Belgium DPA rules adtech consent framework in breach of GDPR

The Belgium Data Protection Authority finds IAB Europe’s Transparency and Consent Framework in breach of the GDPR rules. What’s next for the ad tech industry?

14 February 2022

On 2 February 2022, the Belgium Data Protection Authority (Belgium DPA) imposed a €250,000 fine on Interactive Advertising Bureau Europe (IAB Europe) in respect of its Transparency and Consent Framework (TCF) for several violations of the EU GDPR. This decision is likely to have significant consequences for the ad tech industry, as participants will need to reassess their legal basis for targeted advertising.

Background

IAB Europe, a European industry association for digital marketing and advertising, built the TCF as a GDPR consent solution for the ad tech industry, facilitating and managing users’ preferences for online personalised advertising. It was designed to accommodate the use of cookies, operating with the OpenRTB protocol that enables real-time bidding – the mechanism that serves online ads to users by allowing advertisers to bid behind the scenes through an algorithmic automated auction system.

Upon a user’s first visit to a website or app, a Consent Management Platform (CMP) appears, allowing the user to consent or object to certain processing activities based on the legitimate interests of ad tech vendors. Users elect whether their data can be collected or shared for targeted advertising purposes. The TCF captures these preferences, turns them into code and stores them in a “TC String”, which is then shared with organisations participating in the OpenRTB system, creating targeted ads tailored to the individual user’s profile based on the consent provided.

Key findings by the Belgium DPA

The Belgium DPA has taken the lead role in investigating IAB Europe’s TCF following the receipt of multiple complaints by a number of European supervisory authorities since 2019. It is thought that the fine overall could have been a lot higher, but was based on the organisation only generating €2.5 million in revenue in 2020.

It made several key findings:

  • IAB Europe is a joint controller with respect to the registration of individual users’ consent/objection preferences and the way it shapes how other organisations process their data;
  • Lawfulness: IAB Europe failed to establish a legal basis for the processing, as legitimate interest is not a sufficient basis for such processing in these circumstances;
  • Transparency: information provided to users through the CMP interface is too generic and vague;
  • Accountability, security and data protection by design/by default: IAB Europe failed to demonstrate appropriate technical and organisational measures; and
  • Other GDPR breaches: IAB Europe failed to i) keep a register of processing activities; ii) appoint a data protection officer; and iii) conduct a data protection impact assessment in respect of the TCF.

Along with the fine, the Belgium DPA ordered that the personal data collected through consent pop-ups must be deleted. IAB Europe has been given two months to submit an action plan stating how it intends to bring its framework into compliance, although it objects to the findings and has announced its intention to appeal.

Practical implications

Since this ruling, it has been reported that the Dutch Data Protection Authority warned that websites currently using the TCF are in violation of the EU GDPR and businesses could potentially face enforcement. With more than 80% of websites and apps in the EU using the framework as a means of collecting and managing consent for targeted advertising cookies, this is likely to have significant implications for businesses and the ad tech industry overall.

Regulators, such as the Information Commissioner’s Office (ICO) in the UK, have been working to regulate online ad tech for over two years now. Just a few months before this decision by the Belgium DPA, the UK’s former Information Commissioner published an opinion setting out new privacy standards for online ad tech, which stated that “new initiatives must address the risks that adtech poses and take account of data protection requirements from the outset”.

It will be interesting to see how IAB Europe, the data protection regulators and the industry as a whole react to this and move forward.