IAB Europe and the IAB Tech Lab released on Wednesday a commercial version of the Transparency and Consent Framework, a new publishing standard meant to reconcile ad tech with GDPR regulations.
From a consumer point of view, the experience would be similar to the current standard for web browsing in Europe, where there’s already omnipresent cookie notifications and opt-in requests. But instead of just giving a cookie-tracking alert, the new messages will disclose which vendors a publisher works with, what data is collected and how it’s used.
But for tech intermediaries, the difference is critical.
Under GDPR, supply chain intermediaries need to have an explicit user opt in to apply any data for advertising. Ad tech ecosystem companies have no consumer touchpoints, though, and they require processes like the one outlined in the IAB Europe and Tech Lab framework, where publishers collect audience data and allow vendors to piggyback on that connection for advertising.
The IAB Europe and IAB Tech Lab framework includes a list of registered vendors that publishers can pass consent to for data-driven advertising. The tech companies pay a one-time fee between $1,000 and $2,000 to join the vendor list, according to executives from three participating companies.
The framework also introduces the first set of consent management platforms (CMPs), a category the IAB Europe is hoping to develop as the technology and rights management layer between publishers and users and between publishers and ad tech.
Although now that the framework is live, the barriers to adoption are painfully real as well.
The CMP category is pretty bare at the moment, and it may be greeted with suspicion by some publishers.
There are eight initial CMPs: two publisher tech companies with roots in ad-blocker solutions, Sourcepoint and Admiral, as well as the ad tech companies Quantcast and Conversant and a few blockchain-based advertising startups.
Adding new CMPs won’t be an issue, since those with the technology can easily register, said Bill Simmons, co-founder and CTO of Dataxu, who contributes to the IAB Tech Lab’s GDPR working group.
No publishers Dataxu works with have confirmed they’ll pass along consent in accordance with the framework, “but ultimately, economics and liability fears will drive them to put a CMP on their site,” Simmons said.
There will be a drop-off in EU audience inventory rates for publishers not aligned with the IAB Europe’s framework, because buyers won’t be able to apply location data, audience data, device IDs or cookies, said Drew Bradstock, senior VP of product at Index Exchange.
“We’ll send the traffic to buyers and monetize as effectively as we can, but it will be less valuable inventory,” he said.
Most publishers seem content to wait and test the waters of GDPR before adopting the framework.
Implementing the framework is easy from a technical standpoint, “but the larger challenge is interpretation of GDPR,” said Brian Kane, co-founder and COO of Sourcepoint, one of the initial CMPs.
Even in the past month, many in the industry have embraced the notion that publishers can secure consent on behalf of technology companies, Kane said, pointing to Google’s long-awaited announcement of its GDPR strategy.
Publishers, however, may not be on the same page.
Digital Content Next, a trade group representing online news publishers, is advising publishers to reject the framework, which CEO Jason Kint said “doesn’t meet the letter or spirit of GDPR.”
Only two publishers have publicly adopted the Consent and Transparency Framework, but they’re heavy hitters with blue-chip value in the market: Axel Springer, Europe’s largest digital media company, and the 180-year-old Schibsted Media, a respected newspaper publisher in Sweden and Norway.
Schibsted is “confident in the flexible and iterative nature of the framework” to address enforcement standards once GDPR is in effect, said Ingvild Næss, chief privacy officer, in an email to AdExchanger.
The framework will evolve based on feedback from regulators, publishers and users, but what’s important is that it “gives us as publishers complete control over which technology partners we choose to work with and over the purposes for which those partners use user data,” she said.
Publishers have been heads-down on internal GDPR compliance, like data recall requests and overhauling how they collect and use data, so considering a non-existent framework for transmitting consent to partners hasn’t been a priority, Bradstock said.
But now “publishers need to hurry up and get it in place, or they and their partners are going to be in an awkward position,” he said, meaning either inventory devaluations or, potentially, breaking the law.
For some, the choice is a stark one.
“Given what is currently known about the regulatory intent of the GDPR, we believe the framework is currently the best and arguably the only viable industry solution,” Næss said.
