Unified ID 2.0 testing could hit a serious snag in Europe.
Although beta testing of UID2 in the US and Canada is already well underway, multiple sources tell AdExchanger that The Trade Desk is having trouble lining up an independent administrator to govern and police the use of UID2 in territories where GDPR is the law of the land.
This administrator would very likely be on the hook for any violations of GDPR, a hefty liability that’s scaring off potential administrators.
UID2 is an industry initiative originally spearheaded by The Trade Desk that aims to replace third-party cookies with hashed and encrypted email-based IDs.
But it’s unclear who will serve as the data controller and who will serve as the data processor in the management and use of UID2 identifiers. Until that gets settled, UID2 testing is grounded in Europe.
Google ran into a similar roadblock in March during the initial set of origin trials for its Federated Learning of Cohorts proposal in the Privacy Sandbox. FLoC testing has still not kicked off in the European market.
The Trade Desk disputed that UID2’s European roadblock is stalled and noted that it’s working to comply with GDPR. “Everything is progressing very much as planned,” a Trade Desk spokesperson said.
The struggle is real.
An ad tech company based in Europe told AdExchanger that it’s been unable to get onboarded for the UID2 test phase in the US because the company is based and does most of its business in the European Union.
This company was later approached by The Trade Desk to serve as an operator for the initiative in Europe. It declined the opportunity and hasn’t received an update from The Trade Desk on next steps for potential UID2 testing in Europe.
But there’s no doubt The Trade Desk is keen to figure out how to get testing going in the EU.
During a meeting of IAB Europe’s Post Third-Party Cookie Task Force earlier this year, a Trade Desk representative said finding a way to make the ID compatible with GDPR is a priority. If it’s unable to do so, The Trade Desk would consider the entire initiative a failure.
Europe is a material market, and any third-party cookie replacement needs to work there. Digital ad spending is set to hit $91.44 billion in Western Europe by 2025, according to Magna Global.
Processors and controllers
But what exactly is the issue under GDPR?
Under GDPR, a data controller is defined as a person or entity that determines the purposes and the means of processing personal data.
Both data processors and data controllers are legally liable for any challenges related to processing activities that infringe the GDPR (although controllers bear the most responsibility).
It’s a big question as to who would want to take on that responsibility, especially considering an imminent draft ruling from Belgium’s data protection authority that will likely find IAB Europe’s Transparency and Concept Framework to be a violation under GDPR.
If consent strings are invalidated, for example, it’s unclear exactly how the permissions collected through OpenPass will be shared across publishers and ad tech partners. OpenPass is the single sign-on solution set to serve as the consumer-facing, consent-gathering mechanism for UID2.
Will you be my admin?
The UID2 design protocol calls for three main supporting functions: multiple independent operators, auditors and an administrator.
An operator’s job is to issue the UIDs themselves, host the underlying software and generally make sure the IDs are functioning properly. Prebid.org signed on as the first operator earlier this year.
But the administrator’s role is proving a lot harder to fill.
An administrator’s duties involve serving as a centralized database of sorts to manage access to the UID2 ecosystem of partners. One of its main responsibilities will be to distribute email encryption keys to the operators and decryption keys to participating demand-side platforms. The admin will also handle sending user opt-outs to the Unified ID 2.0 operators and DSPs.
As one executive at a European ad tech company who asked to remain anonymous put it, “There’s a heck of a lot of potential liability there – and who wants that?”
The IAB Tech Lab did signal support for UID2 earlier this year, but it’s not yet officially volunteered itself to serve as administrator.
Bill Michels, The Trade Desk’s general manager of product, told Digiday over the summer that The Trade Desk remains the initiative’s sole administrator, although it’s looking into other entities that could take on the task.
Although The Trade Desk officially committed the full open source code base for UID2 to the Partnership for Responsible Addressable Media in May, the company is still deeply involved in facilitating the testing process and striking partnerships to support the initiative.
The Trade Desk has publicly stated at events and on several webinars that it’s working with EU bodies to find ways for UID2 to be GDPR compliant.
A Trade Desk spokesperson told AdExchanger that The Trade Desk is working with partners and organizations around the world on the regional rollout of UID2, including the recent beta launch in Canada.