Large-Scale Third-Party Addressability On The Open Web Doesn’t Work – Period

As appeared on AdExchanger on 17 February 2022: https://www.adexchanger.com/data-driven-thinking/large-scale-third-party-addressability-on-the-open-web-doesnt-work-period/  

IAB Europe’s Transparency & Consent Framework (TCF) is flawed and unfixable.

But let’s back up.

On Feb. 2, the Belgian Data Protection Authority (APD) ruled that the TCF violates the GDPR on multiple levels. IAB Europe was given two months to submit a plan outlining a redesign of the TCF to bring it into compliance with the regulation. If approved, IAB Europe will have an additional six months to make the changes. On February 11, IAB Europe released a statement confirming its intention to appeal the APD’s ruling.

After the ruling was published, debate ensued in the industry, and a clear division emerged between those who want to sustain the online advertising ecosystem in its current form (or something very similar), and those pushing for a radically reimagined ecosystem designed around privacy and data protection.

I’m part of the latter group and let me explain why.

The TCF is a framework that was designed in an effort to add “validity” to a system that is unethical at best and unlawful at worst. We need to acknowledge that the online ad ecosystem itself was not designed to protect consumers or their personal data.

Trying to redesign the TCF to make it compliant is therefore futile, because the underlying processes for which it seeks to gather consent will never be compliant unless the system itself is radically redesigned.

People who defend the TCF and OpenRTB often refer to those who seek to address this issue as privacy fanatics, alarmists or attention seekers. They opine ad nauseam about the supposed “rights” advertisers, publishers and tech companies have to operate a system that is out of control in order to sustain the open web (aka their own business models). They talk about how large-scale personalized advertising on the open web creates a meaningful value exchange with consumers.

One word: fugazi.

Industry folk often point to how Google and Facebook stand to benefit from tightened regulations and how the industry is doomed if regulators double down on privacy because supposedly only large walled garden platforms will survive. Yes, the increasing power and domination of advertising giants is concerning. But that’s an area where antitrust regulators play a role, and it should not be addressed with regulatory lenience on privacy and data protection.

Why is there such an utter lack of imagination among leaders in the ad industry? Why try to desperately hold on to a system that is de facto unlawful under most contemporary regulatory frameworks?

I’d argue that advertising has thrived for nearly two centuries without large-scale third-party addressability and personalization. The industry won’t collapse when adjustments are implemented that guarantee the safe and compliant processing of personal data.

At the IAB’s Annual Leadership meeting this month, as reported by Digiday, Allan Thygesen, Google’s president for the Americas and global partners, went so far as to say “our industry can either work together to reinvent the way data is used to deliver personalized ads in more privacy safe ways – or we can stop using personalization of scale altogether and walk away from the model that led to 30 years of global growth and prosperity for so many.”

But the fundamental rights of people should always take precedence over the “prosperity” and “growth” of businesses – and it doesn’t matter how many people are getting rich off the system.

And saying that the deprecation of third-party cookies without a viable alternative to preserve the status quo will “cost a lot of jobs” is also a moot point. Imagine the mafia getting publicly upset about the potential loss of employment for their mobsters because of increased enforcement against crime?

It’s an extreme example to illustrate a point – but law is law. Anti-racketeering regulation is, at its core, no different from data protection regulation. We evolve as a society as does our usage of – and reliance on – technology, and so our regulatory frameworks must evolve as well.

The industry has had its fun, and Thygesen is right. The data-fueled ad tech ecosystem has printed money for corporations for decades. Now, however, it has run its course. Privacy and data protection needs to be given center stage, and uncontrolled access to troves of data by thousands of companies and vendors must be restricted as soon as possible.

Well-informed and compliant ways to add relevance to advertising can still exist, and good media owners will find a way to generate ad income while putting their audience’s rights first. It’s imperative that we are clear about exactly what part of the ecosystem is noncompliant, because no one is saying that all addressability must be removed from advertising. The debate is about the OpenRTB protocol and the large number of businesses that obtain and transact huge amounts of personal data in a highly opaque and, I’d argue, harmful environment.

Under the current regulations, it is impossible to simplify and streamline the way valid consent is obtained for data access and processing by thousands of vendors at once. The purpose limitation principle, for example, invalidates all the unhinged – and largely invisible – ways in which personal data is processed after a user innocently clicks “accept all’ in a consent pop-up. Some people blame regulators for not providing clear guidance and supposedly leaving too much room for interpretation, but the law is clear – and so are the authorities as they ramp their enforcement.

One of the weirdest arguments made by people in the industry is that it would simply be too annoying and, therefore, essentially impossible to obtain valid consent in line with the regulations. And that is exactly right – but not for the reason they think it is.

It’s impossible to implement a quick and dirty one-click solution for obtaining valid blanket consent, but that’s because of the mechanics and unlawfulness of the underlying processing activities themselves, not because of an annoying user experience.

Regulators have no obligation to support businesses as they continue to grow through a reliance on unlawful models. There is no such thing as a fundamental right for corporations to process data, because otherwise their systems or commercial models won’t work. That’s not what legitimate interest is.

Regulators are paying attention and taking action, and now the industry must follow. This is a good thing.

It’s time the industry understands this and moves on in a more constructive way.

 

Digiday also covered this topic with an in-depth article, including commentary from Ebiquity. Find it here.