The Belgian Data Protection Authority (DPA) ruled that the Transparency and Consent Framework (TCF) does not comply with the General Data Protection Regulation (GDPR). Developed by Interactive Advertising Bureau Europe (IAB Europe), this framework is a mechanism that facilitates the management of user preferences for online personalized advertising.
The GBA (the Dutch abbreviation for the Belgian DPA) has imposed a fine of 250,000 euros on IAB Europe. The organization also has two months to present an action plan for improvement.
The GBA has received complaints about IAB Europe since 2019. The complaints showed that the TCF does not comply with the GDPR. On February 2, the Belgian counterpart of the Dutch Data Protection Authority pronounced the verdict that the complaints were well-founded. The decision is supported by all other relevant GDPR authorities, representing almost all 30 countries in the European Union.
David Stevens, President of the GBA, is proud: “Brave little Belgium has once again shown that it is not afraid to tackle important issues, such as this one, which really concerns all European citizens who shop, work or play online. Online privacy and the fight against overly intrusive forms of advertising is a top priority for us.”
The problem of cookie permissions
The IAB Europe TCF is designed to facilitate compliance with the GDPR. It is specifically intended for organizations using the OpenRTB protocol. This is one of the most widely used ‘Real-Time Bidding’ protocols, for selling advertising space. In short, Real-Time Bidding is an instant, automated auction of user profiles. If a website contains advertising space, advertisers can constantly bid on this space through the auction system.
For targeted advertisements, it is necessary to have a user profile of the visitor. This profile is created by means of cookies, among other things. You give (or refuse) permission to place cookies in those well-known pop-ups. These are called Consent Management Platforms (CMPs). The TCF comes into the picture within these platforms.
The TCF facilitates the recording of user preferences via the CMP. These preferences, for example that you refuse advertising cookies, are stored in a TC string. This string is shared with the organizations participating in the OpenRTB system. In addition, the CMP places a cookie, named euconsent-v2, on the website visitor’s device. This cookie, together with the TC string, is associated with your IP address. This way your preferences can be traced directly back to you.
Infringement of the GDPR
The TCF plays a key role in the OpenRTB system, as it represents the preferences you can choose. The DPA therefore takes the view that IAB Europe is the controller when it comes to the registration of consents. However, this process did not comply with the GDPR. The following violations have been identified:
- Lawfulness. IAB Europe has not established a legal basis for the processing of the TC string. In addition, the legal grounds for further processing by adtech sellers are insufficient.
- Transparency and information of the users. The information in the CMP interfaces is too general and vague to understand. As a result, users cannot properly control their personal data.
- Accountability, Security and Data Protection by Design and by Default. IAB Europe has not taken sufficient organizational and technical measures to protect personal data. It is also hardly possible to guarantee and control the rights of users.
- Other obligations of the controller who processes personal data on a large scale. IAB Europe has not maintained a record of processing activities, has not appointed a Data Protection Officer and has not conducted a data protection impact assessment.