Data Collaboration Platform Playbook On-Demand Get Yours Now

Implementing TCF: Why It Shouldn’t Be So Challenging

By Chris Hogg, Chief Revenue Officer

If we work together, we can give consumers what they want from the digital economy — along with the privacy protections that they need.

You won’t find many people in the digital ecosystem who don’t think implementing TCF, a new framework for responsibly obtaining consumer consent and handling consumer data, is a good and necessary step. (Although, to be sure, there are some. More on that later.) Even Google is onboard, and if anyone might have reason to resist a change in the status quo, it would be them.

So why hasn’t it happened yet?

A complete answer would be impossibly long and complicated to piece together. The short answer? It’s difficult to spread accountability among the various stakeholders — publishers, brands, regulatory agencies, etc. — in a way that would be practical even to document, let alone enforce.

There isn’t even an agreement on how to best take that first step: obtaining consumer consent. Moreover, there is a lack of consensus on what the penalties should be for noncompliance — and what the mechanism would be for applying them.

Oh: And there’s also the conundrum of operating within an interconnected global economy that is regulated by an ad hoc collection of rules and regulations created by individual regulatory bodies and government entities that all have different agendas.

As just one example of how blurry the jurisdictional lines can get, there’s the piece of privacy litigation targeted at the high-speed online ad auction process known as real-time bidding (RTB). It was initiated by the Irish Council for Civil Liberties (ICCL) against New York-based IAB Tech Labs through a court in Germany.

How did we reach this point and where do we go next as we try to implement TCF? Let’s try to get some sorely needed perspective.

The TCF Story So Far

TCF, or Transparency and Consent Framework, was launched by the IAB (Interactive Advertising Bureau) Europe on April 25, 2018. It was a good-faith attempt to get ahead of the EU General Data Protection Regulation (GDPR) standards that were set to go into effect a month later.

In IAB Europe’s own words: “TCF’s simple objective is to help all parties in the digital advertising chain ensure that they comply with the EU’s GDPR and ePrivacy Directive when processing personal data or accessing and/or storing information on a user’s device, such as cookies, advertising identifiers, device identifiers and other similar technologies. By implementing TCF an environment is created where website publishers can inform visitors of the purposes for which their data is being collected. The TCF gives the publishing and advertising industries a common method with which to communicate consumer consent for the delivery of relevant online advertising and content.”

The keyword in that sprawling paragraph is help. That’s not the same as force. For many of those involved, TCF 1.0 simply added a layer of complexity to a task that they were going to have to do to comply with the GDPR anyway.

On August 21, 2019, IAB Europe released TCF v2.0, which attempted to clarify their goals. The IAB made it clear that they were not making the rules — just trying to establish a framework for complying with the GDPR’s requirements. Again, in the IAB’s own words, TCF 2.0 was intended “to support the overall drive of the TCF to increase consumer transparency and choice, management by digital properties of consent and compliance, and industry collaboration that centers on standardization.”

In other words, the TCF was not an attempt to weaken or undermine the GDPR. In fact, it was the opposite — it was an attempt to help everyone better understand the requirements in order to comply with them.

In a classic case of “No good deed goes unpunished,” the IAB ended up in court. The Belgian Data Protection Authority (DPA) found that TCF, developed by IAB Europe, failed to comply with a number of provisions in the GDPR. The basic issue comes down to two different interpretations of  what consent strings are. 

A final decision may not come until 2024. Many anxious months lie ahead.

What Should We Do While We Wait?

Perspective can be hard to come by when you’re in the middle of a revolution involving the use of evolving technology. Each new challenge is so urgent that it’s hard to appreciate the progress made to that point, or to see an endgame. It’s always about solving today’s problems by tomorrow — or else.

So it helps to take a step back and realise that this is not a new phenomenon. Short-term chaos is the cost of long-term progress. Always has been.

For a historical parallel to the evolution of the modern interconnected world, consider the development of the automobile and its associated economic ecosystem. By the early 20th century, it had become apparent that consumer demand for personal motorised vehicles had the potential to reconfigure not just the economy, but also the entire culture.

That’s a critical point worth reiterating: Consumer demand was the driver. It’s not as if people were forced to buy cars. They wanted them.

It was equally apparent, however, that cars posed certain inherent dangers, and society would need a regulatory framework to keep all those novice drivers, not to mention innocent pedestrians, reasonably safe.

For a time, that goal seemed unattainable. Forget about airbags and ABS — early automobiles lacked such basic safety features as seat belts, turn signals, windshield wipers and brake lights. The roads themselves were also hazardous. There were no traffic lights, stop signs, speed limits, etc. Many roads were just primitive, muddy cow paths. (For a time there were also a number of privately owned “toll roads,” similar to walled gardens.) Fatal crashes were appallingly common. A seamless network of paved roads that enabled drivers to go just about anywhere they wanted to go (think: open web) in reasonable safety was decades away.

But eventually, as a society with a shared interest in making this new car culture work, we figured it out. Opposing factions made reasonable compromises for the common good. Driven by the consumer demand that had started the revolution in the first place, the car culture developed a momentum that drove it to the widespread acceptance that in hindsight seems inevitable. A set of universally agreed-upon safety standards was part of that process.

The Road Not Taken

Now, picture what might have happened if those who took the initiative for setting standards for automobile safety had been held legally responsible every time there was an accident. 

Imagine, for example, if the government had asked a panel of engineers to recommend a nationwide speed limit for all motorways. Let’s call our hypothetical engineering panel the Motorway Advisory Board (MAB). And let’s say the MAB recommended a standard of 60 mph, which the government adopted.

Then let’s say an impaired driver going the wrong way on a motorway at 59 mph caused a fatal crash. And the MAB ended up getting sued on the theory that MAB’s 60 mph safety standard failed to prevent a loss of life.

You can imagine the untenable position our hypothetical IAB would be in if it had to defend itself in court every time there was an accident in which speed might have been a factor. But that’s essentially the situation the real IAB will be in if courts hold it responsible for anyone who violates the standards proposed in TCF v2.0.

Beware the Obstructionists

Those of us in the new digital ecosystem must guard against those whose intent appears to extend beyond providing reasonable privacy protections for Internet users, to essentially trying to legislate the Internet right out of existence. (And, yes, as we noted at the beginning, there are some entities who fit that characterisation.)

It should go without saying (but apparently does not) that ad-supported content and e-commerce exists because the vast majority of global citizens demand it. Consumers want the ability to read the news, pursue their hobbies, research products online and make purchases from the comfort and privacy of their own homes. Inevitably, a vast ecosystem of online sales and marketing has sprung up in support of those consumer goals.

Do consumers demand that their personal information be protected as they participate in the Internet’s value exchange? Absolutely. Do online marketers — publishers and brands alike — share that goal? Absolutely. Besides being the right thing to do, guarding against consumer privacy breaches is a matter of self-preservation. Nothing destroys a company’s reputation faster than a privacy breach.

Is setting standards for consumer privacy and mechanisms for enforcing them easy?

Absolutely not. Implementing TCF is difficult, stressful, painstaking, challenging work for everyone involved. But the work is worth doing to achieve our shared goal — just as developing safer cars and motorways was.

And just as motorways will never be completely free of reckless drivers, so too the digital ecosystem will always have to stay vigilant of bad actors intent on doing harm. But we shouldn’t let the perfect be the enemy of the overwhelmingly good.

The Internet is a valuable utility that is here to stay. We need to get everyone involved in the regulatory machinery to agree on that basic premise before we can move forward in implementing TCF. If we can’t create industry-wide standards, we’ll continue to hand more control over to the walled gardens.