistance is to evolve with a degrading framework – for example, ad server and website analytics reports that have weakened to only cookie-supported browsers – rather than overhaul a brand’s entire measurement practice. However, as the proverb goes, “the best time to plant a tree was 20 years ago; the second best time is now”, well, now is the best time to re-evaluate what, why and how you measure each KPI. It is absolutely possible to develop effective measurement practices – which lead to reasoned attribution frameworks – and in the Post Third-Party Cookie Guide, marketers can evaluate the various experimental designs, panel-based strategies, publisher partnerships, and advanced analytics they can use to do so.”
Alex - “Attribution moving forward requires a bit of a mentality shift. It will take a while to be as effective as it was under third-party cookies. However, attribution and measurement aren’t in nearly as bad a shape as was initially feared and as a lot of stand-alone point solutions want folks to believe. What is required are more robust technology solutions that have strong connections. What I think we’re seeing is a lot of sub-par quality measurement and attribution in the old setup getting cleaned up/wiped out. That’s being replaced by measurement and attribution that’s a bit more technologically complex, but which delivers higher quality IDs with superior longevity. It’s also opening new opportunities. I know for our part at Adform, we are focused on making it a simple process, and we’ve really been able to bring back measurement and attribution to things like Safari and Firefox due to first-party IDs and the unique nature of our technology. So, it’s definitely a challenging period, but also exciting.”
Tanya - “In my view, it is only possible to deliver measurement and attribution at scale with a dynamic ID that can be carried through the programmatic ecosystem and into execution, while also being used as a point of reference that ties back to an obfuscated, semi-persistent ID that is held elsewhere. This approach enables brands and publishers to map back to a single user without knowing who that user is. This approach is not theoretical - it is already deployed in several markets today.”
Q5. What are your predictions for the future and how do you see solutions developing over the next 12 months?
Piper - "On a macro scale, the ad tech industry is at an inflection point of many intersecting trends, all of which are underpinned by the concept of “privacy-compliant data access at scale” and rely on either pseudonymous or PII data points. So my predictions are: retail media networks will explode in Europe, streaming services will continue to multiply in number through ad-supported models, and large companies will go on an acquisition spree to gain access to first-party data. In addition, identity-based solutions will be expected to perform cross-domain reconciliation in order to drive value for marketers and cookieless IDs that don’t support data onboarding will be deprioritised by those that do.”
Alex - We'll continue to see a filtering effect. Right now, almost everyone is understandably quite confused by a wild-west in ID solutions, potential fixes, technologies that are still barely proof of concept but “launched”, technologies that are live and rapidly evolving, and folks trying to figure out how to run a third-party cookie dependent business once they’re gone. I think we’ll see major sources of uncertainty such as the regulatory consent component resolve with solutions and more clear-cut guidance being established. I also think we’ll see more consistency in terminology and deeper understanding of which technologies use IDs, which IDs have legs, as well as how they end up getting bundled and used effectively. We’ll also continue to see scale and adoption accelerate. At Adform, we’re already seeing about 80% of top 1,000 publishers in most European markets send first-party IDs. This means the capability is there, and the volumes are ramping up. That’s great news for Advertisers as they look to buy and use platforms and technology that helps them achieve those goals without getting locked into a single ID solution, the walled gardens – which I expect will continue to fracture - or stand alone third-party engineered solutions.
Tanya - “I have three predictions for the year ahead. First, all IDs will become interoperable to deliver an all-encompassing solution for the digital advertising ecosystem. Second, there will be new entrants into the ecosystem from vertical markets as companies with large sources of first-party intelligence provide the underpinnings of new types of ID. Finally, consumer needs will be at the heart of new IDs and there will be a clear focus on direct consent and consent management. This is because nothing works without consumers and consumer confidence. Securing trust must be the starting point for the post-cookie world.”
