IAB Tech Lab, an industry trade group that creates technical standards and specifications, has today released an updated version of its Transparency and Consent Framework, TCF 2.2. The reworked framework, used by businesses across the industry to guide the collection and sharing of consent signals for use of personal data in advertising, notably removes legitimate interest as a legal basis for advertising and content personalisation.
The IAB has been reworking the framework partly in response to an ongoing legal battle over the TCF’s compatibility with the EU’s General Data Protection Regulation (GDPR). But the trade group has also been looking at tweaks based on evolving case law and rulings from various data protection authorities (DPAs) across Europe.
The removal of legitimate interest as a legal basis for advertising and content personalisation is significant, sending a clear signal to those using the TCF that user consent is the only valid legal basis for data collection for these purposes.
Not so legitimate interest
The GDPR sets out rules around the collection and processing of personal data in the EU, specifying how and when companies are able to collect personal data.
In most cases, companies must ask for specific opt-in consent from the person that data belongs to. But the GDPR also allows for collection and processing of personal data based on “legitimate interest”. The idea is that businesses can process data without consent where there is a legitimate interest in doing so, so long as that legitimate interest isn’t overridden by the rights of the person the data belongs to.
This clause was included to make it possible to process data where there was a clear wider benefit to doing so. Examples outlined in the UK’s GDPR recitals include fraud prevention, ensuring network and information security, and indicating possible criminal acts or threats to public security.
However, the vague wording meant it came to be seen by some businesses as a GDPR loophole, allowing them to claim legitimate interest and avoid collecting user consent for data collection.
In advertising, it was argued by some that publishers have a legitimate interest in processing personal data for use in targeted advertising, as this (they argued) was crucial to their business model.
A number of DPA rulings, as well as GDPR guidelines released by authorities including the UK’s ICO, made it clear that this wasn’t the case. For targeted advertising, consent must be collected; legitimate interest is not a valid legal basis.
But nonetheless, many continue to cite legitimate interest within their consent management platforms. In some cases, this is done quite deceptively – users are asked to opt in to consent to use of their data, but then another tab on the consent mechanism states that legitimate interest is being used as the basis for data collection for the very same purposes. It’s often, confusingly, the case that these same consent mechanisms give the user the option to opt out of legitimate interest, which is contradictory to legitimate interest’s purpose.
Today’s update to the widely-adopted TCF should help bring an end to these practices, making it even clearer to all parties that for content personalisation and advertising purposes, user consent is the only legal basis for data processing.
But it could also mean the industry sees another drop in the volume of personal data available for ad targeting and measurement as the change comes into effect. Rightly or wrongly, it seems a number of companies have been using legitimate interest in order to collect data without consent. In the coming months this will no longer be possible, at least while still using the TCF.
The full list of updates to the TCF provided by IAB Europe is as follows:
- Removal of the legitimate interest legal basis for advertising & content personalisation: within the scope of the TCF, Vendors will only be able to select consent as an acceptable legal basis for purposes 3, 4, 5 and 6 at registration level;
- Improvements to the information provided to end-users: the purposes and features’ names and descriptions have changed. The legal text has been removed and replaced by user-friendly descriptions – supplemented by examples of real-use cases (illustrations);
- Standardisation of additional information about Vendors: Vendors will be required to provide additional information about their data processing operations – so that this information can in turn be disclosed to end-users;
  - Categories of data collected
  - Retention periods on a per-purpose basis
  - Legitimate interest(s) at stake – where applicable
- Transparency over the number of Vendors: CMPs will be required to disclose the total number of Vendors seeking to establish a legal basis on the first layer of their UIs;
- Specific requirements to facilitate users’ withdrawal of consent: Publishers and CMPs will need to ensure that users can resurface the CMP UIs and withdraw consent easily.