Belgian DPA imposes fine of €250.000 after finding TCF cookie mechanism infringes the GDPR

February 4, 2022

Following the French CNIL’s recent decision about cookie consents, the Belgian data protection authority has issued a ruling stating that the TCF developed by Interactive Advertising Bureau Europe (IAB Europe) fails to comply with a number of provisions of the GDPR. The TCF is a widespread mechanism that facilitates the management of users’ preferences for online personalised advertising, and that plays a pivotal role in Real Time Bidding (RTB). The Belgian DPA imposed a €250.000 fine on the company, and is giving IAB Europe two months to come up with an action plan to bring its activities into compliance.

Since 2019, the Belgian DPA has received a series of complaints which challenged the conformity of the TCF with the GDPR. Ironically, the TCF was actually developed to contribute to compliance with the GDPR by organisations relying on the OpenRTB protocol which is widely used for RTB.

When users visit a website or application for the first time, an interface (a Consent Management platform or CMP) will pop up where the user may consent to the collection and sharing of their personal data, or object to various types of processing based on the legitimate interests of ad tech vendors. The TCF facilitates the capture, through the CMP, of the users’ preferences which are then shared with the organisations using the OpenRTB system. It places a cookie on the user’s device. These can be linked to the IP address of the user, therefore making the author of the preferences identifiable. The TCF plays a pivotal role in the architecture of the OpenRTB system, as it is the expression of users’ preferences regarding potential vendors and various processing purposes, including offering tailor-made advertisements.

IAB Europe claimed that it was not a data controller, but the Litigation Chamber of the BE DPA found that it was because of the registration of individual users’ consent signal, objections and preferences by means of the unique Transparency and Consent (TC) String, which is linked to an identifiable user. This means that IAB Europe can be held responsible for possible violations of the GDPR.

Following this, the Belgian DPA identified a series of GDPR infringements by IAB Europe :

  • Lawfulness: IAB Europe failed to establish a legal basis for processing the TC String, and the legal grounds offered by the TCF for the subsequent processing by adtech vendors are inadequate;
  • Transparency and information of the users: the information provided to users through the CMP interface is too generic and vague to allow users to understand the nature and scope of the processing, especially given the complexity of the TCF. Therefore, it is difficult for users to maintain control over their personal data;
  • Accountability, security and data protection by design/by default: in the absence of organisational and technical measures in accordance with the principle of data protection by design and by default, including to ensure the effective exercise of data subject rights as well as to monitor the validity and integrity of the users’ choices, the conformity of the TCF with the GDPR is neither adequately guaranteed nor demonstrated;
  • Other obligations relating to a controller processing personal data on a large-scale: IAB Europe has failed to keep a register of processing activities, to appoint a DPO and to conduct a data protection impact assessment.

In view of these infringements, the Litigation Chamber has decided to impose serious sanctions, particularly because the TCF may lead to a loss of control of personal information by large groups of citizens. It therefore imposed an administrative fine of 250.000 EUR on IAB Europe. It has also ordered IAB Europe to take the following corrective measures aimed at bringing the current version of the TCF into compliance with the GDPR:

  • the establishment of a valid legal basis for the processing and dissemination of users’ preferences within the context of the TCF, as well as the prohibition of the use of legitimate interest as a basis for the processing of personal data by organisations participating in the TCF;
  • the strict vetting of participating organisations to ensure that they meet the requirements of the GDPR.

The draft decision has been examined within the cooperation mechanism of the GDPR (the “one-stop-shop mechanism”). Following scrutiny and amendment, the decision was approved by the data protection authorities in the EEA.

The Belgian DPA is giving IAB Europe two months to present an action plan to implement these corrective measures. The decision can be appealed.