But if you want to deposit your cookies, do you have to apply the TCF protocol? We talked to Me Christophe Landat, co-founder of Axeptio and our official lawyer GetAvocat. He breaks down the advertising jargon for you.
“RTB” is an English acronym for real-time bidding. It’s programmatic advertising that works on the principle of auctioning impressions. It takes place in a few milliseconds.
We set up a system where the highest bid wins the opportunity to display their ad on the site visited by the user based on cookies previously deposited on their device.
Ultimately, RTB is unrestrained competition between advertisers to see who can display their ads to a user.
If I buy advertising space on Facebook Ads or Google Adwords or display these ads on my website, am I necessarily doing RTB or not?
When you use programmatic advertising, you can favor one method over another, and RTB is a way of doing programmatic advertising. It’s the automation, pushed to the extreme, of monetizing your digital inventory, based on the economic criteria you’ve defined. This system will be triggered based on the information collected beforehand.
And in fact, the way personal data is collected and cross-referenced may raise legal questions.
Now, let’s talk about the IAB. What exactly is the IAB? Please tell us more about what they do.
The IAB is a big organization. It’s the abbreviation for Interactive Advertising Bureau. It’s an international organization that brings together the players in online advertising.
Its role is to create binding standards for members (and not for everyone who doesn’t belong…) and make recommendations.
So the IAB creates standards for online advertising and tools that marketing and advertising players (who do a lot of business with data) can use to comply with advertising rules.
This is done with a prism that is primarily focused on data collection. It’s a business-oriented orientation where we try to coexist legal constraints with economic imperatives. The IAB tries to strike the most acceptable compromise possible between these two issues, and it can be challenging.
There’s a desire to prioritize the business side, which inevitably involves reading the GDPR, which is specific to the IAB and can sometimes raise questions.
When you visit certain websites, you see that their cookie modules are designed similarly, giving the user various choices. These publishers apply the IAB’s TCF protocol. What is strict, and why have these publishers adopted this standard?
TCF stands for “Transparency and Consent Framework.” The IAB created it.
The TCF is nothing more than the definition of a configuration and a way of collecting consent through software. If you belong to the IAB and subscribe to the TCF standard, you must collect consent as the IAB requests. And no other way.
This is the primary concern with the TCF. One of the six foundations of data collection is often highlighted, which is that of legitimate interest provided for in Article 6.1.f of the GDPR.
A legal basis is required to collect data: there is six total. It can be done, for example, because the user consents, because the law allows it. Then there’s this “legitimate interests pursued by the controller.”
For me, this is a very clearly dangerous basis. Why? Because to be able to use it, you must first carry out an excellent analysis and balance the objectives of the data collector and the risks it poses to the rights of the people. The CNIL reminds us that “legitimate interests cannot, therefore, be considered as a legal basis “by default”: it requires, on the contrary, careful examination by the organization and the follow-up of a rigorous methodology.”
But where is this “careful examination” when you collect data on the fly without any prior analysis?
There is an opinion that was issued by the former G29 (and now CEPD – European Data Protection Board) on the notion of legitimate interests. This opinion is more than 70 pages long! And in this opinion, we were already questioning how to manage the idea of legitimate interests about appropriately protecting individuals’ fundamental rights and freedoms.
The current use of this basis is excessive. It’s unbalanced and dangerous for those who use it. Before the GDPR, we had case law with the precedent of company-sanctioned cookies (an economic interest in this case). However, we must assess the company’s interests, individuals’ rights, and honest expectations regarding collecting and processing data. We must find balance.