Since the European Commission’s proposal for the Digital Services Act was first published in December 2020, the legislation has progressed at pace. The trilogue negotiations commenced swiftly after adoption of the Parliament’s mandate in January and as the DSA reaches its final phase – with the co-legislators turning their attention to online advertising-related aspects – IAB Europe believes that policymakers must remain alive to the value of data-driven marketing, the risks of some remaining provisions of the DSA, and finally, the importance of a thriving digital media ecosystem and economy at large for Europe’s future.
The European Parliament proposed to introduce new obligations and further restrictions on digital advertising. Expansive and undue formulations under Art. 13a and Art. 24 raise fundamental questions about the implementation and functioning of the data-driven ads ecosystem as it functions today.
Unintended consequences and real-life implications of the DSA proposals
The proposed ban on so-called ‘dark patterns’ has been making headlines – as clearly no one wants the user to be misled in any way – but sweeping proposals under Art. 13a risk duplication and overlap with the existing privacy & data protection legal framework as well as relevant consumer law, the latter being evident from the recently published Commission’s guidance on the application of the Unfair Commercial Practices Directive.
Art. 13a 1(e) would likely take away the right of a publisher to independently hold a dialogue with the user about access to their very own ad-supported content or services – a growing concern given the ability to set signals such as ‘Do Not Track’ at browser or operating system level. Far from being a technologically neutral provision, this will pose an increasing problem for publishers looking to carry ads, as well as the businesses who rely on the reach of digital advertising to attract new customers. In 2021, Apple’s ‘Ask App Not To Track’ feature was estimated to have cost the biggest internet companies almost $10 billion – a significant sum that smaller players simply could not absorb.
Art. 13d 1(b) would in effect introduce a blanket approach to establishing validity of ‘consent’, imposing a prohibition of repeatedly requesting a recipient of the service to consent to any - not just ad-related - data processing when they have already refused. These matters - including the storage duration of user consent or refusal - are already being addressed by Data Protection Authorities (DPAs) guidance on the basis of their analysis of the GDPR provisions. It is important for any such interpretation of the GDPR requirements to be made on a case-by-case basis, including taking into account the context of different business models. Adding new, overlapping and possibly contradictory language on the matter of obtaining ‘consent’ would obfuscate the GDPR, and render DPAs efforts to-date irrelevant. For similar reasons, the added value of Art. 24 1a should be questioned.
Finally, though provisions that stand for an online environment that protects children and vulnerable people are important, they present cause for concern about how they might work in practice. The ban on targeted advertising to minors proposed under Art. 24 1b should take into account the business context and technical possibilities, avoiding a full ban on targeted advertising when the means of reliably discerning an internet user’s age - fully in line with the data protection regulation - cannot be found.
Preventing websites from asking vast swathes of users for their consent to advertise would remove a vital element of websites’ autonomy and concentrate it in the hands of a small number of gatekeepers – something European legislators are explicitly seeking to prevent and which has not been subject to any impact assessments.
Sustainability of the digital media ecosystem at stake
In this situation, many publishers could find themselves struggling, deprived of yet another crucial source of revenue. Facing years of declining print circulations, small publishers across Europe have turned to digital advertising to sustain themselves, often with great success. The Reuters Institute for the Study of Journalism reported that digital advertising revenues grew at their fastest rate ever in 2021, at over 30 per cent year on year, accounting for almost two-thirds of advertising spend.
Making digital advertising unviable would ultimately result in declining media pluralism across Europe. Even as policymakers strive to improve it. The Parliament’s Culture and Education Committee reflected on the fact that a shift to a subscription economy without advertising could lead to a decline in the availability of free quality information, stressing underlying liquidity issues of media organisations on another occasion. Diminished access to free, reliable content provides space for disinformation to take root, something that has plagued governments trying to combat uncertainty of the current times . Far from solving a problem, restricting digital advertising in this way could make the problem worse.
Digital advertising is no longer simply a nice to have. It is a crucial element of the modern media ecosystem, supporting pluralism and the proliferation of free, high-quality information. Severe restrictions on digital advertising could have equally severe, negative consequences.
