The advertising technology ecosystem has been waiting for Google to implement the IAB Europe Transparency and Consent Framework (TCF), a protocol for collecting consent and conveying it to intermediaries for data-driven advertising.
Google and IAB Europe have been negotiating for almost three months about how to reconcile their technology and interpretations of consent for GDPR, according to sources from both sides of the table.
The ad giant and the trade group (of which Google is a member) have been close to a deal for weeks, but sticking points are keeping the two GDPR frameworks from coming together, sources said.
How broadly can consent be interpreted?
“Framework adopters still see things as open to interpretation and there are a lot of interpretations out there,” said Somer Simpson, Quantcast’s head of product, measurement and privacy.
Some IAB publishers take very narrow interpretations of consent, listing each vendor that will touch the data and accepting only explicit opt-ins. Others, however, interpret a user scrolling down a page or even clicking the “X” on a pop-up request as consent.
Once those forms of consent reach online ad exchanges, splitting the differences can be like picking out blood diamonds in a jewelry store.
The TCF establishes different kinds of requests and levels of consent for intermediaries: third-party vendor consent, first-party vendor consent and first-party publisher purposes consent, which is when a publisher’s first-party data is used in a campaign but not exposed to vendors.
The IAB Europe needs that flexibility because it’s juggling hundreds of publishers and vendors, many with product, ad ops and legal teams wrestling with their own interpretations of the law.
Google is ultra-cautious
But even if TCF publishers’ consent standards match Google’s most of the time, Google isn’t going to expose itself to potential multibillion-dollar fines by accepting consent that doesn’t meet its interpretation.
“For Google, IAB Europe consent is sort of like a pool with a tiny bit of bleach, where it might look totally fine but you actually only need a few parts per million to be dangerous,” said one industry exec with knowledge of the dealings with Google under a nondisclosure agreement.
Another member of the IAB Europe’s GDPR consent policy working group, speaking on condition of anonymity to discuss confidential negotiations, said Google has refused to accept equal liability under the terms of the TCF.
“They aren’t going to expose their own data or campaigns to a source of consent they aren’t either 100% sure of or unless the SSP or exchange are contractually liable,” the person said. “They know every European data regulator is probing them for potential vulnerabilities that could be made into cases.”
Many of the largest ad tech companies have made discrete consent integrations with Google’s DSP, but to receive targeted ad buys they must sign a contract accepting Google’s consent standards and liability for campaigns.
Legitimate interest vs. explicit consent
Another thorny issue is Google’s strict interpretation of legitimate interest, which is when a publisher’s data requirements supersede the interests of the user.
“Many publishers want to rely on legitimate interest and took very bold positioning on that as key players developing the framework,” said Romain Job, product chief of the supply-side tech company Smart. Those pubs include Axel Springer, the largest news publisher in Europe, as well as the Swedish newspaper publisher Schibsted Group.
But there’s no precedent on what qualifies for legitimate interest under GDPR, and the guidance that does exist is opaque, if not downright contradictory.
The most clear-cut legitimate interest cases would cover solutions like fraud detection or site management tech companies like Chartbeat that don’t use data for advertising.
A company like Quantcast fills some of the same roles as Chartbeat for a publisher (such as traffic management and reader data), but by extending data into online media buys it unsettles the balance between a publisher’s interest and user privacy.
“If you look at the IAB Europe framework’s global vendor list and what people are requiring in terms of explicit consent or legitimate interest, there’s not a consensus,” said Joshua Koran, Sizmek’s managing director of DMP product.
New versions of the TCF since May have expanded on the applications of legitimate interest for publishers.
But Google has an unflinching interpretation of legitimate interest, going so far as to set the same baseline opt-in standards for fraud detection services, measurement tools or publisher-first ad tech like contextual targeting that it does for pure DSPs and SSPs.
“With the IAB, if there are thousands of members clamoring for legitimate interest and saying they need this, then the trade group is trying to find out how to make that work,” said one member of the IAB Europe GDPR implementation working group under NDA. “But that isn’t going to shift Google an inch.”
This post was syndicated from Ad Exchanger.