13:51:25 RRSAgent has joined #TCF
13:51:25 logging to https://www.w3.org/2020/10/30-TCF-irc
13:51:27 RRSAgent, make logs Public
13:51:29 Meeting: IAB Europe's Transparency and Control Framework
13:59:00 present+
14:01:05 kris_chapman has joined #TCF
14:01:45 LP has joined #TCF
14:01:48 AramZS has joined #TCF
14:01:52 kleber has joined #TCF
14:01:53 present+
14:02:18 present+
14:02:30 robin has joined #TCF
14:02:31 if someone wishes to take notes here, that would be appreciated
14:04:07 scribenick: kleber
14:04:21 dmarti has joined #TCF
14:04:51 Townsend Feehan: We've been watching the work in the Improving Web Adv BG for the last several months; that is not a venue for debating policy
14:05:08 ...TPAC does seem like a place for that sort of discussion, and could possibly inform BG work in the future
14:05:25 wseltzer_2 has joined #TCF
14:05:33 present+ wseltzer
14:05:47 ...Want to put the BG work in an EU context, discuss the EU's legislative framework, and discuss the Transparency & Control Framework, IAB's way to address that law
14:05:51 present+ yoshi, masaya_ikeo, naomi
14:06:20 ...web-adv BG has focused on browsers, and on cross-site tracking for digital advertising
14:06:49 ...EU has a very demanding privacy framework, but *does* allow cross-site tracking inside those guidelines
14:07:18 ...want to cover EU regulatory framework, and how TCF enables compliance with the two relevant laws
14:07:22 JohnWilander has joined #TCF
14:07:29 pl_mrcy has joined #tcf
14:07:29 present+
14:07:35 present+
14:07:48 ...We believe the future landscape needs to accommodate multiple paradigms, including the one TCF was developed against
14:08:05 ...We are actively seeking more browser engagement on TCF's evolution
14:08:20 present+
14:08:37 Question: what is meant by "safely" engaging in cross-context tracking?
14:08:39 ...EU law has two concepts: Privacy, and Data Protection
14:09:19 ...Privacy is addressed by ePrivacy Directive, the "cookie directive"
14:09:38 ...opt-in consent based on prior understanding
14:09:52 ...doesn't care about personal data; any cookie stored on device requires consent of the user to store or access
14:10:28 ...Protection of Personal Data is addressed by GDPR — 2018 extension of preexisting 1995 law
14:11:14 ...GDPR's paradigm is that you may not process personal data, but there are exceptions to that prohibition, a.k.a. "legal bases"
14:11:40 ...six of these, of which three are relevant for advertising: Consent, Legitimate Interest, and Contract
14:11:46 asoltani has joined #TCF
14:12:26 ...Consent must be "specific", "informed", "unambiguous", and "freely-given"; there is a whole corpus on how to interpret those terms
14:12:58 Townsend will look at questions in Zoom chat when she pauses
14:13:07 ...key features: personal data is very broadly defined, including "indirectly identify a user", explicitly including IP address and also including pseudonymous identifiers
14:13:13 s/Townsend will look at questions in Zoom chat when she pauses//
14:13:27 ...Legal bases for processing are narrower than they were under the 1995 directive, and consent is much more constraining
14:14:01 ...Basic paradigm is informed choice: As long as certain pieces of information are disclosed to the user at certain moments, the user is informed to make certain choices
14:14:34 ...this is coupled with privacy by design and by default, and puts a lot of responsibility on the user, and therefore on the industry, to provide the user with enough information to make meaningful choices
14:14:46 ...free movement of information across the EU depends on this
14:15:35 ...There are specific user rights and specific data controller obligations, enforced by independent authorities
14:15:56 ...steep monetary fines for breaches of GDPR
14:16:21 ...GDPR explicitly speaks to processing of personal data for digital advertising
14:16:49 ...Principles: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy,...
