FAQ: Belgian DPA’s decision regarding the IAB’s TCF
April 1, 2022
The IAB Europe’s Transparency & Consent framework (TCF) is the most widely-used advertising industry framework for GDPR compliance. Launched in 2018, it is used by Consent Management Platforms (CMPs) who have been validated by the IAB Europe, across the biggest media companies in Europe and the US.
A year ago, a series of GDPR complaints were filed against the IAB Europe by a pan-European consortium of privacy activists, including Johnny Ryan of the Irish Council for Civil Liberties and previously Chief Privacy Officer at privacy-first browser Brave. These complaints were focused on the IAB Europe’s Transparency & Consent Framework; in parallel, there were complaints about Real Time Bidding (RTB).
In November 2021, the investigation by the inspection service of the Belgian Data Protection Authority (DPA), known as the APD, issued a preliminary report with findings that the TCF fails to comply with the GDPR principles of transparency, fairness and accountability, and the lawfulness of processing. Subsequently, this moved to the litigation chamber of the APD. The draft decision was released and sent to the other European DPAs for feedback.
On 2nd February 2022, the APD issued their final decision.
IS MY TCF CMP NON-COMPLIANT WITH GDPR?
Despite some misleading headlines, the TCF itself has not been found illegal.
The IAB Europe has submitted their action plan to the Belgian DPA. Following the DPA’s acceptance of the plan, the IAB has a period of six months to work with the DPAs to fix the identified issues and revise the TCF accordingly. This collaborative work would enable the TCF to become a transnational GDPR code of conduct approved by the full EDPB, which many DPAs have been saying is necessary for some time. We believe this will only strengthen the TCF as a framework for compliance.
In the short-term, publishers who are concerned about whether TCF can still be used to collect valid consent can supplement the information disclosures they make about data processing purposes with simpler, clearer language.
WHAT IS THE BELGIAN DPA’S (APD) FINAL RULING?
On 2nd February 2022, the APD announced that they have decided to give the IAB Europe six months to implement corrective measures, including (among others):
- the establishment of a valid legal basis for the processing and dissemination of users’ preferences within the context of the TCF, as well as the prohibition of the use of legitimate interest as a basis for the processing of personal data by organisations participating in the TCF;
- the strict vetting of participating organisations in order to ensure that they meet the requirements of the GDPR.
The main takeaways are, according to the decision:
- IAB Europe is a data controller
- The TCF string is personal data
- There are some incorrect designations of legitimate interest
- The IAB has two months to present an action plan, after which the issues will be remedied within 6 months
This ruling from the APD follows their announcement on 25th November 2021, that it had finalized and sent to its European counterparts a draft decision regarding compliance by IAB Europe’s TCF with GDPR. 27 supervisory authorities indicated their willingness to be involved in that procedure.
The DPAs had a period of four weeks to provide feedback, after which the decision was finalized.
You can read the APD’s full decision here.
The IAB has submitted an appeal about the decision. The IAB has published an FAQ here.
WHAT DOES THIS MEAN FOR THE FUTURE OF THE TCF?
We believe this is an opportunity to improve the standard. Sourcepoint is monitoring the situation very closely, but we don’t recommend our clients make any big changes immediately.
We’ll continue to be your partner, and help you adapt to the ever-changing regulatory landscape.
Standards are a very good thing for compliance, and this is something we know that many DPAs agree on.
WHEN WILL I HAVE TO MAKE CHANGES TO MY CMP IMPLEMENTATION?
One of the definitive findings from the APD was that legitimate interest is not an acceptable legal basis. Customers should consult their own legal teams, as always, but we do recommend that you take the opportunity to change the legal basis to consent for any vendor or purpose with flexible legal bases.
Furthermore, we recommend taking this opportunity to audit your vendor list and CMP implementation with your legal team to ensure you’re fully compliant with the current TCF policies.
There will undoubtedly be changes to the TCF, but in the meantime, to ensure you can still benefit from the TCF, you should make sure your house is in order. If you are looking for help surfacing triggered vendors on your website, reach out for a demo of our Diagnose compliance monitoring platform.
Finally, it’s important to remember that this is all going to take time. There is a six-month period for the IAB Europe to fix the issues found by the DPA and revise the TCF accordingly. Such collaborative work would enable the TCF to become a transnational GDPR code of conduct, which many DPAs have been saying is necessary for some time. This would only strengthen the TCF as a framework for compliance.
The IAB Europe submitted the action plan to the Belgian DPA on 1st April. You can read the IAB’s press release here.
What is the IAB’s appeal?
The IAB Europe filed an appeal to the Market Court (Court of Appeal of Brussels) on 4th March against the administrative ruling by the Belgian Data Protection Authority (APD). They dispute that they are a controller for the recording of the TC Strings, and a joint controller for the dissemination of TC Strings and other data processing done by other TCF participants under OpenRTB.
They also requested a suspension of enforcement until the decision on the appeal is handed down. If the court accepts the request for suspension, it would have the effect of delaying the timeline for execution of the action plan.
IAB Europe FAQ
Read the IAB’s FAQ (updated 1st April 2022).
Watch our webinar about the APD’s decision
Sign-up to view our on-demand webinar about the decision. We give an overview of the APD’s decision, talk through different actions publishers and advertisers should consider right now, and do a Q&A. Register here.
An essential part of our business model is anticipating changes in the data privacy landscape and adapting our product and services to help you navigate those changes. We’re prepared to support you in making any changes needed. This is why Europe’s largest publishers choose to partner with Sourcepoint for GDPR compliance.
“It’s not about the TCF, it’s about the future of advertising”
Read Sourcepoint’s co-founder and CEO’s statement on the Belgian DPA’s ruling here.
The Sourcepoint blog is provided for general, informational purposes only, does not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
The U.S. Department of Justice announced a $115,054 settlement...
The consultation, which ran for 10 weeks ending in...
Privacy for America, a coalition that includes several ad...
Latest White Papers
How to review your vendor list to mitigate compliance...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.