The Bottom Line
- The EU’s decision has struck at the heart of the ad tech industry’s system designed to ensure compliance with the GDPR when personal data is collected for retargeting.
- The program behind the scenes when an EU data subject sees a cookie banner may require significant modifications.
The Belgian Data Protection Authority (DPA) has ruled that the Transparency and Consent Framework (TCF) adopted by Europe’s ad tech industry violates the General Data Protection Regulation (GDPR).
The decision, announced yesterday, came in response to complaints filed against Interactive Advertising Europe (IAB Europe) by Dr. Johnny Ryan of the Irish Council for Civil Liberties and others asserting that the TCF breached various provisions of the GDPR with respect to the large-scale processing of personal data. IAB Europe represents the digital advertising and marketing industry in Europe.
The regulators found that IAB Europe is a “data controller” within the meaning of the GDPR and ordered it to bring its processing of personal data in line with the GDPR within six months following the validation of an action plan by the DPA in Belgium, where IAB Europe has its registered office. That plan is due within two months of this decision.
Publishers and consent management platforms (CMPs) may need to remove all personal data collected under the TCF since this data was not collected in compliance with the GDPR and is in essence fruit from the poisonous tree.
In a statement, IAB Europe said that it would work with the Belgian DPA “to ensure the TCF’s continuing utility in the market.” IAB Europe added that it rejected the finding that it is a data controller in the context of the TCF and indicated that it is “considering all options with respect to a legal challenge.” It has one month to appeal the Litigation Chamber’s ruling.
The TCF
IAB Europe developed the TCF in an effort to satisfy the GDPR requirement to have a legal basis for any processing of personal data and storing and accessing of information on a user’s device. Under the TCF, when an internet user visits a publisher’s site and sees a pop-up banner, the user typically consents to the collection and sharing of the user’s personal data, such as retargeting cookies. At that point, a “TC String” is generated and a cookie is placed on the user’s device or an existing cookie is updated. Legitimate interest is also an option under the program.
The TCF passes the user’s consent to ad tech and other companies in Europe, which then rely on that consent to collect and share a user’s personal data to deliver targeted advertisements based upon that data.
The Findings
The regulators found that the TCF involves the processing of personal data within the meaning of the GDPR. It also decided that IAB Europe’s responsibility goes “beyond merely designing a framework,” that it determines the “means of generating, storing and sharing the TC String by which the preferences, objections and consent of users are processed,” and that IAB Europe is a data controller within the meaning of the GDPR. As a result, IAB Europe has not met all of its obligations under the GDPR as a data controller.
Moreover, the regulators decided that TCF participants may be “joint data controllers” for the collection and dissemination of users’ preferences, objections and consent and for the subsequent processing of their personal data.
The regulators concluded that IAB Europe had not demonstrated a valid legal basis to permit the processing of personal data under the TCF in its current format. Currently, (i) consents are invalid because users are not given specific, informed and granular consent and (ii) legitimate interest is invalid because the interests of the data subjects outweigh the interests of the TCF participants.
Sanctions
The regulators ordered IAB Europe to, among other things:
- Establish a legal basis for the processing and sharing of user preferences in the context of the TCF;
- Conduct strict audits of organizations that join the TCF;
- Prevent consent from being ticked by default in cookie banners;
- Maintain records of processing activities;
- Carry out a “data protection impact assessments”; and
- Designate a Data Protection Officer responsible for ensuring the compliance of personal data processing activities in the context of the TCF.
These compliance measures must be completed within six months following the validation of an action plan by the Belgian DPA, which IAB Europe must submit to the Litigation Chamber within the next two months.
The Litigation Chamber also imposed an administrative fine on IAB Europe in the amount of EUR 250,000.