

Belgian DPA determines serious GDPR breaches in IAB Europe’s Transparency & Consent Framework (TCF)

Publications | Steven de Schrijver / Jan van Loon

The TCF framework is widely used across Europe for online advertising to manage the preferences of users, including pop-ups asking for consent to use cookies for data tracking in online advertising (Consent Management Platform (CMP)), as well as real-time bidding in programmatic advertising through the OpenRTB protocol. The consent popup system can be found on 80% of the European Internet.

The Belgian DPA’s landmark decision, which it made as lead supervisory authority together with 35 other DPAs, has identified a series of GDPR infringements by IAB Europe, which was found to act as data controller with respect to the registration of data subjects’ consent signals, objections and preferences by means of a unique Transparency and Consent (TC) string, linked to an identifiable user. In summary, the DPA concluded that:

• IAB Europe did not establish a legal basis for the processing of the TC String, while the legal grounds offered by the TCF for further processing by adtech vendors are inadequate;

• the information provided to data subjects through the CMP is too generic and vague to allow them to understand the nature and scope of the data processing, especially given the complexity of the system. Data subjects can therefore not maintain sufficient control over their personal data;

• there were no organizational and technical measures in accordance with the principle of data protection by design and by default, nor was it possible to effectively exercise data subject rights or to monitor the validity and integrity of choices made; and

• IAB Europe failed to fulfil other standard GDPR obligations on a large scale, including keeping a register of data processing activities, appointing a DPO and conducting a data protection impact assessment (DPIA).

Due to the serious infringements, the Belgian DPA’s Litigation Chamber has imposed an administrative fine of 250.000 EUR. Apart from this, it has ordered the company to undertake a series of corrective measures within six months to bring the current version of the TCF into compliance with the GDPR, including:

• the establishment of a valid legal basis for the personal data processing within the TCF, and the prohibition to use legitimate interest as a basis for further processing by organizations participating in the TCF;

• the strict vetting of participating organizations in order to ensure that they meet the requirements of the GDPR; and

• meeting basic GDPR requirements, including carrying out a DPIA, appointing a DPO and taking the necessary technical and organizational measures.

An action plan must be provided by IAB Europe to the DPA within two months, subject to a penalty payment of 5.000 EUR per day in case of failure to comply with this time limit.

The decision has serious consequences for cookie management and many advertisers across the European Union who are coping with further restrictions to consumer data and may have to look for alternative tracking solutions. Moreover, as a consequence of the decision, all data that was collected via TCF will have to be deleted as it was unlawfully processed. It also remains to be seen how the TCF will be made GDPR compliant. The decision is still appealable. IAB Europe, which does not agree with its qualification as data controller, is ‘looking at all options’.