On 2 February, the Belgian Data Protection Authority fined IAB Europe €250,000, ruling its Transparency and Consent Framework (TCF), which has widespread use across the advertising industry in the EU and UK, does not comply with several GDPR provisions.  A summary and the full decision of the Belgian DPA can be found here. 

It is important to note that this decision has been made pursuant to the One-Stop-Shop Mechanism of the GDPR; this means that a draft decision was sent to each of the other concerned EU supervisory authorities for their views before it was finalised (in accordance with Article 60 of the GDPR). As part of this process, two objections were raised, and the Belgian DPA incorporated those objections in its final decision, which was approved by all concerned authorities.

Background

IAB developed the TCF to assist organisations in complying with the GDPR when relying on the OpenRTB protocol in programmatic advertising. The OpenRTB protocol enables advertisers to bid in real time on ad inventory contained on a publisher’s property (e.g., website or app), in order to deliver targeted advertising tailored to the profile of the website or app user.  It is a voluntary framework which can be adopted and complied with by organisations for such purposes; it is not mandatary.  So how does it work? To summarise, when a user visits a website or app for the first time, they will often be met with an interface known as a Consent Management Platform or CMP which seeks consent from the user to collect and share their personal data for several purposes, including sharing with third parties.  The user may also be presented with the opportunity to opt out of such processing.  This is where TCF applies – it facilitates the capture, through the CMP, of the users’ preferences. These preferences are then coded and stored in a “TC string”, which is shared with the organisations participating in the OpenRTB system so that they know what the user has consented/objected to.

The Belgian DPA purports to having been in receipt of complaints about IAB and the conformity of the TCF with the GDPR since 2019 so following such complaints, it began investigating IAB and the TCF. 

Findings

During the Belgian DPA’s investigations, a clear position was determined by the Belgian DPA which set the scene for the key findings.  As TCF is an optional framework, one may wonder why it was the IAB that was fined and not the organisations opting to use it.  Well, whilst the IAB asserted that it does not act as a controller for its collection of users’ consents, objections and preferences through the TCF, since the ad tech vendors following the OpenRTB protocol determine the purposes of processing without IAB Europe’s intervention, the Belgian DPA wholly disagreed.  The Belgian DPA found that in fact IAB does act as a controller with respect to data collected pursuant to the TCF and therefore could be held responsible for violations of the GDPR.

In coming to this conclusion, the Belgian DPA then found the following violations of the GDPR:

1. Lawfulness: it found that IAB failed to establish a legal basis for the processing of the TC String, and the legal grounds offered by the TCF for the subsequent processing by adtech vendors were inadequate.
2. Transparency and Information to Users: it also found that the information provided to users through the CMP interface was too generic and vague to allow users to understand the nature and scope of the processing, especially given the complexity of the TCF. In the DPA’s view therefore, it was difficult for users to maintain control over their personal data.
3. Accountability, Security and Data Protection by Design and Default: In the absence of organisational and technical measures in accordance with the principle of data protection by design and by default, including to ensure the effective exercise of data subject rights as well as to monitor the validity and integrity of the users’ choices, the conformity of the TCF with the GDPR was not adequately warranted nor demonstrated.
4. Other Obligations: IAB failed to keep a register of processing activities, to appoint a DPO and to conduct a data protection impact assessment.

Sanctions

Based on such findings, the Belgian DPA imposed a fine of €250,000 on IAB.  In addition, it ordered the company to undertake a series of corrective measures aimed at bringing the current version of the TCF into compliance with the GDPR. These measures include, among others: 

• the establishment of a valid legal basis by IAB for the processing and dissemination of users' preferences within the context of the TCF, as well as the prohibition of the use of legitimate interest as a basis for the processing of personal data by organisations participating in the TCF; and

• the strict vetting of participating organisations in order to ensure that they meet the requirements of the GDPR.

What’s Next?

Well, IAB now has 2 months to present an action plan to implement the corrective measures ordered by the Belgian DPA, including those listed above.  It can also choose to appeal the decision with 30 days. 

This decision by the Belgian DPA will undoubtedly have unnerved the many organisations relying on TCF currently and those operating across the adtech space in the EU more broadly.  It may be that we start to see organisations ceasing to rely on TCF entirely, and possibly the emergence of models similar to TCF that aim to be a “compliant” alternative.  One thing is clear though – this is another significant message from the authorities across the EU that adtech is an area of concern from a compliance perspective and the authorities are not afraid to take serious action against organisations they consider to be in violation of the law in this respect.