Publishers are wary of the latest attempt to standardize GDPR compliance

For the last two years, trade bodies and steering groups have created a more palatable version of the first framework that suits more stakeholders. Due to roll out in March, the IAB extended the deadline to August so companies hamstrung by coronavirus could get organized. Here’s an update on the progress.

The purpose of the framework is to standardize how businesses —  publishers, ad tech vendors and agencies — can continue running programmatic advertising on the open exchange in a way that is compliant with GDPR. The updated version has been improved, particularly in giving more clarity around how data processors, like Google and vendors, can use publisher user information.

Google’s involvement, like all publisher and platform partnerships, is both a boon and causing some consternation.   

As Google controls so much of the ad market, having it join TCF is key to the framework’s success. But publishers are still keen for more details on how exactly this will look while the clock is ticking down.

“The main problem for us is the IAB and Google haven’t actually agreed how they will work and Google joining was the main selling point,” said one publishing executive. “Google’s policies are shifting faster than a gearbox in a Formula 1 car so it is hard to work out how that side of compliance looks.” 

German media company Axel Springer and Nordic group Schibsted are irked by Google seemingly dictating how others should process data, allegedly using its strength to push on what was initially agreed in the framework to suit its own needs.   

“We should not be having our compliance dictated by a vendor, no matter how big,” said the first publishing executive. 

Google, and IAB Europe, maintain the tech giant is working within the confines of the framework. Like any other vendor or publisher, Google can set any contractual terms that it likes,” said Filip Sedefov, legal director at IAB Europe. “[Google] would probably do that with or without TCF,” he said. “It’s a fake idea to think that TCF would reinforce that position in any way.” 

Vendors using the out-of-date framework after August 15 — although there is a grace period until September 30 — would be potentially flirting with GDPR non-compliance.

For the second version, consent strings — which represent the permissions the vendor needs to use data — contain more elements and segments about that user than the first iteration. Vendors need updated information on user consent to be processed. 

For publishers who are ready for the deadline, they will have to ask for consent again, but it’s unlikely to lead to a drop in consent and so a drop in revenue from ads that can’t be targeted, according to sources.

Currently, 460 vendors are operational on TCF 2.0, about 80% of vendors. Roughly 600 vendors signed up to the first iteration. Sedefov is confident they will in time but it’s causing some vexation among publishers. The question, come August, will be whether publishers cut vendors, throttling supply, if they haven’t switched over.

“Ad tech players aren’t quite ready for it,” said a second publisher. “All publishers are getting ready.” It’s true that publishers and consent management platforms have to do less development than vendors. Vendors have to do more development work than publishers to make sure they can receive and read the right signals.   

“DSPs and SSPs could indeed be a risk towards the deadline,” said a former publisher, “since they have to technically ‘digest’ all the tracking pixels, which are to be passed on from publishers to advertisers, and vice versa.”

Europe’s patchwork of different regulatory boards and data protection authorities make standard implementation difficult and local interpretations likely. 

“Not a lot of DPAs seem to have a deeper knowledge of the details TCF will be providing,” said the former publisher. “There’s more work for IAB Europe and the local IABs to do.”