Stating Facts: OpenRTB and GDPR. The Two Do Work Together!
IAB Europe would like to address the recent complaints filed against IAB Tech Lab’s OpenRTB system with data protection authorities in the UK by Open Rights Group executive director Jim Killock and privacy researcher Michael Veale; in Ireland by Johnny Ryan of the ad-blocking browser Brave; and in Poland by Panoptykon Foundation president Katarzyna Szymielewicz. These complaints allege that programmatic advertising using real-time auctions, and specifically the IAB Tech Lab OpenRTB protocol, is inherently incompatible with EU data protection law. Moreover, the complaints allege that the mere use of OpenRTB inevitably entails a large-scale, uncontrolled release of users’ personal data without their being aware of it or able to do anything about it. The complaints also took aim directly at IAB Europe’s Transparency & Consent Framework (TCF), claiming that the TCF facilitates the purported breaches.
These claims are not only false but are intentionally damaging to the digital advertising industry and to European digital media that depend on advertising as a revenue stream.
Digital Advertising Complying with GDPR.
In April 2017, a year before GDPR came into force, in the context of discussing the then newly proposed ePrivacy Regulation, IAB Europe sent the European Commission a document to highlight challenges for the digital media and advertising industry to operate under the proposed combination of GDPR and ePrivacy rules. IAB Europe commented that “it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario” — a circumstance that was true at the time but has changed since.
Around the same time during 2017, IAB Europe, which represents a cross-section of the media, publishing, and advertising industry, began seeking solutions to these challenges, and started to design and develop a framework to help all parties in the digital advertising chain comply with GDPR transparency and consent requirements. IAB Europe was concerned that without an industry standard, compliance would — at best — be expensive as a result of a fragmentation of solutions that are not interoperable, and — at worst — practically impossible for lack of cross-industry cooperation and coordination. The resulting uncertainty and confusion for the online advertising ecosystem could have presented an existential challenge, which no one would want to see happen.
The objective of the Framework is to give the media and advertising industry a common way of providing transparency, and a common language with which to communicate consumer choices for the processing of personal data in connection with online advertising and related purposes. IAB Europe, which manages and operates this Framework and its Policies today, collaborates with the IAB Tech Lab on the technical governance of the technical specifications used in the Framework. The Transparency & Consent Framework (TCF) was launched on 25 April. It is the only GDPR transparency and consent mechanism that has been built by the industry, for the industry, creating a true industry-standard approach.
The TCF enables users to receive information and give consent “in advance” to a number of vendors, who are thereby able to process their personal data lawfully. In effect it creates a pool of one or more vendors who have prior permission to process personal data and informs them of their permission status through a near real-time signal. Receiving a signal of prior transparency and/or consent enables the recipient of the signal to know whether it may lawfully process personal data or access a user’s device (to place cookies, for example). The TCF enables users to receive information about, and give consent in advance to, a set of controllers, only a subset of whom may end up processing their personal data in connection with any given ad impression. The outcome for the user is the same as if there had been bilateral communication between the user and a vendor wanting to process user data in connection with delivering an ad (with the vendor asking before processing the data). The Framework demonstrates that real-time bidding is certainly not “incompatible with consent under GDPR”.
OpenRTB is a protocol – that is, a set of rules and guidelines for communicating data. Protocols are neutral – they just say how information is to be laid out so that everyone who implements them understands everyone else. An example of a very simple protocol is the way we typically write out dates in shorthand. In Europe, the expected order is day-month-year. Because everyone uses the same “protocol” for this purpose, we all know what is meant by “01.02.2019”, 01/02/2019 or 01-02-2019. The protocol does not say anything about why anyone wants to flag a particular date – it just gives us a universally recognised way of doing it so that we do not waste time wondering what the information means. The OpenRTB protocol is a tool that can be used to determine which advertisement should be served on a given web page at a given time. Data can inform that determination. Like all tools, OpenRTB must be used in a way that complies with the law. Doing so is entirely possible. More importantly, doing so is greatly facilitated by using the IAB Europe Transparency & Consent Framework, whose whole raison d’être is to help ensure that the collection and processing of user data is done in full compliance with EU privacy and data protection rules, most notably the General Data Protection Regulation (GDPR) and the ePrivacy Directive.
Neither OpenRTB nor the TCF can be used to physically prevent the illegal transmission of user data to parties that have no legal right to receive it, but the law does not require them to. Instead, it provides for punitive sanctions when such (mis)conduct by those using the systems occurs. A website (or an intermediary operating on a site) that knowingly shares user data with parties that have no legal right to receive it is enabling a breach of the law. Processing personal data without a valid legal basis is a clear breach of the law, as well as of TCF policies. CMPs and vendors who are found to do so will face consequences: they are potentially subject to enforcement action by data protection authorities, and as a consequence may be fined up to 4% of their annual turnover or EUR 20 million (whichever is larger) under the GDPR, in addition to being banned from using the TCF.
There are many instances in daily life where the law provides for ex post sanctions in case of breaches rather than ex ante requirements that prevent the opportunity for a breach from even arising. Automobiles are not required to integrate functionality that absolutely prevents them from exceeding the speed limit – instead, drivers who do so are sanctioned with fines and/or deprived of their permits. The GDPR does not prohibit all processing of personal data; instead it sets out the conditions under which processing of personal data is lawful. None of these conditions is an absolute technical one, nor do they require companies to implement technologies that physically block data collection and processing.
IAB Europe has consistently tried to present the counter-arguments and correct information outlined above to the claimants. However, they have consistently chosen to ignore the facts and bring more inaccurate information to their case. Their errors of omission could therefore be characterised as either misrepresentations or simply fabrications.