Authored by Industry Leaders From Across the Digital Advertising Ecosystem
The Latest Version of the Guide Provides the Most Recent Updates to Support the Digital Advertising Industry in the Transition Period and Beyond
10th March 2022, Brussels: IAB Europe, the leading European-level industry association for the digital advertising and marketing ecosystem, has today released its latest comprehensively updated ‘Guide to the Post-Third-Party Cookie Era’, to enable brands, agencies, publishers, and tech intermediaries prepare for the impending post-third-party cookie era.
The Guide has been developed by experts from IAB Europe’s Programmatic Trading Committee and Post Third-Party Cookie Task Force. It succeeds the second edition of the guide, which was released in February 2022. It provides the latest insights into the many alternative solutions that are being developed to replace third-party cookies when they are depleted in 2023, including context, identity, the use of telco data, and the Google Topics initiative, and expands into new challenge areas including measurement and attribution.
It is clear that innovation around alternatives to third-party cookies continues, and the industry will have multiple solutions available. As such, the Guide continues to help and encourage the industry to keep testing, learning, collaborating and developing across 2022, right through to the newly extended deadline for cookie deprecation in late 2023.
Commenting on this latest work, Lauren Wakefield, Marketing & Industry Programmes Director, IAB Europe said “Although the deadline has been extended to 2023, the digital advertising ecosystem must continue to collaborate, innovate and deliver on the solutions that are outlined in the latest update of the Guide. As the European-level association for digital advertising and marketing, we must continue to help our members embrace these changes, educate the market on what is available and offer support to ensure we create a thriving future for programmatic advertising.”
Explaining the reasons for supporting this initiative, contributors highlighted the integral role of the guide in keeping brands, agencies, and publishers updated on the technological advancements and evolving opportunities available with identity. A new contributor this year is Amobee. Their Head of Growth, EMEA, Piper Heitzler, commented “What's happening in the world at large and more closely within the ad tech industry is a renewed appreciation for the power of collaboration. IAB Europe’s Post Third-Party Cookie Guide is an excellent example of what can be produced when experts from diverse principles, like our own Solutions Engineering lead in EMEA, Zara McDonald, work together to aggregate collective insights that are refined and reviewed by each other's experience and perspectives. A must read for brands and agencies looking to stay up-to-date on technological changes and opportunities in the Identity space."
Rémi Lemonnier Co-founder & President of Scibids, who is also a new contributor this year, continued, "Given the importance of the topic for the industry, we were more than happy to contribute to the update of IAB Europe's Post Third-Party Cookie Guide and share the expertise we have gathered in the past years, building a private by design AI. As marketers navigate this new era of privacy, we are convinced that providing knowledge and clarity will help the industry move forward!"
This was echoed by Tanya Field, Co-Founder and CPO at Novatiq who said, “The updated IAB Europe Guide could not come at a more important time. With protocol updates from the major platforms, lawsuits from privacy campaigners, and continuous industry innovation, the market is at risk of fragmenting, as interoperability challenges hinder growth. It is clear that advertisers and publishers need clarity on the best way forward. This is what the Guide provides and why Novatiq was delighted to contribute towards its creation.”
The extensive Guide provides a comprehensive and complete deep-dive into the following key themes:
Commenting on the depth of knowledge contained within the Guide and the importance of this continued conversation, Chair of the IAB Europe Programmatic Trading Committee and Integral Ad Science’s Head of Programmatic and Publisher Development, Nick Welch, said “Ensuring consumer privacy in digital advertising is essential and the demise of third-party cookies is one such industry initiative that aims to achieve this. Advertisers today must be armed with the right resources to deliver efficient and effective campaigns that meet the needs of consumers and must have the tools available to thrive in a post-cookie world. This Guide has been produced by IAB Europe’s Programmatic Trading Committee in a collaborative effort to include expertise from across the value chain to support brands, agencies and publishers in this new era. It aims to show the latest updates and solutions available, it demonstrates how far we have come and the opportunities we have to continue to move forward together.”
IAB Europe will be continuing the conversation and education around the post third-party cookie era throughout 2022 in a series of workshops, blogs and podcast conversations.
