The Belgian data protection authority (DPA) has found that IAB Europe’s Transparency & Consent Framework (TCF) does not comply with the GDPR, in a decision which will have significant ramifications for the adtech industry.
Whilst the fine issued to IAB Europe (€250,000) is relatively modest in GDPR terms, the DPA’s findings set a firm deadline for IAB Europe, and the wider adtech industry, to reform their practices.
The decision also has implications more generally when it comes to issues of controllership, joint controllership and data identifiability.
The decision relates to one of the most commonly used frameworks for organisations that participate in real-time bidding (RTB).
RTB is a form of digital advertising transaction in which online advertising space is sold and purchased via an instantaneous automated auction. When an individual accesses a webpage or an application, advertisers instantly bid for advertising space on that media to display targeted advertising tailored to the individual’s profile.
European regulators have long warned of the data protection risks associated with RTB, and enforcement action has been taken against participants in recent years. Such risks include a lack of transparency, a failure to obtain properly informed and specific consent, the analysis or prediction of a user’s behaviour, location or movements on a large scale, and the mass sharing of a user’s personal data with hundreds or potentially thousands of RTB participants.
The Interactive Advertising Bureau (IAB) Technology Laboratory is the developer of “OpenRTB”, which is one of the most widely used technical protocols for RTB.
The Transparency & Consent Framework (TCF), which is the subject of this decision, and which was created by IAB Europe, was designed to facilitate the use of the OpenRTB protocol, with a particular focus on meeting the requirements of the GDPR.
The Transparency & Consent Framework
The TCF, originally launched in 2018, allows for users’ consent preferences to be collected and transmitted to participants in advertising transactions through the generation of a transparency and consent string (the “TC string“). The TCF is also designed to allow participants in the framework to inform users of their processing operations (i.e. to meet participants’ transparency obligations under the GDPR).
The TCF comprises a set of policies, technical specifications and terms and conditions, which are applicable to publishers, advertisers, agencies, vendors and Consent Management Platforms (CMPs).
Under the TCF, when a user accesses a website or application, a CMP will pop up, asking the user to consent (or not) to the collection and sharing of personal data for a range of purposes which are set by the TCF. Alternatively, the TCF allows for processing to be undertaken on the basis of “legitimate interests”, with the user given an opportunity to object to (rather than consent to) the processing of their personal data.
Since its launch the TCF has been widely adopted, with many participants placing significant reliance on it as a means to demonstrate their own compliance with the GDPR. This is particularly the case for adtech vendors who do not have direct relationships with users, but who are reliant on publishers obtaining consent on their behalf through the use of the TC string.
On 2 February 2022, the Litigation Chamber of the Belgian DPA made the following findings:
User preferences contained in a TC String constitute personal data
The TC String itself only contains limited metadata and values, therefore does not itself allow for the direct identification of the user.
However, the CMP which serves the consent pop-up also collects the user’s IP address when the user’s preferences are set. The DPA found that the combination of the IP address and the TC string was sufficient to indirectly identify an individual user, and therefore constituted personal data.
This position appears to reaffirm the EDPB’s position that the ability to “single out” an individual for the purpose of making decisions affecting them was sufficient to make them indirectly identifiable, even in the absence of a direct “real-world” identifier.
The DPA therefore found that personal data is processed whenever the TC string is created and communicated, even where the user’s preferences is to refuse consent for all the related processing purposes.
IAB Europe is a data controller of the personal data collected and distributed through the TCF
The DPA found that IAB Europe is itself a controller of personal data collected and distributed through TCF, even though it does not itself collect and store personal data.
By enabling the generation of the TC string, and by setting and enforcing the framework’s rules and policies, the DPA found that IAB Europe was exerting control over the purposes and essential means of the processing.
This is likely to be a controversial view, as it relies on a very expansive view of controllership. Indeed, IAB Europe made the point in submissions that this view could result in any umbrella organisation producing a code of conduct being found to have had such a degree of influence on the implementation of that code so as to render them a controller.
IAB Europe is a joint controller with publishers, adtech vendors and CMPs
By providing, developing and enabling the ecosystem within which consent, objections and preferences of users are collected and exchanged, the DPA found that IAB Europe is a joint controller with the other TCF participants (e.g. publishers, vendors etc.).
This will likely necessitate additional further arrangements (e.g. contracts or revised TCF Policies) between these parties, and also undermines the view that any such participants are merely acting as processors in relation to the personal data shared through the TCF.
Breaches of the GDPR
Having found that IAB Europe was itself a controller, and that the processing of the TC string amounted to processing personal data, the DPA then considered whether there was a lawful basis under the TCF: (i) in relation to the creation and processing of the TC string; and (ii) in relation to the wider processing of personal data for the purpose of RTB.
No lawful basis for processing: consent signals, objections and user preferences via the TC String
As IAB Europe, as well as the TCF CMPs, did not previously consider that the creation and communication of the TC string constituted processing of personal data, there was no existing mechanism for obtaining separate user consent for this.
