The Transparency and Consent Framework is a widely-used mechanism that facilitates the management of users’ preferences for online personalised advertising.
Following the French CNIL’s recent decision about cookie consents, the Belgian data protection authority has issued a ruling stating that the TCF developed by Interactive Advertising Bureau Europe (IAB Europe) fails to comply with a number of provisions of the GDPR. The TCF is a widespread mechanism that facilitates the management of users’ preferences for online personalised advertising, and that plays a pivotal role in Real Time Bidding (RTB). The Belgian DPA imposed a €250.000 fine on the company, and is giving IAB Europe two months to come up with an action plan to bring its activities into compliance.
Since 2019, the Belgian DPA has received a series of complaints which challenged the conformity of the TCF with the GDPR. Ironically, the TCF was actually developed to contribute to compliance with the GDPR by organisations relying on the OpenRTB protocol which is widely used for RTB.
When users visit a website or application for the first time, an interface (a Consent Management platform or CMP) will pop up where the user may consent to the collection and sharing of their personal data, or object to various types of processing based on the legitimate interests of ad tech vendors. The TCF facilitates the capture, through the CMP, of the users’ preferences which are then shared with the organisations using the OpenRTB system. It places a cookie on the user’s device. These can be linked to the IP address of the user, therefore making the author of the preferences identifiable. The TCF plays a pivotal role in the architecture of the OpenRTB system, as it is the expression of users’ preferences regarding potential vendors and various processing purposes, including offering tailor-made advertisements.
IAB Europe claimed that it was not a data controller, but the Litigation Chamber of the BE DPA found that it was because of the registration of individual users’ consent signal, objections and preferences by means of the unique Transparency and Consent (TC) String, which is linked to an identifiable user. This means that IAB Europe can be held responsible for possible violations of the GDPR.
Following this, the Belgian DPA identified a series of GDPR infringements by IAB Europe :
In view of these infringements, the Litigation Chamber has decided to impose serious sanctions, particularly because the TCF may lead to a loss of control of personal information by large groups of citizens. It therefore imposed an administrative fine of 250.000 EUR on IAB Europe. It has also ordered IAB Europe to take the following corrective measures aimed at bringing the current version of the TCF into compliance with the GDPR:
The draft decision has been examined within the cooperation mechanism of the GDPR (the “one-stop-shop mechanism”). Following scrutiny and amendment, the decision was approved by the data protection authorities in the EEA.
The Belgian DPA is giving IAB Europe two months to present an action plan to implement these corrective measures. The decision can be appealed.