For publishers, complying with the impending General Data Protection Regulation and the eventual ePrivacy law continues to involve a series of trust falls — too many for publishers’ comfort.

On April 25 — a month before GDPR takes effect — the Interactive Advertising Bureau Europe and IAB Tech Lab officially released a framework for publishers to ask if it is OK for the publisher and their ad tech vendors to collect and use people’s data. The framework is meant to maintain the status quo of targeted online advertising while abiding by GDPR’s transparency rules and preparing for ePrivacy’s consent decree.

But publishers balked at the initial framework, saying it wasn’t transparent enough about how vendors would use the data. Quantcast, along with some publishers in the GDPR Implementation Working Group, had “major concerns because they understand that they are liable for everything and wanted to make sure that we were closing loopholes,” said Somer Simpson, product lead at ad-measurement firm Quantcast and a member of the working group.

So a week after releasing the official framework, IAB Europe and IAB Tech Lab released an update that clarified what vendors would do with publishers’ audience data and gave publishers more control over which vendors could access that data.

The updated framework forces vendors to disclose to publishers and, by extension, to publishers’ audiences if they’ll use the data collected from someone visiting a publisher’s site to target them with ads on other sites or apps, or to personalize the content they’re shown on those other sites or apps. Specifically, vendors have to list that use as one of five so-called “purposes” — up from the original four purposes — they can cite when asking for a publisher’s audience data.

“This is mainly driven by requests from publishers because a few of them felt like the original four purposes were bundling too much, which is kind of an anti-GDPR approach,” said Simpson.

Issues remain with IAB Europe’s framework. Most glaringly, the official version of the updated framework won’t be released until after GDPR takes effect. The framework is designed to evolve as the regulation itself evolves in Europe and beyond, said Alice Lincoln, vp of data policy and governance at MediaMath and chair of IAB Europe’s Working Group on Consent. She said more updates will occur to the framework after the May 25 deadline to give publishers additional control.

But it’s unclear how much control publishers would actually get. Publishers can stipulate which vendors are allowed to use their data and condition that access based on what vendors say they plan to do with the data, but it’s more of a request than a requirement or, as Simpson put it, “a strongly worded suggestion.” The framework operates under an honor code, in the same way that Do Not Track (R.I.P.) did. “This requires every vendor to be able to understand and honor the signal, but a publisher can’t actually stop that,” said Simpson.

The flimsy control is made more problematic to publishers by the fact that vendors can claim to be able to use people’s data without consent by asserting they have a “legitimate interest” to do so. But no one knows if the legitimate-interest loophole covers any advertising-related usage of people’s data.

“There’s conflicting legal advice on legitimate interest and whether it applies to advertising at all,” said John Potter, chief technology officer of Purch and member of IAB Tech Lab’s GDPR Technical Working Group.

Regulators have largely left legitimate interest as an open question, and to the extent they have answered it, those answers can vary by regulator. “Different countries within the EU have different definitions for legitimate interest. So not only is it a subjective interpretative piece of legislation, but that subjectivity is slightly more extreme by market,” said Andrew Casale, CEO of Index Exchange.



Despite the lack of certainty, as of press time, 52 of the 99 vendors participating in IAB Europe’s framework claim legitimate interest for at least one of the ways they plan to use people’s data, according to a Digiday analysis. And 21 of the vendors claim legitimate interest for using the data to target ads and personalize content when someone uses a site or app other than the one the person had given consent to collect and use their data.

“Me deciding whether another company has a legitimate interest, it doesn’t really work that way,” Lincoln said. “I can have my own opinion about it, and based on that, recommend whether we work with a company or not. But to determine whether they quote-unquote really have it, it’s not that black and white.”

Despite the uncertainty involved in complying with GDPR by the deadline, the largest leap of faith by many publishers and ad tech vendors may be the idea that the deadline is not a hard one.

“From a pure regulation standpoint, there is no requirement to be fully ready on the 25th of May,” said Romain Job, chief product officer at ad tech firm Smart. “Regulators have been saying on different occasions that they will allow some time for companies to comply with the GDPR. What they want to see is that everyone has some initiative going in the right direction.”
