W3C

– DRAFT –
IAB Europe's Transparency and Control Framework

30 October 2020

Attendees

Present
AramZS, Bert, gendler, Jemma, JohnWilander, kris_chapman, masaya_ikeo, naomi, pl_mrcy, robin, wseltzer, yoshi
Regrets
-
Chair
-
Scribe
kleber

Meeting minutes

<Ralph> if someone wishes to take notes here, that would be appreciated

<wseltzer_2> Slides: https://lists.w3.org/Archives/Public/www-archive/2020Oct/att-0011/IAB_TCF.pdf

Townsend_Feehan: We've been watching the work in the Improving Web Adv BG for the last several months; that is not a venue for debating policy
… TPAC does seem like a place for that sort of discussion, and could possibly inform BG work in the future
… Want to put the BG work in an EU context, discuss the EU's legislative framework, and discuss the Transparency & Control Framework, IAB's way to address that law
… web-adv BG has focused on browsers, and on cross-site tracking for digital advertising
… EU has a very demanding privacy framework, but *does* allow cross-site tracking inside those guidelines
… want to cover EU regulatory framework, and how TCF enables compliance with the two relevant laws
… We believe the future landscape needs to accommodate multiple paradigms, including the one TCF was developed against
… We are actively seeking more browser engagement on TCF's evolution

<robin> Question: what is meant by "safely" engaging in cross-context tracking?

Townsend_Feehan: EU law has two concepts: Privacy, and Data Protection
… Privacy is addressed by ePrivacy Directive, the "cookie directive"
… opt-in consent based on prior understanding
… doesn't care about personal data; any cookie stored on device requires consent of the user to store or access
… Protection of Personal Data is addressed by GDPR — 2018 extension of preexisting 1995 law
… GDPR's paradigm is that you may not process personal data, but there are exceptions to that prohibition, a.k.a. "legal bases"
… six of these, of which three are relevant for advertising: Consent, Legitimate Interest, and Contract
… Consent must be "specific", "informed", "unambiguous", and "freely-given"; there is a whole corpus on how to interpret those terms
… key features: personal data is very broadly defined, including "indirectly identify a user", explicitly including IP address and also including pseudonymous identifiers
… Legal bases for processing are narrower than they were under the 1995 directive, and consent is much more constraining
… Basic paradigm is informed choice: As long as certain pieces of information are disclosed to the user at certain moments, the user is informed to make certain choices
… this is coupled with privacy by design and by default, and puts a lot of responsibility on the user, and therefore on the industry, to provide the user with enough information to make meaningful choices
… free movement of information across the EU depends on this
… There are specific user rights and specific data controller obligations, enforced by independent authorities
… steep monetary fines for breaches for GDPR
… GDPR explicitly speaks to processing of personal data for digital advertising
… Principles: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy,...
… There are user rights and data controller obligations derived from those principles
… The IAB Transparency & Control Framework (TCF) lives in this framework
… problem TCF is trying to solve: All parties need a legal basis to process data, but only first parties are in a direct position to obtain it due to lack of direct line of communication to user
… TCF standardizes language for UI, an API, and a format for transmitting user choices
… that user choice string provides proof of consent, which is important for showing you had legal basis for processing
… Four parts of the framework: UI, TCF Policies, Global Vendor List, and TCF Technical Specs
… GVL (Global Vendor List) has ~600 vendors who are bound by Terms & Conditions to adhere to policies, provide information that is disclosed to users
… TCF Policies are what the vendors agree to: they describe the purposes under which data may be processed, and govern how information must be disclosed, where, in what layer of a UI, what needs to happen before any data is stored, etc
… v1 of framework & policies came out in 2018, v2 rolled out in Aug-Sept 2020
… Tech Specs implement these policies; this is hosted by the IAB Tech Lab (vs. previous two parts which are hosted by IAB Europe)
… UI is the visible part of the framework — mediated by CMP = Consent Management Provider, providing information disclosure, gets user choices, makes those choices available to site & vendors
… The UI is the part of the experience controlled by the publisher, and some parts are standardized to get legal certainty, but other parts are up to the choice of the site owner
… publishers still get to control and frame their relations to the user, while interpretation of the law is standardized
… TCF interpretation of the law is on the conservative side
… (schematic of basic ad call: user -> web site -> ad exchange -> fanout to many ad tech companies)
… GDPR applies to personal data, broadly construed — includes identified data like name & address, and also identifiable, like IP address or browsing behavior
… Ongoing questions about the legal bases "legitimate interest"
… TCF allows vendors to declare whether they are processing under consent, legit interest, or both
… overall TCF is a new development which enables new transparency not previously available
… (pictures of example UIs)
… Standardization has more benefits, beyond efficiency — consistent presentation of purposes and definitions makes it easier for users to understand
… also helps *companies* better understand what data processing they themselves are doing
… breaking out Basic Ads / Personalized ads profile building / Show personalized ads / Ads measurement / etc, total of 10 purposes
… TCF v1 was shown around to a bunch of EU Data Protection Authorities, got feedback that the language was too legalistic, so in v2 language is much more user-friendly in addition to legal
… also added "stacks of purposes", which are a combination of more atomic purposes, e.g. showing a combined purposes "Personalized ads and ads measurement" comprising the four above
… trying to reconcile the need to make consent informed and specific, with the need to make the information presented to the user understandable
… Governance: IAB Europe + 25 national IABs + IAB Tech Lab
… open-source, cross-industry standard with multi-stakeholder governance
… Compliance enforcement: Suspension for breaches of TCF policies
… Update: Publishers don't register, so don't have exact numbers, but hundreds of thousands of sites, including outside-EU sites since relevant when EU visitors come to them
… over 600 vendors, 120 CMPs
… 70-80% of non-app bid requests from EU web sites carry a TCF string
… Aspiration to have a version of TCF approved as a GDPR trans-national Code of Conduct in 2021
… technical measures are in progress to ensure integrity of the TCF string

