Belgium’s Data Authority Rules that the Transparency and Consent Framework Violates GDPR

Tim Cross 02 February, 2022 

Belgium’s data protection authority has today ruled that the Transparency and Consent Framework (TCF), a consent framework designed by IAB Europe to help the ad industry comply with the EU’s general data protection regulation (GDPR), actually infringes the GDPR.

The data protection authority (DPA) has issued a €250,000 fine to IAB Europe, and given the industry trade group two months to create an action plan of how it will bring the TCF into compliance.

The Transparency and Consent Framework was developed specifically in response to the GDPR. GDPR requires that the majority of businesses get explicit opt-in consent in order to be able to use any personal data – the only exception is ‘legitimate interest’ (which is itself another thorny issue that has been debated in the ad industry).

But capturing and sharing users’ consent preferences during programmatic transactions is difficult, especially since many of the companies involved have no direct relationship with consumers. For businesses which use IAB Europe’s OpenRTB protocol for real-time bidding, the TCF was designed to help solve this problem, creating a standardised means for capturing and transmitting consent preferences.

However, a number of privacy advocates took issue with the TCF itself, stating that the mechanics of the TCF result in unauthorised data processing by IAB Europe. And many of these critics have argued that IAB Europe should be held responsible for many of the GDPR violations caused by companies using the TCF.

These complaints were handled by Belgium’s DPA, since IAB Europe is based in Belgium. Hielke Hijmans, chairman of the Litigation Chamber of the Belgian DPA, said that today’s ruling “will have a major impact on the protection of the personal data of internet users,” adding that “order must be restored in the TCF system so that users can regain control over their data”.

How long is a TC string?

The key issue according to the DPA comes down to ‘TC strings’, which are used within IAB Europe’s framework. When a user submits their consent preferences on a website or other media channel via a consent management platform (CMP), these preferences are coded and stored in a TC string, which can be shared through the OpenRTB system. The CMP will also drop a cookie on the user’s device once their consent preferences are collected.

When combined, TC strings and the cookies dropped by CMPs can be linked to a user’s IP address. The DPA says that as a result, TC strings can essentially be linked to identifiable users, meaning they constitute personal data.

And the Belgian DPA says that IAB Europe is a “data controller” (a legal term specified under the GDPR) in relation to these TC strings – something which IAB Europe disagrees with. Data controllers have specific obligations under GDPR, which IAB Europe hadn’t been fulfilling, since it doesn’t consider itself a data controller. As a result, the DPA has held IAB Europe responsible for a number of violations of the GDPR which are associated with the TCF.

Specifically, the DPA found that:

  • IAB Europe has no legal basis for processing TC strings, and the legal grounds offered by the TCF for subsequent processing by ad tech companies are inadequate
  • Information provided through the TCF’s CMP interface is too generic and vague, meaning users don’t understand what they’re consenting to
  • IAB Europe has insufficient organisational and technical measures in place to ensure data protection by design and by default, which is required under GDPR
  • IAB Europe hasn’t kept a register of processing activities, appointed a data protection officer, or conducted a data protection impact assessment, all of which it’s required to do as a data controller

Further fights ahead

IAB Europe had hoped to persuade the DPA that it shouldn’t rightly be considered a data controller, and will be disappointed that it failed to do so. The trade group said in a blog post that it continues to reject the notion, and may file a legal challenge to contest the result.

IAB Europe did however claim a small victory in the ruling, noting that the ruling doesn’t completely prohibit the TCF, leaving a path for the framework to be reworked in a way which satisfies the Belgian DPA.

Privacy advocates will dispute that notion. Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, claims that the DPA’s decision means that the TCF has been “ruled unlawful”, and that data collected through companies involved in the OpenRTB system will now have to be deleted.

Thus, the case looks far from over. The DPA has outlined a path towards compliance for IAB Europe. Establishing a valid legal basis for processing and disseminating TC strings (or an alternative mechanism within the TCF), prohibiting the use of legitimate interest as a legal basis for processing personal data within the TCF, and strict vetting of organisations which use the TCF would bring IAB Europe close to compliance.

But whatever steps IAB Europe takes, opponents will likely claim they fall short of the mark. We’ve already seen some of this debate play out. The ICCL recently wrote in a blog post that it’s impossible for IAB Europe to properly vet all the businesses which use the TCF (which is one of the requirements laid out by Belgium’s DPA). But IAB Europe swiftly fired back, arguing that by the ICCL’s logic, all auditing of data processing by data protection authorities is effectively useless.

Expect the blog post wars to continue as the battle for the future of the TCF rages. And the stakes are high. Critics of real-time bidding and the widespread sharing of data it facilitates hope that if the TCF can be torn down, real-time bidding itself (or at least use of personal data within RTB) will collapse soon after.


About the Author:

Tim Cross is Assistant Editor at VideoWeek.