Online advertising has long been in the firing line by various data protection authorities (take a look at our recent article on the ad-tech challenge here) and now it seems that the Belgian DPA are about to conclude their say on IAB Europe's 'Transparency and Consent Framework' (TCF), the industry's solution that aims to obtain GDPR compliant consent for the use of cookies and the processing of personal data by ad-tech vendors.
While it may be subject to challenge, IAB TCF is presently the only viable solution to the transparency and consent problem faced by ad-tech vendors, and it has the backing of the largest players in the industry, including Google. But IAB TCF has faced multiple legal challenges. In one such challenge, the Belgian DPA's Litigation Chamber is expected to affirm the DPA's October 2020 decision and find (amongst other things) that: a) IAB TCF fails to comply with the GDPR's consent requirements; and b) the IAB Europe has responsibility (which it's not currently meeting), as a controller, for ensuring that the consent signals (or 'strings'), which communicate a user's consent status between ad-tech vendors, comply with the GDPR.
Some herald this as a win, but the IAB Europe remains confident that it will have six months to remedy the findings. It also remains to be seen whether the Belgian DPA will be able to convince other European data protection authorities (including the UK's ICO which is yet to conclude its own investigation into the ad-tech industry) to follow suit. So, expect IAB TCF to survive for now but for it - and the wider ad-tech industry - to continue to come under sustained pressure by privacy regulators and activists alike.
We are optimistic that work on the action plan under the APD’s supervision should enable the approval of the TCF as a GDPR trans-national Code of Conduct (CoC) by the APD and the full European Data Protection Board (EDPB).