The Belgian Data Protection Authority (APD) has issued its final decision in the long-running case against Interactive Advertising Bureau Europe (IAB Europe), a trade organization for the digital marketing and advertising ecosystem, over its GDPR consent system – the Transparency and Consent Framework (TCF). The IAB Europe GDPR penalty has far-reaching implications for digital advertising in Europe
The TCF was developed by IAB Europe in response to the General Data Protection Regulation (GDPR). The TCF is a system used by online advertisers to obtain consent from Internet users to collect and process their personal data and manage user preferences. The system uses popups to ask for and obtain consent to use cookies that allow individuals to be tracked over the Internet in order to serve online adverts and participate in real-time bidding in programmatic advertising. The TCF is used on around 80% of websites in the European Union.
The real-time bidding system is an automated online auction of users’ profiles related to the purchasing of advertising space on the Internet. Technology companies representing many thousands of advertisers can bid in real-time through the system and pay to display highly targeted adverts based on users’ profiles. The system means adverts can be displayed that are relevant to specific individuals. The TCF is instrumental to the OpenRTB protocol as it collects the consent and manages preferences related to the collection, processing, and sale of user profiles. The TCF passes the consent and preferences of users in a TC string, which is shared with all organizations that participate in the OpenRTB system through a euconsent-v2 cookie. The cookie contains the IP address of an individual which allows that individual to be identified and tracked.
Shortly after the GDPR took effect, a complaint was filed with the APD regarding the use of that system. The APD launched an investigation into the complaint in 2019. The complainants allege the popups are ‘consent spam’ and the system violates the rights and freedoms of European Union citizens.
The APD was the lead supervisory authority in the complaint and has ruled that IAB Europe is a data controller with respect to the TCF and is processing personal data at a large scale. As a data controller, IAB Europe can be held responsible for GDPR violations.
With respect to being a data controller, IAB Europe has obligations under the GDPR which the APD said it has not complied with. Despite being called the Transparency and Consent framework, the APD determined that the system lacked transparency and the consent obtained was not sufficient and IAB Europe was fined €250,000. In addition to the IAB Europe GDPR penalty, IAB Europe must delete all data “from all its IT systems, files and data carriers, and from the IT systems, files and data carriers of processors contracted by IAB Europe.” IAB Europe has been given 6 months to comply with the decision and make its TCF system compliant with the GDPR, after which a fine of €5,000 will be applied for each day that the system is not compliant.
“We reject the finding that we are a data controller in the context of the TCF. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge,” said IAB in a statement about the decision.
Specifically, the APD determined there had been several GDPR infringements by IAB Europe:
- A failure to establish a legal basis for the processing of the TC string, which in turn means the legal grounds provided for the subsequent processing of the TC string by adtech vendors is insufficient.
- A lack of transparency regarding the information of users. The CMP interface is too generic and does not allow users to fully understand the nature and scope of the data processing, and users are unable to maintain control of their personal data
- A failure to ensure accountability, security, and data protection by design/by default. It is not possible to ensure the effective exercise of data subject rights and monitor the validity and integrity of the users’ choices.
- Finally, as a data controller that is processing personal data on a large scale, IAB Europe is required to appoint a Data Protection Officer (DPO), conduct a data protection impact assessment (DPIA), and keep a log of processing activities. IAB Europe did not comply with those requirements.
“Brave little Belgium has once again shown that it is not afraid to tackle major cases such as this one, which really concerns all European citizens that shop, work or play online. Online privacy and the fight against too intrusive forms of advertising is an important priority for us,” said David Stevens, Chairman of the APD.
“Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies,” said Irish Council for Civil Liberties Senior Fellow Johnny Ryan, who filed the complaint against IAB Europe.