While Google is busy dismantling how the open web functions, the ad industry is busy trying to re-architect it.
The IAB Tech Lab released several technical specifications for review on Tuesday in support of Project Rearc. The industry initiative began last year by developing a framework for online targeting without reliance on third-party cookies, including standards for hashed email-based identifiers.
But what about Google’s position that email-based IDs aren’t a sustainable solution for the future?
“There are some things we don’t have clarity on and we’re following up with Google, so TBD, but this doesn’t change our plans,” said Dennis Buchheim, CEO of the IAB Tech Lab. “This is about a portfolio approach, meaning that what we’re doing is part of it, but it’s also going to include publisher ID solutions and the Privacy Sandbox, too.”
Taken together, the purpose of the new specs is to lay the foundation for addressable targeting, measurement and attribution solutions that incorporate accountability and compliance, Buchheim said.
“A lack of trust over the years means that it’s critical for us to set clear rules and be able to independently audit and validate that people are following those rules,” he said. “That includes being able to revoke their privileges, in a sense, if they’re not.”
UID 2.0’s cop on the beat
Speaking of enforcing the rules, Buchheim confirmed to AdExchanger that he expects the IAB Tech Lab will take on the administrator role for Unified ID 2.0, the open source industry initiative to replace third-party cookies with hashed and encrypted email-based IDs. The UID 2.0 code is being developed based on the principles currently getting hammered out as part of Project Rearc.
In February, Prebid.org signed on as the first of what will likely be multiple independent operators of UID 2.0. Its job will be to issue the ID themselves and to host the underlying software.
The IAB Tech Lab’s role would be to police the use of the UIDs, most likely through at least one central database. Buchheim acknowledged that there are some industry stakeholders with concerns about the implications of too centralized an approach, but that “anywhere IDs are made available, it’s critical to have accountability,” he said.
Accountability
Rearc plans to develop an “accountability platform” that will house specs and best practices for auditable data structures and standardized guidelines to ensure that everyone in the supply chain can prove that they’re abiding by a user’s preferences.
“The best practices would start by defining who are first parties, what is personal data, what is a token, how do you tokenize and what are the requirements around transparency,” Buchheim said. “And then a good chunk of it is also about security, as in how to make sure that consumer data is protected and that the IDs and tokens themselves are encrypted.”
Although the IAB Tech Lab could plausibly be one of the entities that audits and confirms that all supply chain participants are keeping kosher, that process would likely involve multiple auditing bodies.
Exactly who they will be is “an open question,” Buchheim said.
Related to the accountability platform is a proposal for a “global privacy platform” that would plug into the accountability platform and provide support for compliance with the Transparency and Consent Framework in Europe and the CCPA compliance framework in the US. The privacy platform would also help companies propagate user preferences through the supply chain in a consistent way that adheres to regional data regulations.
Addressability
As “sister standards” to the work on accountability, the IAB Tech Lab is also publishing two proposed addressability-focused specs for public comment. One spec creates consistent standards for the use of contextual data and other non-ID based audience segmentation. The second spec focuses on best practices for identifiers, including but not limited to email.
The aim of the “Taxonomy and Data Transparency Standards to Support Seller-Defined Audiences and Context Signaling” – “just rolls off the tongue, doesn’t it,” Buchheim joked – is to use the existing content and audience taxonomies built on top of OpenRTB to create standard names for audience segments based on the data transparency standards the IAB Tech Lab released in 2019.
“Hopefully, this will be a good forcing function for companies to support interoperability through a common taxonomy,” Buchheim said. “If you know something about your audience as a publisher, you should be able to share that without an ID in a consistent way.”
The purpose of the “Best Practices for User-Enabled Identity Tokens” spec is to develop a set of guidelines to make sure that personalization tied to a user-provided email or phone number is secure and privacy compliant.
Chicken and the egg
Although the goal is for the principles that underpin Project Rearc to incorporate the parameters set by the advertiser-led Partnership for Responsible Addressable Media (PRAM) – the fact is that PRAM hasn’t yet published its guidelines.
So, in that sense, Rearc isn’t strictly being developed based on PRAM’s requirements, because they don’t exist yet.
It’s just another example of how working on the online identity problem is sort of like attempting to change the tires while a car is in motion.
“Welcome to my life,” Buchheim said.
But PRAM has identified a handful of key business cases that need to be solved for on both the buy side and the sell side, which the IAB Tech Lab is using as its guiding light, including how to select audiences, how to handle consent and how to activate, measure and optimize.
“The business cases PRAM shared in January came well after we were pretty far along in drawing up the specs, and PRAM’s policy work is ongoing, so it’s a little bit of a cart-before-the-horse scenario,” Buchheim said. “But we’ve been carefully tracking what’s happening in the policy group, and it’s also the case that PRAM has more to do with the operation of IDs as opposed to the technology behind IDs – which is us – so that makes all of this a little less of a chicken-and-egg problem.”
The comment period for the global privacy platform spec is 30 days, ending on April 8. The comment period for the accountability platform and the two addressability specs is 60 days and ends on May 7.
