On 2 February 2022 the Belgian DPA found that IAB Europe's Transparency and Consent Framework (TCF) fails to comply with the GDPR. While this decision will no doubt be a blow to the IAB and to those in the RTB ecosystem, this decision is not unexpected.
So what is the issue here?
Online advertising and, in particular, ‘Real-Time Bidding’ (“RTB”) is complex. When users access a website or app that has advertising space, tech companies representing advertisers can "in real time", i.e. instantaneously, bid behind the scenes for that advertising space, using an automated auction system, so they can show advertising tailored to that individual's profile.
The TCF is a set of technical specifications and policies pursuant to which participants collect, store and communicate (via ‘signals’) users' preferences and consents with respect to processing purposes and individual vendors. Although the TCF has been widely criticised by privacy activists and is generally considered not to be particularly user-friendly, it is seen by many as the only viable solution to the problem of consent and transparency within the RTB ecosystem.
Following a number of complaints, the Belgian DPA investigated and found that IAB Europe is acting as a data controller "with respect to the registration of individual users’ consent signal, objections and preferences by means of a unique Transparency and Consent (TC) String, which is linked to an identifiable user." As IAB Europe is a controller it "can be held responsible for possible violations of the GDPR."
How did IAB Europe infringe the GDPR?
The Belgian DPA found that IAB Europe had infringed the GDPR in the following areas:
- Legal basis for processing
IAB Europe failed to establish a legal basis for processing the TC String, and the legal grounds relied on within the TCF were inadequate for the subsequent processing by ad-tech vendors.
- Transparency and information of the users
The consent management platform information provided to users was "too generic and vague to allow users to understand the nature and scope of the processing, especially given the complexity of the TCF." The Belgian DPA found this made it "difficult for users to maintain control over their personal data".
- Accountability, security and data protection by design/by default
The principle of data protection by design and by default requires consideration to be given to organisational and technical measures to ensure that data subjects can effectively exercise their rights. Such measures were absent and therefore the TCF was found not to comply with the GDPR.
- Other obligations pertaining to a controller processing personal data on a large-scale
IAB Europe also failed "to keep a register of processing activities, to appoint a DPO and to conduct a DPIA".
The Belgian DPA believes that using the TCF “may lead to a loss of control of their personal information by large groups of citizens", and therefore imposed an administrative fine of €250,000 and ordered IAB Europe "to undertake a series of corrective measures aimed at bringing the current version of the TCF into compliance with the GDPR".
This decision was also approved by the other relevant DPAs across Europe in line with the one-stop-shop mechanism provided for in the GDPR.
So what next?
IAB Europe now has 2 months to present an action plan showing how it will implement these corrective measures and a further 4 months to complete them, with a further penalty of €5,000 per day for failure to comply within the timescale.
Although IAB Europe can appeal this decision, when the draft decision was announced back in November, IAB Europe remained upbeat and talked of "stand(ing) ready to work with the APD (Belgian DPA) and other DPAs to support companies in the digital advertising industry to ensure that they fully comply with the requirements of EU law."
Although this decision is problematic for the industry, it has unfortunately been a long time coming, and it will be interesting to see how the IAB plans to tackle it. While the TCF undoubtedly has its flaws, it is relied on by many in the industry as the ‘best game in town’, so we think it unlikely the TCF will go anywhere soon. We do however expect to see further iterations of the TCF that move towards the GDPR’s high consent standards.
The processing of personal data (e.g. capturing user preferences) under the current version of the TCF is incompatible with the GDPR, due to an inherent breach of the principle of fairness and lawfulness.