The Belgian Data Protection Authority fined IAB Europe 250k euros on Wednesday, finding that its Transparency and Consent Framework (TCF), which is used by much of the European Union's advertising industry, violates several provisions of the EU General Data Protection Regulation (GDPR).
The decision comes as various governmental and commercial changes affect the AdTech sector.
More marketers, publishers, and industry thought leaders are grappling with how to provide personalised experiences to customers while respecting user privacy.
Findings of Belgian DPA
The DPA stated that IAB Europe operates as a data controller. It can be held responsible for potential GDPR violations.
The authorities challenged the legality of IAB Europe’s TCF standard for the following reasons:
- It does not ensure the security or confidentiality of personal data (art. 5(1)(f) and art. 32 GDPR);
- It lacks transparency on the individuals' personal data (art. 12, 13 and 14 GDPR);
- It does not take any steps to ensure that data processing complies with the GDPR (art. 24 GDPR);
- It does not require consent in the proper manner and is based on a legal justification (legitimate interest) that is unacceptable in the context of online tracking (art. 5(1)a and art. 6 GDPR);
- It does not adhere to the principles of accountability, security, and privacy by design, as IAB has not proved to the authority that it can ensure the exercise of data subjects’ rights and monitor the authenticity and integrity of user preferences.
- IAB Europe’s incorrect designation as a data controller and, as a result, failure to comply with the corresponding obligations, including the appointment of the DPO, the creation of processing registers, and a DPIA connected to the TCF (indeed large-scale processing).
IAB Europe has six months to revamp the TCF to comply with the Belgian DPA’s requirements and must submit a two-month action plan outlining how it intends to do so.
IAB Europe
IAB Europe responded that it is considering options to challenge the Belgian Data Protection Authority's decision that it is a data controller under the TCF, which makes it responsible for all data processing, storage, and usage when publishers use TCF permission strings for programmatic advertising.
According to IAB Europe, the TCF was not deemed illegal. The DPA's ruling says six months is sufficient time to resolve the issues.
However, if IAB Europe fails to comply with the Belgian DPA's judgement in the case, this will necessitate the retroactive erasure of any OpenRTB consent data collected via the framework. If that occurs, it might be a game-changer for open web programmatic in Europe.
This decision comes in the context of various regulatory and industry shifts affecting the AdTech ecosystem. More publishers, marketers, and thought leaders in the industry are wondering how they can provide privacy-driven experiences.
The Belgian DPA's ruling found underlying compliance difficulties with real-time bidding. As a result, the industry must collaborate to improve existing standards or frameworks that foster confidence between publishers, advertisers, and consumers. First-party data and cookie blocking solutions are likely to become increasingly relevant in the future.
Publishers that rely on the TCF may consider switching to an alternate consent and preference management system in order to comply with the GDPR. After removing the TCF, publishers may need to block AdTech signals until the audience ultimately provides approval.
How Is Seers Responding? (IAB Europe)
Seers is monitoring the situation very closely and has taken some necessary actions until we see some positive development from IAB Europe. We have removed the IAB TCF banner from our CMP. We have also asked all of our customers to move to the non-IAB banner. Customers have the option of loading non-personalized or relevant advertisements until the website visitor approves.