14:17:09 ...There are user rights and data controller obligations derived from those principles
14:17:58 ...The IAB Transparency & Control Framework (TCF) lives in this framework
14:18:54 ...problem TCF is trying to solve: All parties need a legal basis to process data, but only first parties are in a direct position to obtain it due to lack of direct line of communication to user
14:19:37 ...TCF standardizes language for UI, an API, and a format for transmitting user choices
14:20:06 ...that user choice string provides proof of consent, which is important for showing you had legal basis for processing
14:20:46 ...Four parts of the framework: UI, TCF Policies, Global Vendor List, and TCF Technical Specs
14:21:22 ...GVL (Global Vendor List) has ~600 vendors who are bound by Terms & Conditions to adhere to policies, provide information that is disclosed to users
14:22:15 ...TCF Policies are what the vendors agree to: they describe the purposes under which data may be processed, and govern how information must be disclosed, where, in what layer of a UI, what needs to happen before any data is stored, etc
14:22:34 ...v1 of framework & policies came out in 2018, v2 rolled out in Aug-Sept 2020
14:23:09 ...Tech Specs implement these policies; this is hosted by the IAB Tech Lab (vs. previous two parts which are hosted by IAB Europe)
14:24:06 ...UI is the visible part of the framework — mediated by CMP = Consent Management Provider, providing information disclosure, gets user choices, makes those choices available to site & vendors
14:24:39 ...The UI is the part of the experience controlled by the publisher, and some parts are standardized to get legal certainty, but other parts are up to the choice of the site owner
14:25:28 ...publishers still get to control and frame their relations to the user, while interpretation of the law is standardized
14:25:39 ...TCF interpretation of the law is on the conservative side
14:26:22 robin has joined #TCF
14:26:23 ...(schematic of basic ad call: user -> web site -> ad exchange -> fanout to many ad tech companies)
14:26:59 ...GDPR applies to personal data, broadly construed — includes identified data like name & address, and also identifiable, like IP address or browsing behavior
14:27:16 ...Ongoing questions about the legal basis "legitimate interest"
14:27:39 ...TCF allows vendors to declare whether they are processing under consent, legit interest, or both
14:28:34 ...overall TCF is a new development which enables new transparency not previously available
14:28:58 ...(pictures of example UIs)
14:29:35 ...Standardization has more benefits, beyond efficiency — consistent presentation of purposes and definitions makes it easier for users to understand
14:29:51 ...also helps *companies* better understand what data processing they themselves are doing
14:30:31 ...breaking out Basic Ads / Personalized ads profile building / Show personalized ads / Ads measurement / etc, total of 10 purposes
14:30:46 rrsagent, pointer?
14:30:46 See https://www.w3.org/2020/10/30-TCF-irc#T14-30-46
14:31:38 ...TCF v1 was shown around to a bunch of EU Data Protection Authorities, got feedback that the language was too legalistic, so in v2 language is much more user-friendly in addition to legal
14:32:08 Jemma has joined #tcf
14:32:21 ...also added "stacks of purposes", which are a combination of more atomic purposes, e.g. showing a combined purpose "Personalized ads and ads measurement" comprising the four above
14:32:50 ...trying to reconcile the need to make consent informed and specific, with the need to make the information presented to the user understandable
14:33:16 rrsagent, make minutes
14:33:16 I have made the request to generate https://www.w3.org/2020/10/30-TCF-minutes.html Jemma
14:33:21 ...Governance: IAB Europe + 25 national IABs + IAB Tech Lab
14:33:43 ...open-source, cross-industry standard with multi-stakeholder governance
14:34:03 ...Compliance enforcement: Suspension for breaches of TCF policies
14:34:56 ...Update: Publishers don't register, so don't have exact numbers, but hundreds of thousands of sites, including outside-EU sites since relevant when EU visitors come to them
14:35:08 ...over 600 vendors, 120 CMPs
14:35:25 ...70-80% of non-app bid requests from EU web sites carry a TCF string
14:35:41 gendler has joined #TCF
14:35:45 ...Aspiration to have a version of TCF approved as a GDPR trans-national Code of Conduct in 2021
14:36:03 ...technical measures are in progress to ensure integrity of the TCF string
14:36:44 present+
14:36:54 florian_irc has joined #TCF
14:37:28 Robin Berjon: What do you mean by "safely processing personal data at scale"? By nature, broadcast of personal information is inherently unsafe
14:37:41 -> https://lists.w3.org/Archives/Public/www-archive/2020Oct/att-0011/IAB_TCF.pdf Slides
14:38:16 present+
14:38:34 are we managing the queue on here or on Zoom?
14:38:36 Feehan: Challenging the assumption that underlies the web-adv BG work. We believe it is possible to process personal information in a way that protects privacy
14:38:39 i|Townsend Feehan|-> https://lists.w3.org/Archives/Public/www-archive/2020Oct/att-0011/IAB_TCF.pdf Slides
14:38:49 s/Townsend Feehan/Townsend_Feehan/
14:38:55 Robin: The question is the scale and the frequency — how can you make that more safe?