The IAB Europe ‘Guide to the Post-Third-Party Cookie Era’ is available here.
4 March, Brussels, Belgium: IAB Europe confirms it will file an appeal today against the administrative ruling by the Belgian Data Protection Authority (APD) regarding IAB Europe and the Transparency & Consent Framework (TCF).
IAB Europe disputes the controversial and novel allegation that it acts as a controller for the recording of TC Strings (the digital signals created to capture data subjects’ choices on how their personal data can be processed), and as a joint controller for the dissemination of TC Strings and other data processing done by TCF participants under the OpenRTB protocol.
The appeal, filed before the Market Court in Belgium (part of the Brussels Court of Appeal), includes a request for suspension of the execution of the decision, which would pause all orders of the APD until a decision on the merits is rendered by the Market Court.
“Immediate enforcement of the decision would deny an appeal of its relevance and effectiveness, and would have irreversible and serious consequences for our organisation”, said Townsend Feehan, IAB Europe CEO.
“Eliminating the grounds on which the APD considers IAB Europe to be a data controller would reduce the TCF to a mere open-source standard without enforceable policies. Paradoxically, this would render ineffective the consumer protection objective that underlies the APD’s jurisdiction, and the apparent reason for which proceedings against IAB Europe exist. We do not believe this is the aim of the law, nor that self-regulatory standards should be weakened because of a misguided interpretation of the law. This is why we are challenging the decision.”
IAB Europe will communicate on the outcome of the request for suspension in the next few weeks.
For further information, please read and download the IAB Europe FAQ Document here.
3 March 2022, Brussels, Belgium – IAB Europe today announced a suspension of all cooperation with IAB Russia and IAB Belarus, following the Russian invasion of Ukraine earlier this week and the announcement that Belarus is acting in support of the government of Vladimir Putin.
“We regret taking this step against partner organisations, but the brutality of Russia's unprovoked attack against a sovereign European country gives us no choice but to use every lever at our disposal to increase its isolation,” said IAB Europe CEO Townsend Feehan. “IAB Europe stands with our innocent Ukrainian colleagues in Kiev and elsewhere, who are continuing to work under shocking circumstances.”
About IAB Europe
IAB Europe is the European-level association for the digital marketing and advertising ecosystem. Through its membership of national IABs and media, technology and marketing companies, its mission is to lead political representation and promote industry collaboration to deliver frameworks, standards, and industry programmes that enable business to thrive in the European market.
24 February, Brussels, Belgium - IAB Europe today expressed its solidarity with, and support for, its colleagues in Ukraine and their families. “In the week-to-week cut and thrust of our policy advocacy in Brussels, it is easy to forget why the European Union was created”, said IAB Europe CEO Townsend Feehan. “The events of the past few days are a powerful reminder. We are alarmed and saddened that in 2022, friends and colleagues in a sovereign European country can be confronted with armed conflict and a military invasion of their homeland. We hope and pray for their safety.”
IAB Europe is recruiting a full-time Privacy Compliance Officer to join our Brussels-based privacy team. The candidate should have a basic understanding of the European data protection framework and an interest in its impacts on technological development, especially digital advertising and media.
Scope of the Role: Key Responsibilities
The Privacy Compliance Officer will report to IAB Europe’s Privacy Director. The Privacy Compliance Officer will be responsible for executing IAB Europe’s compliance programmes in the context of the association’s GDPR compliance standard, the Transparency & Consent Framework (TCF). Tasks and responsibilities include but are not limited to:
Profile
Professional attributes:
Personal attributes:
What’s in it for you?
Location: Brussels
Type: Full-time
Salary: Commensurate with experience
Contract type: Indefinite
To apply, please send your CV & a covering letter by email to jobs@iabeurope.eu with a subject line: ‘Privacy Compliance Officer - Application’.
While we may not be able to reach out to every applicant, we will contact candidates whose skills and experience are a strong match for the position.
