But there’s also the tricky question of auditing the TCF.
TCF data is collected by consent management platforms (CMPs), a category of vendors and open-source tech used by publishers to manage consent pop-up requests, store consent data and distribute it to ad tech or other vendors. CMPs pay $1,200 per year to certify themselves in the IAB Europe’s TCF framework and agree to potential auditing.
There are hundreds of CMPs, and TCF ID strings are shared very broadly, since not only is the ID passed to any SSP a publisher works with, but to any DSP that even evaluates the impression. (After all, whether or not there’s consent to use data for ad targeting determines how much they bid.)
If a rogue employee at a CMP or publisher chose to, it could falsify TCF IDs to allow targeted advertising – the incentive is there, after all – and IAB Europe or advertisers upstream have no way to identify the violation in retrospect, let alone during the milliseconds of real-time bidding.
The Belgian DPA declared that IAB Europe is a data controller for the TCF – a point the industry group has loudly fought against – and is responsible for conducting strict CMP audits and guaranteeing that consent strings can’t be used improperly in programmatic. IAB Europe earns a little more than a million dollars per year from CMP vendor fees, according to the DPA’s back-of-the-napkin math based on CMP membership numbers as of last July.
IAB Europe has six months to overhaul the TCF to meet the obligations determined by the Belgian DPA and must present an action plan for how it plans to do so within two months.
But the beleaguered trade org sees the silver lining, apparently. According to IAB Europe, presenting the TCF for approval as a transnational Code of Conduct – in other words, to get blessed as a single framework that can be used and interpreted cohesively across EU nations – was always in its plans.
“Today’s decision would appear to clear the way for work on that to begin,” according to a blog post.
IAB Europe said it is considering options to continue fighting the Belgian DPA’s conclusion that it is a data controller within the TCF, which makes it responsible for all the data processing, storage and usage when publishers use TCF consent strings for programmatic advertising.
But IAB Europe also noted that the TCF was not declared illegal, and that implicit in the DPA’s decision is that it considers six months adequate to remedy the issues.
If IAB Europe fails to satisfy the Belgian DPA’s judgment in the case, however, the TCF could be ruled illegal, which would require all openRTB consent data storage collected via the framework to be retroactively erased.
If that happens, it would be a potential knockout blow to open web programmatic in Europe.
And although Google isn’t the opponent in the ring this time, Google would still be the big winner. What’s new?
If the TCF doesn’t endure and the Belgian DPA’s decision is codified by other EU DPAs, it would leave Google’s AdBuyers protocol as the only RTB protocol collecting and using consent for online advertising.