The trouble is that if you read the coverage on Campaign today, it is hard to see how it can assuage the concern that led the ICO, the UK's data privacy watchdog, to "call out" Real Time Bidding and programmatic advertising just two months ago for failing to comply with GDPR. The reason for this is clear for all to see. Nobody can remember giving their consent for any of this to happen, for the very good reason that it is possible they were never asked properly.
To quickly sum up, GDPR needs people to give informed, granular consent to each use of their data. There is the possibility for companies to get around this by saying it is a "legitimate interest" of the business to use their data, but it's stretching the definition somewhat to apply this to targeted advertising.
It also doesn't apply to any data that might relate to sensitive information, such as religious and political views, trade union member or a person's health.
So, version two of the TCF rightly puts more effort into ensuring that people are more in control of their data. Everything would appear to be fine. The ICO had to fire a warning shot, but now we can rest assured that version two of the TCF will be in place by next spring, when Google will be signing up -- and that means everything should be fine.
Only, as I say, read the comments in today's marketing press, and you see it isn't. In fact, with a strict reading of the GDPR, it's hard to see how it ever could be.
The most obvious point, as one campaigner tells Campaign today, it that it is impossible for people to give informed consent because the person asking for the consent cannot be clear on what data is involved and whom it will be shared with -- both prerequisites of gaining legal consent.
Another problem comes with those sensitive data sets. Can every advertising business really expect to ask users for permission to hold data about their religion and health? If given a truly transparent consent request, surely everybody would just say "no."
One possible solution will be for advertising networks and ad-tech companies to stop processing any data around sensitive categories, but exactly what that means for the health and insurance industries, to name just two, is anyone's guess.
Data could be anonymised so it is no longer personal, but my reading is that if data has been strung together by combining knowledge about a person because they are logged in to a service -- such as Google -- then the data is still personally identifiable. It might take a lawyer who is far more clever than I to argue the counter point, but a cautious reading of the law is to assume that if you collected data about a person when you knew who they are were, it is problematic to then pretend you don't know who they are.
If the data comes from cookies and is anonymised, then advertisers will have to concede that the clock is ticking on the lifetime of the cookie that is being blocked by browsers and is limited to the desktop.
It is not all bad news -- senior executives are greeting the new guidelines as a step in the right direction that should give the sector renewed confidence.
It's hard to tell what the real story will turn out to be. Will clear consent guidelines work? The more difficult question is whether it is actually ever possible to gain GDPR compliant permissions for RTB and programmatic to work.
The ICO has given the industry until around Christmas or New Year to clear up the issue. There is the potential that deadline could be pushed back a few months to see how the new TCF works.
What is for sure is that this is undoubtedly a conundrum that will go on and on. Perhaps completely anonymised data sets which never touch on sensitive categories is the way forward -- a compromise both sides could live with?
We'll know more when the ICO revisits its request for end-of-year action. This truly is a fascinating thing to watch unfold.