Following the publication of the Decision of the Belgian Data Protection Authority of 2 February 2022 on the Transparency & Consent Framework (TCF), many sources have published partial or incorrect information about the scope of that Decision. This information includes guidance from two European data protection authorities (DPAs) advising publishers and others to switch from using the TCF, despite the fact that (i) the Decision is an administrative one that is subject to appeal (see IAB Europe’s announcement in this respect) and (ii) the Belgian DPA gave a period of two months to come up with a plan with corrective measures to remedy alleged non-compliance and an additional six months to implement such measures.
The DPAs making statements in this respect are aware of this, as they have been involved in the decision-making process led by the Belgian DPA and endorsed the remediation period.
IAB Europe wishes to reiterate that the TCF is a voluntary minimum standard created to help publishers establish and document the GDPR legal basis for the processing of users’ personal data by third parties who deliver and measure digital advertising on their sites. The Belgian DPA has not prohibited the TCF, but has instead ordered IAB Europe to introduce additional functionality and propose corrective measures, confirming that the alleged infringements can in its view be remedied. The version of the Framework that emerges from this process will be an even stronger standard.
If publishers, vendors and CMPs wish to adapt their use of the TCF in the meantime, they remain free to do so, and they can in this context take into account the Belgian DPA’s suggestions of additional information disclosures as well as its guidance regarding the use of legitimate interests as a legal ground for profiling.
11 February, Brussels, Belgium: IAB Europe confirmed today that it will appeal the Belgian Data Protection Authority (APD)’s administrative ruling regarding IAB Europe and the Transparency & Consent Framework (TCF) to the Belgian Market Court.
The administrative ruling’s finding that IAB Europe acts as a joint controller for profiling and other data processing done by TCF vendors in the context of OpenRTB is disputed by IAB Europe.
“IAB Europe is a small trade association that has been creating and iterating on a framework for data protection best practices in continual consultation with the authorities. It cannot have been the intention of the European legislator that a body like ours should bear legal responsibility for the data processing activities of an entire industry,” said Townsend Feehan, IAB Europe CEO. “We have no choice but to appeal.”
“We believe the controversial ruling that IAB Europe is a data controller for information processed for TCF purposes is based on a misunderstanding of the facts and a misapplication of the law. This establishes an irrational legal precedent. It will have the perverse effect of discouraging other standard-setting organisations from investing in instruments that aim to protect users and facilitate the exercise of their rights under the GDPR.”
IAB Europe believes appealing is the right decision to avert unintended negative consequences that go well beyond the changes that the APD wants to see made to the TCF, and which could impact the wider digital advertising industry. Notwithstanding, IAB Europe looks forward to working with the APD and other data protection authorities to ensure the TCF’s continuing utility in the market, and with the ultimate aim of having the TCF approved as a transnational GDPR Code of Conduct.
Supervisory authorities from across the European Union were involved in the process that led to the APD’s administrative ruling. While we believe it is unlikely that these authorities will take measures against IAB Europe or any commercial actors using the TCF until a final judicial ruling is rendered, we nevertheless call upon such authorities, in the spirit of EU-wide consistency and legal certainty, to publicly acknowledge that intent. We also believe that any civil litigation that might ensue in other jurisdictions will likely be stayed pending resolution of IAB Europe’s appeal in the Market Court.
Finally, we are aware that certain advocacy organizations are calling upon advertisers to cease using TCF and OpenRTB. We find such a conclusion unfounded, first, because no advertisers are named parties in the Belgian ruling and second, because the APD has not ordered the IAB Europe to discontinue use of TCF pending its submission of a plan to the APD.
For further information, please read and download the IAB Europe FAQ Document here.
The Belgian Data Protection Authority (APD) handed down on 2 February 2022 a decision on IAB Europe and the Transparency & Consent Framework (TCF). What does this decision actually say, and what does it mean for the TCF itself, for IAB Europe, for vendors, publishers and consent management platforms (CMPs)?
Read our FAQ document to find answers to these questions and more.
The document addresses questions including:
Read and download the full FAQ document here.
