The Belgian Data Protection Authority fined IAB Europe 250k euros on Wednesday, finding that its Transparency and Consent Framework (TCF), which is used by much of the European Union’s advertising industry, violates several provisions of the EU General Data Protection Regulation (GDPR).
This decision comes at a time when the AdTech ecosystem is being affected by several legislative and industry changes.
More marketers, publishers, and industry thought leaders are grappling with how to provide personalised experiences to customers while respecting user privacy.
For more information on the decision, join the Seers privacy webinar on “Cookie Compliance – Emerging Challenges And their Solutions” on 23rd February 2022, at 16:00 GMT. You can register for the webinar here.
Findings of Belgian DPA
The DPA stated that IAB Europe operates as a data controller and can be held responsible for potential GDPR violations due to data processing under the TCF, which facilitates the administration of users’ preferences for online customised advertising.
The authorities challenged the legality of IAB Europe’s TCF standard for the following reasons:
- It does not ensure the security or confidentiality of personal data (GDPR Articles 5(1)f and 32);
- It lacks transparency on the individuals’ personal data (art. 12, 13 and 14 GDPR);
- It does not take any steps to ensure that data processing complies with the GDPR (art. 24 GDPR);
- It does not require consent in the proper manner and is based on a legal justification (legitimate interest) that is unacceptable in the context of online tracking (art. 5(1)a and art. 6 GDPR);
- It does not adhere to the principles of accountability, security, and privacy by design, as IAB Europe has not proved to the authority that it can ensure the exercise of data subjects’ rights and monitor the authenticity and integrity of user preferences;
- IAB Europe incorrectly designated its role as a data controller and, as a result, failed to comply with the corresponding obligations, including the appointment of a DPO, the creation of processing registers, and a DPIA connected to the TCF (which is indeed large-scale processing).
In addition, the Belgian DPA found that IAB Europe, consent management platforms (CMPs), publishers, and collaborating AdTech vendors should also be considered joint data controllers for the collection and processing of data subjects’ consent preferences.
Response from IAB Europe
IAB Europe has six months to revamp the TCF to comply with the Belgian DPA’s requirements and must submit a two-month action plan outlining how it intends to do so.
IAB Europe responded that it is considering options to challenge the Belgian Data Protection Authority’s decision that it is a data controller under the TCF, making it responsible for all data processing, storage, and usage when publishers utilise TCF permission strings for programmatic advertising.
IAB Europe said that the TCF was not declared illegal, and the DPA’s judgement implies that six months is adequate time to address the concerns.
However, if IAB Europe fails to comply with the Belgian DPA’s judgement in the case, the TCF may be declared invalid, necessitating the retroactive erasure of any OpenRTB consent data collected via the framework. If that occurs, it might be a game-changer for open web programmatic advertising in Europe.
If the TCF is not renewed and other EU DPAs codify the Belgian DPA’s ruling, Google’s AdBuyers protocol will be the only RTB protocol that collects and uses consent for online advertising.
Impact on publishers using IAB TCF
This decision occurs in the context of various regulatory and industry shifts affecting the AdTech ecosystem. More publishers, marketers, and thought leaders in the industry are wondering how they can provide personalised experiences to consumers while respecting user privacy.
The Belgian DPA’s ruling found underlying compliance difficulties with real-time bidding. As a result, the industry must collaborate to improve existing standards or frameworks that foster confidence between publishers, advertisers, and consumers. First-party data and cookie-blocking solutions are likely to become increasingly relevant in the future.
Publishers that rely on the TCF may consider switching to an alternate consent and preference management system in order to comply with the GDPR. After removing the TCF, publishers may need to block AdTech signals until the audience ultimately provides approval.
How Is Seers Responding?
Seers is monitoring the whole scenario very closely and has taken some necessary actions until we see some positive development from IAB Europe. We have removed the IAB TCF banner from our CMP and requested all of our customers to move to the non-IAB banner. The customers have the option of loading non-personalised or relevant advertisements until the website visitor approves.