On February 2, 2022, the Belgian Data Protection Authority (“DPA”) issued a decision finding that the Interactive Advertising Bureau (“IAB”) Europe’s Transparency and Consent Framework (“TCF”) violates key provisions of the GDPR. While the fine appears to be comparatively modest, the DPA delivered a significant blow to the broader AdTech sector when it also ordered IAB to permanently delete personal data already processed under the TCF from its systems, among other remedial measures. IAB has two months to present an action plan to the DPA showing how it will bring the TCF into compliance.
Background
IAB Europe is a trade association for the digital marketing and advertising industry. The TCF is a widely used consent management tool designed to assist companies using advertising cookies to comply with the GDPR in connection with real-time bidding (“RTB”). In the RTB process, a website publisher auctions advertising space on a webpage that a user is viewing, and an advertiser buys the space with the specific aim of reaching people like that user. The process involves many players and happens in milliseconds.
The TCF facilitates the capture of an individual’s preferences for the purpose of displaying targeted advertising. The preferences are coded and stored in a “TC string” which is shared with participants in RTB so that they know what those preferences are (i.e., what the user has consented/objected to). In addition, a cookie placed on the user’s device can, when combined with the TC string, be linked to the IP address of the user, thereby making the user identifiable.
The DPA launched an investigation into the TCF following complaints.
The Belgian DPA’s Decision
The DPA determined that, despite IAB’s arguments to the contrary, IAB is a data controller in relation to the TCF and had therefore failed to fulfil a number of data controller obligations (including keeping records of processing; appointing a data protection officer; and conducting a data protection impact assessment). Significantly, the DPA also found other AdTech players (consent management platforms, publishers and AdTech vendors) are joint controllers with IAB for the collection and dissemination of user preferences, objections and consent and subsequent processing of their personal data.
In its criticisms of the TCF, the DPA found that IAB failed to provide a legal basis for the processing of user preferences in the form of a TC string and that consents collected under the TCF were not valid. In particular, the DPA noted that (i) the processing purposes were not clearly described and so provided little or no insight into the processing, (ii) information on the categories of data collected was not given, thereby making informed consent impossible, and (iii) the recipients for whom consent is obtained are so numerous that users would need a disproportionate amount of time to read this information, so their consent can rarely be sufficiently informed.
The DPA also concluded that TCF/RTB participants are unable to rely on the legitimate interest basis for their targeted advertising, leaving consent (although not as collected under the current TCF) the only option on the table.
A draft of the decision was shared with the data protection authorities of other European Economic Area countries in November 2021 as part of the GDPR’s “one stop shop” mechanism. The final decision incorporates amendments to address two objections raised by those authorities. One, raised by the Portuguese authority, led to the inclusion of the requirement for IAB to ensure the deletion of personal data processed in violation of the GDPR.
Comment
While the decision stops short of prohibiting the TCF, it is difficult to see a way that IAB will be able to amend the TCF to the satisfaction of the DPA, particularly in relation to consent. Moreover, given that IAB worked for over a year to get industry consensus on version 2 of the TCF, there may not be the appetite to start from scratch if IAB cannot implement such changes. IAB has indicated that it is considering its appeal options but, in the meantime, will work with the DPA on the action plan – the outcome will be one to watch.
Industry stakeholders should assess their role in the AdTech ecosystem, and their own GDPR compliance, considering the DPA’s joint controllership finding, and plan for potential changes or unavailability of the TCF. Of particular significance is the part of the order requiring deletion of data that was processed under the current TCF – a requirement which could affect data used by a wide range of businesses.