EU Supervisory Authorities Led by the Belgian DPA Find IAB Europe’s TCF Infringes EU Data Protection Rules
On February 2, 2022, the Belgian Data Protection Authority (the ‘Belgian DPA’) imposed a number of sanctions against Interactive Advertising Bureau Europe (‘IAB Europe’), for alleged violations of the EU General Data Protection Regulation (the ‘GDPR’) by its Transparency and Consent Framework (the ‘TCF’).
TCF is developed by IAB Europe, in partnership with IAB Tech Lab. It aims to help companies collect and transmit users’ preferences, including as to whether they agree to have their data processed for the purpose of receiving personalized advertising when they browse websites or use apps. Users express their preferences by accepting or denying having cookies and similar tracking technologies accessed/stored on their personal devices. TCF is therefore used by a full range of parties participating in the digital advertising ecosystem, from advertisers and publishers to adtech companies (DSPs, SSPs, ad network providers), which act on users’ preferences (for example, processing data of users who accepted cookies, to show them a personalized ad). According to IAB Europe, TCF was designed as a tool to comply with the consent requirements of the ePrivacy Directive and the GDPR.
However, the Belgian DPA has found that the TCF violates the GDPR by sharing user data on a massive scale without users having a sufficient degree of knowledge or control over such processing.
The concrete implications of this sanction for the adtech industry and for the wider industry are still uncertain. While the economic sanction is a relatively modest EUR 250,000 fine, the DPA required IAB Europe to undertake major changes to the TCF framework, including prohibiting TCF members from continuing to rely on legitimate interest as a legal basis, reinforcing the way Cookie Management Platforms (CMPs) inform users and obtain their consent to personalized advertising, as well as implementing more robust monitoring of the actors involved in TCF.
How does TCF work?
The framework is widely used by organizations relying on the OpenRTB protocol when trading (i.e., ‘Real Time Bidding’ or ‘RTB’) in programmatic advertising. Real Time Bidding allows advertisers to instantly offer and bid for advertising real estate, in order to display ads tailored to individuals accessing specific pages or apps.
Under the TCF, websites (referred to as publishers) use CMPs to capture users’ consent and/or their objection to companies’ legitimate interest to collect and share users’ data for various purposes, in particular advertising, in relation to various vendors. This usually takes the form of cookie banners, which users have to accept or deny, accompanied by cookie policies and cookie management/preference centers. Together, these tools provide users with more granular information about the purposes of the cookies, the related processing, and the vendors setting such cookies. CMPs record users’ consent or lack thereof.
Under the TCF protocol, users’ preferences must be embedded in a ‘TC String’, which signals whether companies sharing this data have a legal basis to do so. To this end, among others, TCF provides for the placement of a cookie on a user’s device, which, when combined with the TC String, allows the user preferences to be linked with their IP address, making them identifiable (and therefore, personal data).
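To make concrete what a TC String actually signals, the following added example (not IAB Europe’s or IAB Tech Lab’s code) decodes the core segment of a TCF v2 TC String in Python, following the published v2.0 core-segment bit layout. The sample string is the public example from the IAB TCF v2 documentation as recalled here, and li_only_vendors is a hypothetical helper that surfaces vendors present in the signal under legitimate interest alone, the legal basis at issue in the decision.

```python
import base64

# Sample TC String: the public example from the IAB TCF v2 docs (as recalled; decodes to consent for purposes 1-3, vendors 2, 6, 8).
SAMPLE_TC_STRING = "COvFyGBOvFyGBAbAAAENAPCAAOAAAAAAAAAAAEEUACCKAAA"

class BitReader:
    """Sequential big-endian bit reader over one base64url-encoded segment."""
    def __init__(self, segment):
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        self.bits, self.pos = "".join(f"{b:08b}" for b in raw), 0

    def read(self, n):
        value, self.pos = int(self.bits[self.pos:self.pos + n], 2), self.pos + n
        return value

    def read_set(self, n):
        return {i + 1 for i in range(n) if self.read(1)}   # 1-based ids whose flag is set

    def read_vendor_section(self):
        """Vendor consent / vendor LI section: MaxVendorId, then a bitfield or range list."""
        max_id = self.read(16)
        if not self.read(1):                        # IsRangeEncoding = 0 -> plain bitfield
            return self.read_set(max_id)
        ids = set()
        for _ in range(self.read(12)):              # NumEntries range entries
            is_range, start = self.read(1), self.read(16)
            ids.update(range(start, (self.read(16) if is_range else start) + 1))
        return ids

def decode_core(tc_string):
    """Parse the core segment (first dot-separated segment) of a TCF v2 TC String."""
    r = BitReader(tc_string.split(".")[0])
    core = {"version": r.read(6)}
    if core["version"] != 2:
        raise ValueError("not a TCF v2 TC String")
    core["created_ds"], core["last_updated_ds"] = r.read(36), r.read(36)     # deciseconds since epoch
    core["cmp_id"], core["cmp_version"], core["consent_screen"] = r.read(12), r.read(12), r.read(6)
    core["language"] = chr(65 + r.read(6)) + chr(65 + r.read(6))
    core["vendor_list_version"], core["policy_version"] = r.read(12), r.read(6)
    core["service_specific"], core["non_standard_stacks"] = bool(r.read(1)), bool(r.read(1))
    core["special_feature_opt_ins"] = r.read_set(12)
    core["purposes_consent"] = r.read_set(24)       # purposes the user consented to
    core["purposes_li"] = r.read_set(24)            # purposes with LI transparency (no objection)
    core["purpose_one_treatment"], core["publisher_cc"] = bool(r.read(1)), chr(65 + r.read(6)) + chr(65 + r.read(6))
    core["vendor_consent"], core["vendor_li"] = r.read_vendor_section(), r.read_vendor_section()
    return core

def li_only_vendors(core):
    """Vendors the string carries on legitimate interest alone, with no consent signal."""
    return core["vendor_li"] - core["vendor_consent"]
```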
What are the Belgian DPA’s findings about?
The Belgian DPA maintains that IAB Europe is a data controller and reaches several findings against IAB Europe, which can be divided into two distinct categories. First, IAB Europe is accused of having processed personal data in breach of the GDPR; second, IAB Europe allegedly violated the GDPR by setting up a framework which itself violates the GDPR. The second category of wrongdoings relies on the Court of Justice of the European Union (‘CJEU’) judgment in Jehovah’s Witnesses (C-25/17), in which the CJEU established that access to personal data is not required in order for an entity to act as a data controller.
The first category includes alleged wrongdoings related to the processing of users’ preferences (e.g., registering whether a user consented to accept cookies for different purposes). Essentially, the DPA considers that the collection/storage/dissemination of such consents constitutes processing of personal data under the GDPR.
The Belgian DPA considers that IAB Europe is a joint controller for the registration of the consent signal, objections and user preferences by means of the TC String. Publishers and CMPs are deemed to be joint controllers.
As for the specific wrongdoings, the Belgian DPA concludes that:
- Users are not informed anywhere of the lawful basis for the processing by CMPs of their own individual preferences in relation to purposes and permitted adtech vendors, which takes place through the TC String. The DPA also finds that users are not informed of the recipients of such preferences, nor of how long their preferences are stored.
- CMPs fail to obtain unambiguous consent of users before capturing their preferences in a TC String, which is placed on the end devices of users by means of a euconsent-v2 cookie to which users’ IP addresses are linked. It also considers that CMPs/IAB Europe lack a legitimate interest.
- Under the GDPR, data controllers have to be able to demonstrate that the data subject has consented (Art 7.1). In principle, keeping a record that a data subject consented would be in line with the GDPR. In this case, the Belgian DPA does not assess the processing of the TC String by CMPs from this perspective, probably because: (a) data of non-consented users is also recorded, and (b) because in both cases, in addition to capturing users’ preferences in a TC String, the concern relates to the transfers of such consent to third party vendors.
The second category of wrongdoings refers to the TCF framework itself. The framework is composed of TCF policies and technical specifications. The wrongdoings under this category are mainly related to the way the framework provides for individuals to be informed, and obtains legal grounds in relation to the purposes for which their data will be processed. In particular, the DPA concludes that the TCF framework:
- Provides inadequate information: Does not provide for sufficiently clear processing purposes (and in some cases the purposes are even misleading). The notice provided to users when they interact with the TCF through the CMP is inadequate and does not allow users to understand the processing under the TCF.
- It does not provide for an adequate protocol to obtain valid consent. This is because it does not provide a simple list of recipients of the information nor an overview of the categories of data collected. This is even more so given that the data is further enriched by the DSPs, making it impossible to provide, a priori, meaningful consent. As a result of the above, it concludes that consent to cookies under the TCF is not valid consent. This is probably one of the most important findings of the DPA decision. The DPA assesses and concludes that legitimate interest of the participating organizations does not outweigh the protection of the fundamental rights and freedoms of the data subjects. This is in line with the ePrivacy Directive, given that it does not allow for legitimate interest to be the legal basis for setting/accessing cookies. Interestingly, the decision of the Belgian DPA seems to ignore the existence/application of Art 5.3 of the ePrivacy Directive requiring consent for cookies, which are not strictly necessary. Instead, it assesses the application of the GDPR.
- Right to withdraw: TCF does not provide for proactive communication of updated consent preference signals to adtech vendors. This seems to ignore that currently publishers (and adtech vendors) have to ensure that individuals have a right to withdraw consent, which is often provided by a dedicated withdrawal option on each website (sometimes vendors provide a universal opt-out option). The Belgian DPA decision seems to imply that there should be a universal right to withdraw.
- Lack of security in the TCF protocol: IAB Europe allegedly failed to implement appropriate technical and organizational measures to ensure an effective exercise of user (data subject) rights, and to monitor the validity and integrity of user choice. The Belgian DPA considers that the initiative to introduce the TCF Vendor Compliance Program is insufficient to bring the defendant into compliance with the security obligation. An example of measures to be put in place under Art. 32 of the GDPR is a strict vetting process for organisations participating in the TCF.
- DPO, ROPs and DPIA: IAB Europe has also allegedly failed to maintain records of processing activities, appoint a DPO, and conduct the required data protection impact assessment (‘DPIA’) in relation to the TCF network.
Regulatory unity after all?
Although the investigation is the result of the Belgian DPA’s efforts that started in late 2019, after the Belgian DPA received a number of complaints against the Belgium-based IAB Europe’s TCF, the finalized decision of February 2, 2022 carries a newly found message of unity from the EEA supervisory authorities.
The decision by the Belgian DPA has been issued following the approval of all concerned EEA supervisory authorities. According to the Belgian DPA, national supervisory authorities from 21 EEA countries have indicated their willingness to act as concerned supervisory authorities, namely Austria, Croatia, Cyprus, Czechia, Denmark, Finland, France, Germany (Berlin, Rhineland-Palatinate, North Rhine-Westphalia, Saarland, Lower Saxony, Brandenburg, Mecklenburg-Western Pomerania, Bavaria), Greece, Hungary, Ireland, Italy, Latvia, Luxembourg, the Netherlands, Norway, Poland, Portugal, Slovenia, Spain, and Sweden.
Sanctions
In addition to the EUR 250,000 administrative fine, the Belgian DPA imposed a number of other sanctions that have the potential to significantly affect the TCF and, by extension, the RTB network. Most notably, IAB Europe is to:
- Provide a valid legal basis for the processing and dissemination of users’ preferences within the TCF;
- Prohibit (via the TCF ToU) the organizations participating in the TCF from relying on legitimate interests as a legal ground for processing under the TCF;
- Vet all participating organizations vis-à-vis their GDPR compliance; and
- Prevent TCF consent checkboxes (slider buttons, etc.) from being ticked or selected by default in the CMP and prevent automatic authorization of participating organizations relying on legitimate interest.
The Belgian DPA also implied that all personal data collected so far by means of a TC String shall be deleted without undue delay. These measures should be adopted within a maximum period of six months, following the Belgian DPA’s validation of an action plan, which IAB Europe is required to submit to the Belgian DPA within two months after the date of the Decision.
What’s next?
The Decision can be appealed before the Belgian Market Court within 30 days from its notification (i.e., before March 4, 2022). When appealing the Decision, IAB Europe can also request the Market Court to suspend the enforcement of the Decision until the end of the appeal process. We anticipate IAB Europe will avail themselves of this right. Meanwhile, the Decision is provisionally enforceable (with the exception of the order to delete personal data).
Belgian courts may (and probably should) consider referring preliminary questions to the CJEU, given the breadth of the questions raised in this sanction.
Future potential courses of action/consequences
In the meantime, most actors in the advertising ecosystem, who participate in different roles in the TCF, may be wondering how to approach this Decision. In the short term, they may want to keep a close eye on the developments, in particular IAB Europe’s likely decision to appeal the decision and/or IAB Europe’s changes to the TCF framework.
Independent of the Belgian DPA/Courts proceedings, IAB Europe may decide to present a plan to the Belgian DPA in order to produce a revised TCF framework, which meets the regulators’ concerns fully or partially. Constructive engagement with the DPA may be a positive way forward, which is likely to require focusing on the following aspects:
- Structural changes to the TCF framework: While some of the DPA sanctions/remedies would not be particularly cumbersome for IAB (appointing a DPO, or inserting an additional consent for the setting of a cookie recording/allowing for the distribution of user preferences), other findings would require more substantive changes to the TCF framework. This may be the case for the removal of legitimate interest as a lawful basis, for enhancing the description of the various purposes of processing in order to obtain valid consent, and for adding veto powers in relation to vendors who wish to participate in the TCF.
- CMPs: An important number of alleged wrongdoings focus on the CMP integration of the TCF framework. CMPs are likely to need to change the user interface, providing enhanced transparency regarding the purposes of the processing, the types of data processed, and third party vendors. This is in addition to having to obtain consent for the storage of users’ preferences in relation to the TC String. In some cases, the Belgian DPA considers them to be joint controllers with publishers (and not processors), which means that the contractual framework between CMPs and publishers will need to be adjusted accordingly.
- Publishers: Changes to the CMP interface will in turn mean that changes to publishers’ websites may also be needed.
- Adtech vendors should expect more scrutiny from IAB Europe and publishers, given the Belgian DPA’s request that IAB Europe monitor and vet vendors, with the objective of guaranteeing the integrity of the consent signals and ensuring that vendors only honor reliable signals.
We will continue analyzing the Decision and monitoring developments.
Read all 127(!) pages of the Belgian DPA’s decision here and a much more digestible press release here.
Read IAB Europe’s reaction here.