In the absence of a consent mechanism, the DPA therefore considered that the only possible lawful basis for processing personal data via the TC String could be the legitimate interest ground.
However, while the purpose and necessity limbs of the legitimate interest test were met, the balancing test was not, because the DPA found that:
- Users are not informed anywhere of the lawful basis for the processing of their preferences.
- Users are not given the option to completely oppose the processing of their preferences within the TCF. Regardless of the choices they make, the CMP generates a TC String and links it to the user’s unique user ID through a cookie placed on their device.
- Users are not informed of their right to object to the processing of the TC String data.
- A large number of participating organisations are given access to the user’s TC String without the user’s knowledge or control.
Taken together these factors meant that the DPA found that legitimate interests did not provide a valid lawful basis for processing the TC String.
However, it may be that with certain enhancements (e.g. greater control for users over whether the consent string is generated), regulators may in the future be willing to consider legitimate interests as an appropriate lawful basis for the creation and communication of the TC String.
No lawful basis for processing: collection and dissemination of personal data in the OpenRTB system
The DPA came to a very firm conclusion that legitimate interests cannot be an appropriate lawful basis for the processing of personal data occurring through OpenRTB. This was on the basis that:
- The TCF purposes were not sufficiently specific.
- The number of participants and the range of processing operations meant that users would not reasonably expect the processing.
- There were insufficient technical controls to prevent inappropriate personal data (e.g. special category data) from being disseminated.
This approach follows similar previous guidance from the EDPB, and from the UK ICO, which made clear that legitimate interests could never be a valid lawful basis for real-time-bidding.
The result of this is that consent is the only possible lawful basis for the processing of personal data through the TCF. However, the DPA found that in its current form the TCF does not allow for valid consent to be obtained. This is because:
- There is insufficient detail in the CMP user interface to enable users to understand what they are consenting to, and the information provided is too general.
- The TCF makes it difficult for users to fully understand all the organisations that will process their personal data. Due to the volume of participants, users are simply not in a position to read all the information needed to give informed consent.
- Bid stream data is often enriched (e.g. by a data management platform) as it is passed through the ecosystem. This means users cannot possibly give properly informed consent due to the lack of visibility over when and how this occurs.
- Consent, once given, cannot be easily withdrawn. This is because a consent withdrawal would only take effect the next time an adtech vendor receives a specific user’s data, and there may be ongoing processing of the user’s personal data in the meantime.
Therefore, the DPA found that user consent is not currently a valid lawful basis for processing personal data through the TCF. However, there is some scope in the decision for IAB Europe to make changes to its user interfaces in order to try and address these shortcomings.
Failure to meet transparency requirements
The DPA found that the TCF fails to inform data subjects of the processing of personal data in the TC String, and of IAB Europe’s role as controller. This is unsurprising given IAB Europe’s position that it was not a controller and that the TC String itself does not amount to personal data.
The DPA also found that the provision of information to users about RTB is not sufficiently transparent, comprehensible and accessible.
In addition to the above, the DPA found that IAB Europe failed in the following respects:
- It breached its security obligations, as there was a risk of falsification and modification of a TC String within the TCF.
- It failed to keep adequate records of processing activities of users’ consent signals, objections and preferences.
- It failed to carry out a data protection impact assessment, which is necessary considering the large number of data subjects who come into contact with websites and applications implementing the TCF and a growing number of organisations participating in it.
- It failed to appoint a data protection officer, despite there being large-scale processing of personal data.
Again, given IAB Europe’s prior position on controllership these findings are unsurprising, and it would seem relatively straightforward for IAB Europe to remedy them.
Aside from an administrative fine of €250,000, the DPA required IAB Europe to come up with an action plan to address the identified areas of non-compliance within two months of the decision, and once approved, to implement the changes within six months.
IAB Europe has rejected the DPA’s findings as wrong in law, and are openly considering an appeal.
However, they have expressed their support of the action plan requirement, given that they had always intended to submit the TCF for approval as a GDPR Code of Conduct. However, the path to obtaining such a Code of Conduct status seems long and uncertain, especially given the paucity of approvals given to such codes to date.
The position for publishers and adtech vendors who participate in the TCF is unclear, although it is likely that these players will wait to see if IAB Europe can produce a revised framework which meets the Belgian DPA’s concerns, as well as for the outcome of any appeal.Publishers may look to revise and strengthen their user interface consent wording in light of this decision, in order to provide users with more detail about how their personal data is collected and shared. However, publishers are not in a position to develop their own means of transmitting the consent signals to other participants with whom they share personal data. Publishers will also continue to be under contractual obligations to advertisers and their representatives, many of whom will continue to impose a requirement to meet TCF requirements (at least for now).
The position is even more difficult for adtech vendors, due to their lack of direct relationship with the users from whom consent is obtained. However, until either an enhanced TCF or an alternative framework is launched, they may have little option but to continue to use the TCF to support their processing.