2nd February, Brussels, Belgium: IAB Europe acknowledges the decision announced today by the Belgian Data Protection Authority (APD) in connection with its investigation of IAB Europe. We note that the decision contains no prohibition of the Transparency & Consent Framework (TCF), as had been requested by the complainants, and that the APD considers the purported infringements by IAB Europe that it has identified to be susceptible of being remedied in six months.
We reject the finding that we are a data controller in the context of the TCF. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge.
Notwithstanding our grave reservations on the substance of the decision, we look forward to working with the APD on an action plan to be executed within the prescribed six months that will ensure the TCF’s continuing utility in the market. As previously communicated, it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct. Today’s decision would appear to clear the way for work on that to begin.
For more information on the APD decision on IAB Europe and the TCF, please visit our FAQ document here.
In a note published last week, the Irish Council of Civil Liberties (ICCL) criticised IAB Europe’s efforts to monitor adtech vendors’ compliance with their commitments under the Transparency & Consent Framework (TCF). In particular, it called out IAB Europe’s “inability to audit what 1000+ companies that use TCF do with personal data”, and concluded that transparency and control “cannot be established”.
Presumably, the above reasoning explains why, according to the ICCL, data-driven advertising should be banned and any industry compliance initiative should itself be immediately discredited and prohibited. In other words, since it is impossible to guarantee absolute compliance, it would be better to do nothing. If one would, by analogy, apply the same reasoning to national data protection authorities (DPAs) - responsible for enforcing data protection rules - then these should all just close shop in light of their inability to continuously audit all data processing everywhere.
Luckily, both DPAs and IAB Europe take a somewhat less defeatist attitude to compliance and enforcement. And while IAB Europe is in no way a DPA, nor does it have the same powers as a DPA, it continuously strives to improve its monitoring and auditing capabilities in the context of the TCF.
As a reminder, the TCF is a voluntary standard that companies which serve, measure and manage digital, including personalised, advertising or content can use to assist with their GDPR compliance. It doesn’t guarantee compliance, nor does it seek to help companies shirk their legal responsibility. It’s just a step in the compliance process that every business that implements the Framework must undertake individually. Portraying it as anything else signals a misunderstanding of the instrument and its objectives.
As an integral part of the TCF, IAB Europe has been running a Consent Management Platform (CMP) compliance programme since 2019. That programme comprises a pre-implementation validation stage and a post-implementation enforcement stage.
In August 2021, the programme was improved and expanded to include monitoring of Vendor implementations for compliance with the TCF Policies and Technical Specifications. You can read more about the Vendor Compliance Programme here.
While it should be absolutely clear that the responsibility for correct implementation of the TCF, and ultimately compliance with the EU’s data protection framework, lies with the businesses that are subject to it, IAB Europe provides support and develops dedicated procedures to make sure the TCF is implemented properly. As managing organisation of the Framework, IAB Europe also imposes penalties in line with its prerogatives under the TCF Terms and Conditions to contractually sanction non-compliance.
The first iteration of the Vendor Compliance Programme launched in August last year falls within this objective. And while client-side vendor operations constitute the focus of what is only an initial phase, its scope includes systematic large-scale monitoring of vendor behaviour at the point of data collection and, thus, an assessment of compliance with critical TCF policies, directly rooted in requirements set out in the ePrivacy Directive and the GDPR.
In particular, and contrary to the claims put forward by the ICCL, the programme not only monitors the writing and reading of cookies by Javascript and non-Javascript tags. It also audits all http requests and responses, and attempts to identify instances where vendors may not be collecting or transmitting personal data in accordance with the user’s preferences.
Crucially, to ensure accuracy of results, the auditing relies on both automated crawls and manual testing of web pages. This precludes any bad players within the system from circumventing the programme and evading their commitments towards the user and the industry as a whole.
It’s worth noting that such compliance monitoring and auditing is possible precisely because of the standardised and open format for signaling user preferences established by the TCF. This would not be possible with any other consent structure in use today. Our hope is that DPAs in particular, will consider leveraging the compliance auditing opportunities it offers.
For more information on the TCF Vendor Compliance Programme, please see this dedicated notification.
