In the last month, countless news articles have been published about the Belgian Data Protection Authority (DPA) ruling against IAB Europe for alleged violations of the GDPR through its Transparency and Consent Framework (TCF). What have been the IAB’s breaches and what are the implications of this ruling?
In this article, we want to outline the essence of the Belgian DPA ruling against IAB Europe and why our clients relying on the TCF framework shouldn’t worry.
However, before diving into the ruling and its implications, it is worth mentioning that the IAB TCF is a framework that allows publishers and broadcasters to configure the legal basis they deem most appropriate, whether it be consent or legitimate interest.
Following Article 6 of the GDPR, you must have a legal basis for collecting data. That legal basis can be obtained, among other means, through consent or legitimate interest.
Additionally, and as a starting point, you must take into account the difference between measurement and targeting, given that this ruling puts particular emphasis on targeting services and not on measurement activities.
The IAB TCF framework operates with 12 different purposes ranging from traditional web analytics to personalised targeting. Each purpose can be configured with a different legal basis. The ruling in question puts particular emphasis on the TCF purposes related to targeting.
Now, what have been the IAB’s breaches?
From the eight GDPR breaches found in the judgement, most of the concern was about the legal basis for collecting data. Therefore, this article will describe in-depth what have been the breaches in terms of both legitimate interest and consent.
As to legitimate interest, relying on legitimate interest as a legal basis under EU laws means that you need to carry out an assessment that considers whether the processing is actually necessary – or whether another less intrusive method could be used to achieve the same result.
Furthermore, you must perform a legitimate interest balancing test, which considers whether you are protecting people’s rights and freedoms.
In this regard, the Belgian DPA found that the IAB failed to provide evidence that the interests, in particular the fundamental rights and freedoms, of data subjects were adequately considered in the process. But again, only when it comes to targeting.
“(…) The question is then to what extent the organisations participating both in the TCF and the OpenRTB (adtech vendors) can legitimately rely on Article 6.1.f GDPR for the predefined processing purposes that entail targeted advertising or profiling of the users, as opposed to non-marketing related purposes such as audience measurement and performance measurement (…)” (para. 441).
And in relation to this, it looks like legitimate interest will most likely be banned from the TCF framework, at least for targeting purposes.
However, in our case, though we offer both measurement and targeting services, AudienceProject’s TCF configuration only allows consent as the legal basis for targeting purposes, not legitimate interest. Regarding measurement, our TCF services also support non-PII logging on non-consented events.
Hence, regardless of whether we are doing measurement or targeting activities with you under the TCF framework, it would be lawful in any case.
As to consent, the Belgian DPA found that the IAB’s TCF consent was not lawful because it was not given in a sufficiently specific, informed, and granular manner, as clearly required by the GDPR.
Article 7 of the GDPR clearly states that consent must be freely given, informed, unambiguous, distinguishable from other matters, and presented in clear and plain language.
Hence, the Belgian DPA has urged the IAB to amend its consent framework in order to make it GDPR compliant.
In relation to this, there is nothing in the Belgian DPA’s decision that suggests that consent prompts are illegal or that they should not be employed by the digital advertising ecosystem to comply with legal requirements under the EU’s data protection framework.
“(…) By establishing a legal basis for the processing as well as the sharing of user preferences in the context of the TCF (…)” (para. 536).
“(…) By requiring TCF-registered CMPs to take a harmonised and GDPR-compliant approach regarding the information to be provided to users through their interface. The information, which covers the categories of data collected, the purposes for which they are collected, and the applicable legal grounds (…)” (para. 536).
The Belgian DPA ruling just appears to require the disclosure of additional information in consent pop-ups to request additional consent for personal data collection and processing to store user preference signals.
“(…) The consent of the data subjects is currently not given in a sufficiently specific, informed and granular manner (…)” (para. 535).
“(…) The Litigation Chamber orders the defendant to render the TCF compliant with the obligation of lawfulness, fairness and transparency (Articles 5.1.a and 6 GDPR), by establishing a legal basis for the processing (…)” (para. 536).
Hence, when it comes to consent, the IAB has only been asked to amend how consent is asked from data subjects because it did not meet the GDPR requirements. They have to make sure consent is specific, informed, given in a granular manner, unambiguous… (see Article 7 of the GDPR).
See the official ruling from the Belgian DPA here.
Furthermore, you must not forget that the Belgian DPA ruling is an administrative decision, and thus the IAB has the right to appeal the ruling (as it has done), which means that the decision is not yet final and binding.
Consequently, the Belgian DPA has not prohibited the TCF. Instead, they have been urged to amend their consent framework so it is conducted in a GDPR compliant manner.
Hence, the IAB will amend the mistakes and come up with a stronger, fully compliant renovated version.
And in the meantime, it is perfectly possible to rely on consent for the processing of data, as stated by IAB Europe on February 11, 2022, when their appeal was officially announced:
“(…) The APD’s decision only concerns IAB Europe, not any vendor, publishers or CMPs, but it does hint at the possibility of an order for a given publisher or CMP to delete TC Strings if they contain “personal data that has been collected in breach of Articles 5 and 6 GDPR”. This is nothing new: if personal data is collected in breach of the GDPR it cannot be processed. Yet no GDPR breach has been established for any vendor, publisher or CMP (…)”.
See IAB’s official communication on the matter here.
Consequently, the IAB’s TCF remains completely lawful for users to use, and data collected would only be unlawful if collected by any publisher, vendor or the like in breach of the minimum standards of the GDPR – as it has always been, regardless of this ruling.
Lastly, and as stated on IAB’s official statement on March 4, 2022, you must always keep in mind that the IAB operates by offering a minimum standard of compliance, to which vendors, publishers, and Consent Management Platforms can add at their own discretion.
“(…) The TCF lays down minimum requirements to help companies comply with a narrow range of requirements in the GDPR, notably to do with establishing a valid legal basis for data processing for advertising and content personalisation (…)”.
See IAB’s official communication here.
In this regard, AudienceProject’s configuration of the TCF framework is not solely based on the minimum standards granted by the IAB but goes beyond such minimum requirements to ensure compliance with the law. Hence, we are fully compliant with the GDPR.
Consequently, regardless of what the outcome of legitimate interest is as a legal basis within the TCF for targeting purposes, AudienceProject’s TCF configuration relies on consent when it comes to targeting, not legitimate interest. Thus, even if legitimate interest was banned for targeting purposes, it would not be an inconvenience for us, given that we do not rely on it. We fully rely on the consent of our clients for targeting services.
And as to consent, the IAB has just been asked to amend their wrong-doings. However, nothing in the ruling suggests that vendors, publishers or the like cannot rely on the framework.
Hence, you can rest assured that if you rely on the IAB TCF framework, you can continue doing business with us as usual and that the Belgian DPA ruling against the IAB’s TCF does not impede its use.