2. EU RTB report fallout: Brave “I told you so”; IAB willing to talk about TCF modifications
Reaction to last week’s 35-page report by Britain’s top digital privacy watchdog is highlighting the GDPR’s challenge to the incumbent Real-Time Bidding service that has dominated web advertising for about a decade.
The clear implication of the report and reactions from the IAB and its protagonist, the browser maker Brave, is that personal data sent around ultimately has to become much less personal to be legal in Europe. And the public is becoming aware.
UK Information Commissioner Elizabeth Denham wrote in a forward that researchers “found an industry that understood it needed to make improvements to comply with our law.” She said the Information Commission Office (ICO) report found “the creation and sharing of personal data profiles about people, to the scale we’ve seen, feels disproportionate, intrusive and unfair, particularly when people are often unaware it is happening.”
One visit to a website, prompting one auction among advertisers, can result in personal data seen by hundreds of organizations, Denham says.
The ICO commissioned Harris to undertake research into online advertising. The research documented that 63% of the 2,300 participants indicated initially they found it acceptable that ads funded free content. But when they were given an explanation of how RTB works, this fell to 36%.
IAB Europe, along with Google, are the key industry voices seeking to find a way to avoid fines and censure for practices regulators say are forbidden by the General Data Protection Regulation (GDPR). IAB Europe CEO Townsend Feehan responded to Denham’s “Adtech Update Report.”
“The ability to address the ICO’s concerns is near impossible to achieve without a standardized industry solution,” Feehan wrote, pledging IAB would work closely with the ICO and other privacy authorities on making unspecified changes in its Transparency and Control Framework (TCF) to ensure less privacy risk and more user trust “to ensure the sustainability of this innovative sector which underpins the ad-funded internet.”
Feehan’s detailed response is found at the bottom of this TechCrunch post.
An early and frequently critical of ad-tech’s response to GDPR has been Johnny Ryan, a former Irish journalist and ad-tech researcher who now works for Brave, a California company. Brave’s business promotes the idea that user information should stay within their web browser and that advertising selection should occur there, rather than as the result of a bidding process that sends user data to millions of points. Thus, Brave argues for disruption of RTB.
Ryan released this week a blog with point-by-point analysis of the ICO report, saying it “vindicates” Brave’s concerns about RTB. The core problem cited by both Brave and the ICO report is that bid requests send as part of the RTB process, sensitive information about individuals and that cannot comply with GDPR.
Audience segments are described by the IAB as “subsets of user data signifying specific facts, interests” in the IAB 2016 Data Segments & Techniques Lexicon, on page 4. There is also an overall content taxonomy published by the IAB in 2017 and announced in an IAB news release in November of that year.
The ICO report asserts “the only lawful basis for ‘business as usual’ RTB processing of personal data is consent (ie processing relating to the placing and reading of the cookie and the onward transfer of the bid request).” It adds: “Our work has established that, at present, some parts of the ad-tech industry are unaware of this advice.” ICO’s report says ad-tech and publishers involved within it have to understand, document and be able to demonstrate how their user-data processing operations work, what they do, who they share data with and how they can enable individuals to exercise their rights under GDPR.
“This report is rather unhelpful for the thousands of publishers and ad-tech vendors involved in RTB and the online advertising industry,” concludes London-based media-tech attorney Lara White, in a Norton Rose Fulbright report. “It sets out a number of deficiencies, but leaves open how many of these can be addressed, especially in the absence of a widespread change in the way the industry works.”