Robin Berjon: What do you mean by "safely processing personal data at scale"? By nature, broadcast of personal information is inherently unsafe

<AramZS> are we managing the queue on here or on Zoom?

Feehan: Challenging the assumption that underlies the web-adv BG work. We believe it is possible to process personal information in a way that protects privacy

Robin: The question is the scale and the frequency — how can you make that more safe?

Feehan: TCF is a legal compliance standard, not about changing processing practices. Means to achieve consumer protection

Gerben: Q about Belgian DPA investigation finding TCF to be in conflict with GDPR

Feehan: A fair reading is that the TCF itself isn't in conflict. Mostly there is a novel and contestable finding that IAB Europe itself is a data controller
… The report queries the legality of the TCF using Legit Interest. GDPR allows that; this is a DPA opinion about cross-site tracking. What's written in the report is that the framework may breach the law by offering Legit Interest as a basis for profiling
… Second, report says that TCF doesn't offer adequate rules regarding sensitive data, e.g. sexual orientation, trade union membership, etc. You can't use TCF to process those sorts of data, so really doesn't apply to us
… Third, provisional conclusion that TCF breaches GDPR because it allows a CMP to stop working with a publisher if it suspects the publisher breaches policies, but it doesn't *require* that suspension
… but actually policies say CMPs must stop acting on any information from a publisher it knows to be violating policies, and to pass along that information
… Overall this is not central to the TCF framework, and all stuff we will explore with them
… Surprising that IAB Europe might be a data controller — this should be of major interest to the W3C which likewise creates standards for other companies to implement
… GDPR provides encouragement for trade associations to draft codes of conduct; pretty obviously, nobody will want to draw one up if the host association is going to be found a co-controller with everyone who implements

Libor Polcak: Published research that CMPs and publishers don't respect user choice.
… you said that you have a program to check compliance, but I don't think we see that in practice

Feehan: There are surely instances of non-compliant behavior by websites that implement TCF (and sites that don't also!)
… Between 15 Aug and 30 Sept, it was still allowed to use TCF v1.1 signals, v2 only started on Sept 30, and we have some enforcement actions underway at the moment
… happy to have our attention brought to any violations
… noncompliance is in nobody's interest

Aram Z-S: What plans to implement auditing in the middle of the ecosystem, not just at publisher? Any plans to implement a mechanical method to avoid leaking information on the back-end?
… reports in the trade press about consent string fraud occurring among vendors
… I haven't seen any middle vendors brought up for such violations
… what happens to people who don't follow the rules?

Feehan: If you don't follow the rules, we suspend you from the framework, and publicize information about the nature of breaches, including communicating to DPAs
… Law enforced by regulators, not by us
… We started by enforcing against CMPs (around 140), harder to enforce against vendors (around 600)
… We are in the process of developing tools, automated and manual, to check on the behavior of vendors
… Can't speak yet to what it will consist of, but acceptance among publishers is conditional on compliance falling not only on CMPs but on other layers of the stack also
… stay tuned, more to come, probably later this year

Alex Cone (IAB Tech Lab PM): We have two working groups at Tech Lab dedicated to technical accountability, and to continued iteration on frameworks
… work in progress right now include signing of consent strings to combat consent-string fraud
… and the technical auditing mechanism to support compliance, including standardized logging of transactions, scrubbed of user data, but enough to data-mine for anomalous behavior that is a sign of mis-behavior
… there are a lot of incentives for publishers to keep their data protected, not having publishers taken down by bad behavior of others

<robin> kleber: how many companies have been enforced against so far, is there a public list?

kleber: Any suspensions yet? How many? And public list of suspensions?

Feehan: No suspensions yet in v2, just in transition from v1 right now

Feehan: What happens if Belgian DPA concludes TCF is not in compliance? (The three questions from before)
… Way to fix these: (1) don't use Legit Interest as a legal basis for profiling, (2) don't process special-category data with TCF which you shouldn't anyway, (3) stop working with publishers who are non-compliant

Aram Z-S: Is there any intent to lower cost bar for CMPs to register? To allow non-profits or orgs motivated in different ways to participate

Feehan: Currently 1200 euro annual fee for CMPs. We would be open to considering adaptations of fees. Reach out to us

Minutes manually created (not a transcript), formatted by scribe.perl version 124 (Wed Oct 28 18:08:33 2020 UTC).