The Belgian data protection authority (DPA) has found that the Transparency and Consent Framework (TCF), developed by advertising body IAB Europe, does not comply with the GDPR.
TCF, which is responsible for the pop-ups that greet users of 80 per cent of European websites and is used by Google, Amazon, Microsoft and other advertisers to obtain consent, contravenes a number of provisions of the GDPR, the DPA found. The OpenRTB real-time bidding system used by advertisers, which is closely entwined with TCF, will also be affected by the ruling.
IAB Europe argued that the TCF pop-ups enable users to make informed choices about what happens to their data and are compliant with GDPR. It also claimed it was not a ‘data controller’ under GDPR when it came to processing user consent.
However, the Belgian DPA disagreed. It found that the system is not sufficiently transparent in allowing users to make an informed decision and that the activities of IAB Europe make it a data controller, and thus responsible for safeguarding the personal data.
Under the TCF scheme, users’ preferences are shared with organisations that participate in OpenRTB in the form of an encoded packet – a ‘TC String’. This lets those organisations know what the user has consented or objected to via their browser. However, the system places a ‘euconsent-v2’ cookie on the user’s device to store the consent data. When combined with the preferences, this can be linked to the user’s IP address, making the author of the preferences identifiable. Therefore, under the GDPR the consent information is personal data.
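The TC String held in the euconsent-v2 cookie is a packed bitfield, not an opaque token, so a privacy reviewer can read back exactly what a consent pop-up recorded. The following Python script is an added example (it is not code from the article, from IAB Europe or from any consent-management platform): it encodes and decodes the core segment of a TCF v2 TC String using the field widths published in the IAB TCF v2 consent-string specification, then reports which purposes and vendors were recorded under ‘consent’ versus ‘legitimate interest’. All sample values are constructed; the decoder handles only the plain bitfield vendor encoding and rejects range-encoded vendor sections rather than guessing.

```python
"""Encode/decode the TCF v2 core segment of a TC String (the value stored in the
euconsent-v2 cookie) and flag purposes or vendors recorded under legitimate interest.
Added example; field widths follow the public IAB TCF v2 consent-string spec."""
import base64
from datetime import datetime, timezone

# Core-segment fields and their widths in bits, in string order. Timestamps are
# deciseconds since the Unix epoch; language and country codes are two 6-bit letters.
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36),
    ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
    ("consent_language", 12), ("vendor_list_version", 12),
    ("tcf_policy_version", 6), ("is_service_specific", 1),
    ("use_non_standard_stacks", 1), ("special_feature_opt_ins", 12),
    ("purposes_consent", 24), ("purposes_li_transparency", 24),
    ("purpose_one_treatment", 1), ("publisher_cc", 12),
]


def _bits_to_set(value, width):
    """Bitfield -> set of 1-based ids; the bit for id n is the n-th from the MSB."""
    return {n for n in range(1, width + 1) if value >> (width - n) & 1}


def _set_to_bits(ids, width):
    return sum(1 << (width - n) for n in ids)


def _lang_to_int(cc):
    a, b = (ord(c.upper()) - 65 for c in cc)   # 'A' encodes as 0
    return (a << 6) | b


def _int_to_lang(v):
    return chr(65 + (v >> 6)) + chr(65 + (v & 0x3F))


def encode_core(fields, vendors_consent, vendors_li, max_vendor_id):
    """Build a core segment from a dict of raw field values plus two vendor-id sets.
    Both vendor sections use the bitfield encoding (is_range_encoding = 0)."""
    bits = "".join(format(fields[name], f"0{w}b") for name, w in CORE_FIELDS)
    for vendors in (vendors_consent, vendors_li):
        bits += format(max_vendor_id, "016b") + "0"          # MaxVendorId, IsRangeEncoding=0
        bits += "".join("1" if v in vendors else "0" for v in range(1, max_vendor_id + 1))
    bits += format(0, "012b")                                 # NumPubRestrictions = 0
    bits += "0" * (-len(bits) % 8)                            # pad to whole bytes
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")  # websafe base64, no padding


def decode_core(tc_string):
    """Parse the core segment (text before the first '.') of a TC String into a dict."""
    core = tc_string.split(".")[0]
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    bits = "".join(f"{b:08b}" for b in raw)
    pos = 0

    def read(width):
        nonlocal pos
        chunk = bits[pos:pos + width]
        if len(chunk) < width:
            raise ValueError("truncated TC String")
        pos += width
        return int(chunk, 2)

    out = {name: read(w) for name, w in CORE_FIELDS}
    if out["version"] != 2:
        raise ValueError(f"unsupported TC String version {out['version']}")
    for key in ("vendors_consent", "vendors_li"):
        max_id, is_range = read(16), read(1)
        if is_range:
            raise ValueError("range-encoded vendor section not handled by this example")
        out[key] = {v for v in range(1, max_id + 1) if read(1)}
    out["purposes_consent"] = _bits_to_set(out["purposes_consent"], 24)
    out["purposes_li"] = _bits_to_set(out.pop("purposes_li_transparency"), 24)
    out["special_feature_opt_ins"] = _bits_to_set(out["special_feature_opt_ins"], 12)
    out["consent_language"] = _int_to_lang(out["consent_language"])
    out["publisher_cc"] = _int_to_lang(out["publisher_cc"])
    for key in ("created", "last_updated"):
        out[key] = datetime.fromtimestamp(out[key] / 10, tz=timezone.utc)
    return out


def audit(decoded):
    """Findings a privacy reviewer would raise about a recorded TC String."""
    findings = []
    if decoded["purposes_li"]:
        findings.append("legitimate interest recorded for purposes "
                        + ",".join(map(str, sorted(decoded["purposes_li"]))))
    if decoded["vendors_li"]:
        findings.append(f"{len(decoded['vendors_li'])} vendor(s) rely on legitimate interest")
    if decoded["vendors_consent"] and not decoded["purposes_consent"]:
        findings.append("vendors hold consent although no purpose was consented to")
    return findings


# Constructed sample, not taken from any real CMP or website.
SAMPLE_FIELDS = {
    "version": 2, "created": 16440000000, "last_updated": 16440000000,
    "cmp_id": 123, "cmp_version": 4, "consent_screen": 1,
    "consent_language": _lang_to_int("EN"), "vendor_list_version": 120,
    "tcf_policy_version": 2, "is_service_specific": 1, "use_non_standard_stacks": 0,
    "special_feature_opt_ins": _set_to_bits({1}, 12),
    "purposes_consent": _set_to_bits({1, 2, 3}, 24),
    "purposes_li_transparency": _set_to_bits({7, 8}, 24),
    "purpose_one_treatment": 0, "publisher_cc": _lang_to_int("BE"),
}
SAMPLE_TC = encode_core(SAMPLE_FIELDS, vendors_consent={1, 5, 10}, vendors_li={5}, max_vendor_id=12)

if __name__ == "__main__":
    d = decode_core(SAMPLE_TC)
    print("TC String:", SAMPLE_TC)
    print("created:", d["created"], "cmp:", d["cmp_id"], "lang:", d["consent_language"])
    print("consent purposes:", sorted(d["purposes_consent"]), "LI purposes:", sorted(d["purposes_li"]))
    for finding in audit(d):
        print("FINDING:", finding)
```

Pointing `decode_core` at the value of a real euconsent-v2 cookie shows the same picture for a live site: the creation timestamp, the CMP that produced it and the per-purpose and per-vendor bases, which is what a compliance review needs after this ruling.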
The Belgian DPA identified several ways in which IAB has infringed the GDPR, including: failing to establish a legal basis for processing and sharing the TC String; using pop-up designs that make it hard for users to easily understand and control what’s happening with their data; neglecting to implement the principle of “data protection by design and by default”; and failing in other duties, including properly accounting for its personal data processing.
On the question of its status under GDPR, the watchdog found that IAB Europe is “acting as a data controller with respect to the registration of individual users’ consent signal, objections and preferences by means of a unique Transparency and Consent (TC) String, which is linked to an identifiable user”.
“This means that IAB Europe can be held responsible for possible violations of the GDPR”, it said in a statement.
The Belgian DPA imposed an administrative fine of €250,000 on IAB Europe, and ordered the company to come up with measures to bring TCF into compliance with the GDPR within two months.
The ruling also prohibits the use of ‘legitimate interest’, a loophole used by publishers and advertisers, as a basis for the processing of personal data by organisations participating in the TCF.
The decision was made in agreement with 27 other EU data protection authorities, and is immediately binding and enforceable across the EU. IAB Europe can appeal.
Hielke Hijmans, chairman of the Litigation Chamber of the Belgian DPA, said: “The processing of personal data (e.g. capturing user preferences) under the current version of the TCF is incompatible with the GDPR, due to an inherent breach of the principle of fairness and lawfulness.”
He continued: “People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day in order to expose them to personalised ads.”
Hijmans added that although the judgement concerns the TCF and not the whole OpenRTB real-time bidding system, it will have a “major impact” on the protection of personal data.
Companies that access data collected through TCF must delete it “without undue delay”, the ruling says. According to the Irish Council for Civil Liberties (ICCL), which was one of the organisations that brought the original complaint against IAB Europe to the Belgian DPA, these include Google, Amazon and Microsoft.
ICCL says 80 per cent of websites in Europe use the TCF to manage user consent.
Dr Johnny Ryan of ICCL welcomed the DPA’s move: “Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies.”
The Belgian DPA’s ruling will send a shockwave through the online advertising industry, in much the same way, albeit on a smaller scale, as the collapse of the EU-US data transfer mechanism Privacy Shield. As well as forcing IAB Europe and its members to rethink their business models, it is another sign that Europe’s DPAs are increasingly willing to act on breaches of the rules.
In January, the Austrian DPA ruled that Google Analytics also breaks the GDPR, prompting the adtech giant to urge negotiators to redouble their efforts to come up with a replacement for Privacy Shield.