In February of this year, the Belgian Data Protection Authority (DPA) dropped a bombshell on the ad industry when they ruled that the Interactive Advertising Bureau’s (IAB) Transparency and Consent Framework (TCF) violated the General Data Protection Regulation (GDPR) in several critical ways. Admittedly, that alphabet soup doesn’t exactly sound like a bombshell.

So, let’s go beyond the acronyms and break down what this means for publishers going forward.

The ruling

First, the basics. The GDPR requires companies to have a valid legal basis tied to a specific purpose before processing any personal data from consumers. The two most popular bases are consent (affirmative and freely given) and legitimate interest (essentially, the benefit to the consumer from the use of their data outweighs the risk). Although it should be noted that Facebook decided to take its own direction by using a contract as its basis, a strategy that is quickly unraveling.

To maintain the free flow of data that currently fuels a wide swath of digital advertising, the IAB created the TCF which allows companies to transfer their legal basis for the data used in the buying and selling of advertising inventory in a real-time bidding format. Under the TCF, a publisher can note whether or not they have a legal basis to process a consumer’s personal data. Then, advertisers and ad tech companies can decide whether to bid on the ability to show an ad to that person.

The Belgian DPA received several complaints, including one from Johnny Ryan at the Irish Council for Civil Liberties, that the IAB’s TCF violated the GDPR. In short, the TCF was criticized for facilitating the widespread dissemination of personal data to the entire industry without any real controls on the access, use or auditing of that data. Specifically, the DPA found that:

1. The TCF and the ad tech companies using the TCF were processing a ton of personal data without any legal basis and certainly beyond any legal basis claimed by the publisher.

2. The IAB failed to properly educate consumers given the complexity of the data processing.

3. The IAB deployed no technical measures to limit unauthorized access to personal data.

4. The IAB was operating as a controller of data and, thus, should have kept a register of activities, appointed a data protection officer and conducted a data protection impact assessment.

The DPA ruled the TCF invalid and fined the IAB 250,000 Euro per day. The IAB is currently appealing in the hopes of making small changes to satisfy regulators. However, many insiders are skeptical that the IAB’s proposals will suffice. The fundamental problem is that the current ad industry is built on the ability to collect and share consumer data at will and at scale. And GDPR enforcers want meaningful change with meaningful protections for consumers. This approach to maintain status quo simply does not satisfy that requirement.

Impact on data-centric ad businesses

Let’s assume that the Belgian and other European regulators win on appeal and the TCF is required to undergo major changes. What does that mean for the ad marketplace, for real time bidding and for publishers?

For starters, ad marketplaces will be required to handle consumer data more carefully. Allowing free-for-all access to consumer personal data by any company that agrees to the terms of service just won’t fly. They may need to deploy technical measures to mask personal data and/or limit access to only those companies with a sound legal basis.

Of course, this could be a problem for some of the IAB’s biggest members and hundreds of ad tech intermediaries, which are dependent upon the ability to profile consumers silently across the web. However, should a more consumer-friendly, less data-invasive approach win out, advertisers will need to learn to rely far less third party data. The certainly won’t want to open themselves up to liability for using illegally-sourced personal data.

Marketplaces and the shifting data market

The second major impact will be on the organizations that run marketplaces. The IAB attempted to craft a framework which would save the status quo of third-party, behaviorally targeted advertising because that is the moneymaker for its biggest members and the sea of intermediaries who mine and resell access to user profile data as a core business model. However, a fine of 250,000 Euro per day is likely too rich even for the dominant platforms.

Going forward, organizations that want to offer automated ad marketplaces will have to institute more controls and assume greater liability. There is a real question as to whether any organization will want to take on that role certainly for the entire industry. It’s far more likely (at least in the short term) that smaller organizations will stand up marketplaces with segments of industry.

CPRA follows suit

Third, the issues at play on the European landscape are likely to play out similarly on the California coastline. California regulators have just recently proposed a set of draft regulations for compliance with the California Privacy Rights Act (CPRA). Starting next year, the collection and use of Californians’ personal data will be regulated in ways that are very similar to European law. Whatever solutions emerge to satisfy European regulators will have a very good chance of satisfying California regulators.

Future focused

Undoubtedly, the IAB faces significant pressure from its most powerful members such as Google and Facebook and the long-tail of adtech solution companies. Given that their businesses have been built on the ability to collect data (even off-platform, when consumers do not expect it), they are deeply invested in finding a way to comply with emerging regulations in a way that ultimately allows them to continue their business more or less as usual. In Europe, their strategy has been to put off any major interruption to their massive data-collection-and-use model for as long as possible.

But these businesses that have dominated the digital advertising market do not represent the only way of doing business. While regulation certainly changes the market, it does not inherently change things for the worse.

In fact, I’ll leave you with a feel-good fact: A revamped and GDPR/CPRA compliant ad marketplace could elevate premium publishers. They enjoy trusted, direct relationships with consumers. Instead of a wild west marketplace where all kinds of actors stake dubious claims of proper legal bases, the premium publishers, which are on far more solid legal ground, would be in a strong position of controlling access to a limited supply of consumers.