On Feb 2, 2022, the Belgian Data Protection Authority (DPA) issued a decision that could have significant implications for online advertising.
The regulator ruled that the Transparency and Consent Framework (TCF), which powers the digital advertising work of thousands of organizations, is incompatible with EU law.
The decision is very complicated, running to 127 pages. Here’s a summary of the background and the main findings.
People involved in the complaint
The main groups involved in this complaint were:
- Johnny Ryan of the Irish Council of Civil Liberties (ICCL) and others, who brought the complaint
- IAB Europe, a trade association for digital marketing companies, against which the complaint was made
- The Belgian Data Protection Authority (DPA), which handled the complaint
Various organizations that participate in the IAB’s Transparency and Consent Framework (TCF), including publishers, consent management platforms (CMPs), advertisers, and adtech vendors, were also indirectly involved in the decision.
Transparency and Consent Framework (TCF)
The complaint was about the IAB’s Transparency and Consent Framework (TCF), a model that purportedly helps online advertisers comply with the EU General Data Protection Regulation (GDPR).
The IAB describes the TCF as a “cross-industry best practice standard”.
The TCF (currently in its second iteration, TCF v2.0) provides participating organizations with resources and guidelines regarding how to set cookies, collect consent, and inform users about how their personal data is processed.
Cookies are a privacy-sensitive technology because they collect information about users’ online activity and can be used to create profiles for targeted advertising purposes.
The TCF was designed so that publishers could obtain consent for setting cookies (or, in some cases, establish a “legitimate interest” to set cookies without consent) and so that other digital advertising industry players could monetize personal data obtained via cookies.
When a user visits a web page operating under the TCF, a piece of code known as a “TC String” is loaded onto their device. A TC String records that user’s cookie preferences and allows those preferences to be communicated globally across other TCF-participating sites.
The TC String is placed on users’ devices by a consent management platform (CMP), together with the user’s IP address and their cookie preferences, in a cookie called “euconsent-v2”.
The IAB receives the TC String from the CMP as a central record of each unique user’s cookie preferences.
A key question in this complaint was whether the TC String constitutes personal data, as alleged by complainants Johnny Ryan and others. This, Ryan alleged, meant that the IAB would be a “data controller” under the GDPR.
The IAB denied that the TC String constituted personal data and maintained that it was not a data controller in this respect.
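What a TC String actually records can be checked by decoding it. The following is an added example, not code from the original article or from the IAB: it parses the leading fields of a TCF v2 core segment and reports whether the string is globally scoped and which purposes are flagged under legitimate interest. The field layout is assumed from the public TCF v2 TC String format, and the sample string is constructed.

```python
import base64

# Leading core-segment fields and bit widths (assumed from the public
# IAB TCF v2 TC String format; fields after these are not parsed here).
FIELDS = [
    ("version", 6), ("created_ds", 36), ("last_updated_ds", 36),
    ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
    ("consent_language", 12), ("vendor_list_version", 12),
    ("tcf_policy_version", 6), ("is_service_specific", 1),
    ("use_non_standard_stacks", 1), ("special_feature_opt_ins", 12),
    ("purposes_consent", 24), ("purposes_li_transparency", 24),
]

def purposes(value, width=24):
    # The most significant bit is Purpose 1, the next is Purpose 2, and so on.
    return [i + 1 for i in range(width) if value >> (width - 1 - i) & 1]

def decode_core(tc_string):
    """Decode the core segment (text before the first '.') of a TC String."""
    core = tc_string.split(".")[0]
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    bits = "".join(f"{b:08b}" for b in raw)
    if len(bits) < sum(w for _, w in FIELDS):
        raise ValueError("TC String core segment is truncated")
    out, pos = {}, 0
    for name, width in FIELDS:
        out[name] = int(bits[pos:pos + width], 2)
        pos += width
    if out["version"] != 2:
        raise ValueError(f"unsupported TC String version {out['version']}")
    # A string that is not service-specific is a globally scoped consent.
    out["globally_scoped"] = not out["is_service_specific"]
    out["purposes_consent"] = purposes(out["purposes_consent"])
    out["purposes_li_transparency"] = purposes(out["purposes_li_transparency"])
    return out

def encode_core(values):
    # Used only to build the constructed sample below.
    bits = "".join(f"{values[n]:0{w}b}" for n, w in FIELDS)
    bits += "0" * (-len(bits) % 8)
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample values, not taken from any real user or CMP.
SAMPLE = encode_core({
    "version": 2, "created_ds": 16437600000, "last_updated_ds": 16437600000,
    "cmp_id": 10, "cmp_version": 1, "consent_screen": 1,
    "consent_language": 269, "vendor_list_version": 100,
    "tcf_policy_version": 2, "is_service_specific": 0,
    "use_non_standard_stacks": 0, "special_feature_opt_ins": 0,
    "purposes_consent": 1 << 23 | 1 << 21,          # Purposes 1 and 3
    "purposes_li_transparency": 1 << 22 | 1 << 17,  # Purposes 2 and 7
})
```

Running `decode_core` over the value of a site's “euconsent-v2” cookie shows at a glance whether that site still issues globally scoped strings or relies on legitimate interest for any purpose.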
Real-Time Bidding (RTB)
Once users’ personal data is collected under the TCF, it enters into the advertising ecosystem and a process known as “real-time bidding” (RTB). Allegations about the non-compliant nature of RTB are another important element of the complaint.
In essence, RTB enables publishers to bid on the opportunity to present an ad to a user based on the user’s profile (built via cookies and often including information about their age, location, and interests).
This interaction all takes place in real time: during the milliseconds it takes for that user to load a web page.
Findings of the Belgian DPA
The Belgian DPA found a number of issues with the TCF and the IAB’s place within the advertising ecosystem.
The Belgian DPA found that:
- The TC String constitutes personal data, as once placed on a device in combination with a user’s IP address it is used to uniquely identify individuals and information about their cookie preferences.
- The IAB is a data controller owing to how it processes the TC String, which constitutes personal data about users’ consent preferences.
- There is a “joint controller” relationship between TCF-registered publishers, CMPs, adtech vendors and IAB, all of whom are jointly responsible for processing users’ personal data (to varying extents).
- The IAB failed to establish a legal basis for the processing of the TC String.
- Users were not informed about the processing of the TC String or offered a chance to refuse the processing of the TC String.
The DPA also had a lot to say about the IAB’s legal basis for processing the TC String under the GDPR:
- “Legitimate interests” is not a suitable basis for processing personal data via the TC String because the risks to users outweigh the interests of the TCF participants.
- “Consent” is not a suitable basis for processing personal data in the RTB system because of—among other reasons—the nature of the personal data involved, the lack of clarity around the purposes for the processing, and the difficulty involved in withdrawing consent.
The DPA found several issues with transparency within TCF:
- IAB did not disclose that it was keeping records of users’ consent.
- The large number of third parties receiving personal data in the RTB system contradicts the principle of transparency.
- The purposes for processing were not adequately explained.
There were several additional findings relating to how IAB failed to appoint a data protection officer, conduct necessary impact assessments, and take effective security measures to safeguard personal data.
Sanctions Against IAB
In light of these numerous alleged GDPR violations, the DPA imposed several sanctions against the IAB. The DPA ordered the IAB to, among other things:
- Delete any personal data collected via a TC String “in the context of globally scoped consents”
- Prohibit the use of “legitimate interests” among TCF participating organizations
- Require TCF participating organizations to provide GDPR-compliant transparency information
- Pay a fine of €250,000
The IAB has six months to comply but may appeal.
Implications for Publishers
The IAB has yet to produce any guidance on the implications of the ruling for publishers relying on the TCF.
It’s also important to note that the IAB itself is the subject of this decision—not the TCF-participating organizations.
However, given that the TCF v2.0 has now been found incompatible with the GDPR, publishers should consider working with their CMPs to find an alternative ad revenue model.
The DPA’s ruling on “legitimate interests” was particularly important. Publishers who are relying on legitimate interests to set any cookies should consider finding an alternative legal basis.