14:39:24 Feehan: TCF is a legal compliance standard, not about changing processing practices. Means to achieve consumer protection
14:40:15 Gerben: Q about Belgian DPA investigation finding TCF to be in conflict with GDPR
14:40:54 Feehan: A fair reading is that the TCF itself isn't in conflict. Mostly there is a novel and contestable finding that IAB Europe itself is a data controller
14:42:04 ...The report queries the legality of the TCF using Legit Interest. GDPR allows that; this is a DPA opinion about cross-site tracking. What's written in the report is that the framework may breach the law by offering Legit Interest as a basis for profiling
14:42:52 ...Second, report says that TCF doesn't offer adequate rules regarding sensitive data, e.g. sexual orientation, trade union membership, etc. You can't use TCF to process those sorts of data, so really doesn't apply to us
14:43:33 ...Third, provisional conclusion that TCF breaches GDPR because it allows a CMP to stop working with a publisher if it suspects the publisher breaches policies, but it doesn't *require* that suspension
14:44:04 ...but actually policies say CMPs must stop acting on any information from a publisher it knows to be violating policies, and to pass along that information
14:44:41 ...Overall this is not central to the TCF framework, and all stuff we will explore with them
14:45:10 kazho has joined #TCF
14:45:28 ...Surprising that IAB Europe might be a data controller — this should be of major interest to the W3C which likewise creates standards for other companies to implement
14:46:06 ...GDPR provides encouragement for trade associations to draft codes of conduct; pretty obviously, nobody will want to draw one up if the host association is going to be found a co-controller with everyone who implements
14:46:45 Libor Polcak: Published research that CMPs and publishers don't respect user choice.
14:47:02 ...you said that you have a program to check compliance, but I don't think we see that in practice
14:47:21 Feehan: There are surely instances of non-compliant behavior by websites that implement TCF (and sites that don't also!)
14:48:02 ...Between 15 Aug and 30 Sept, it was still allowed to use TCF v1.1 signals, v2 only started on Sept 30, and we have some enforcement actions underway at the moment
14:48:20 ...happy to have our attention brought to any violations
14:48:41 ...noncompliance is in nobody's interest
14:49:26 Aram Z-S: What plans to implement auditing in the middle of the ecosystem, not just at publisher? Any plans to implement a mechanical method to avoid leaking information on the back-end?
14:49:37 ...reports in the trade press about consent string fraud occurring among vendors
14:49:52 ...I haven't seen any middle vendors brought up for such violations
14:49:59 ...what happens to people who don't follow the rules?
14:50:34 Feehan: If you don't follow the rules, we suspend you from the framework, and publicize information about the nature of breaches, including communicating to DPAs
14:50:47 ...Law enforced by regulators, not by us
14:51:12 ...We started by enforcing against CMPs (around 140), harder to enforce against vendors (around 600)
14:51:31 ...We are in the process of developing tools, automated and manual, to check on the behavior of vendors
14:52:06 ...Can't speak yet to what it will consist of, but acceptance among publishers is conditional on compliance falling not only on CMPs but on other layers of the stack also
14:52:15 ...stay tuned, more to come, probably later this year
14:53:16 Alex Cone (IAB Tech Lab PM): We have two working groups at Tech Lab dedicated to technical accountability, and to continued iteration on frameworks
14:53:41 ...work in progress right now includes signing of consent strings to combat consent-string fraud
14:54:26 ...and the technical auditing mechanism to support compliance, including standardized logging of transactions, scrubbed of user data, but enough to data-mine for anomalous behavior that is a sign of mis-behavior
14:54:48 ...there are a lot of incentives for publishers to keep their data protected, not having publishers taken down by bad behavior of others
14:55:48 kleber: how many companies have been enforced against so far, is there a public list?
14:56:08 kleber: Any suspensions yet? How many? And public list of suspensions?
14:56:22 Feehan: No suspensions yet in v2, just in transition from v1 right now
14:56:29 sauski has joined #TCF
14:56:51 Feehan: What happens if Belgian DPA concludes TCF is not in compliance? (The three questions from before)
14:57:36 ...Way to fix these: (1) don't use Legit Interest as a legal basis for profiling, (2) don't process special-category data with TCF which you shouldn't anyway, (3) stop working with publishers who are non-compliant
14:58:22 Aram Z-S: Is there any intent to lower the cost bar for CMPs to register? To allow non-profits or orgs motivated in different ways to participate
14:58:53 Feehan: Currently 1200 euro annual fee for CMPs. We would be open to considering adaptations of fees. Reach out to us
15:00:17 rrsagent, draft minutes
15:00:17 I have made the request to generate https://www.w3.org/2020/10/30-TCF-minutes.html wseltzer_2
15:09:57 zakim, end meeting
15:09:57 As of this point the attendees have been Bert, AramZS, kris_chapman, wseltzer, yoshi, masaya_ikeo, naomi, JohnWilander, pl_mrcy, robin, gendler, Jemma
15:09:59 RRSAgent, please draft minutes v2
15:09:59 I have made the request to generate https://www.w3.org/2020/10/30-TCF-minutes.html Zakim
15:10:03 I am happy to have been of service, Ralph; please remember to excuse RRSAgent. Goodbye
15:10:07 Zakim has left #TCF