The European online advertising market is a multimillion euro industry that is constantly growing. Year after year, new technologies and practices emerge allowing to even better target web users. Nonetheless, its actors might soon be under the obligation to change some of their practices concerning the processing of personal data for marketing and advertising purposes: IAB Europe is under investigation by the Belgian Data Protection Authority and is expected to be found in breach of the GDPR.
What is IAB Europe ?
IAB Europe, which stands for Interactive Advertising Bureau Europe, is the European-level association for the digital marketing and advertising ecosystem. This ad industry body develops technical standard and practices and conducts research on interactive advertisement. The association also claims to have a role in education through its sensibilization of brands, agencies and other actors of the business community on the importance of digital marketing.
The IAB Europe notably developed the Transparency and Consent Framework (TCF), which it describes as “the only GDPR consent solution built by the industry for the industry, creating a true industry-standard approach”. The TCF, it claims, aims to help actors in the digital advertising chain ensure that they comply with the GDPR and ePrivacy Directive when it comes to the processing of personal data or the access or storage of information on a user’s device (e.g., cookies, advertising identifiers, device identifiers). It offers resources, such as TCF Policy, TCF Terms & Conditions and the Consent Management Platform API. However, the IAB’s TCF is considered as problematic by some, and led the Belgian Data Protection Authority (DPA) to conduct investigations following complaints against the use of personal data in the real-time bidding (RTB) component of programmatic advertising, where web users’ personal data are broadcast to an important number of companies, thus often falling into the hands of data brokers and advertisers.
What are the Belgian DPA’s findings concerning the TCF ?
The DPA completed in 2020 an investigation into IAB Europe’s privacy and data protection practices in connection with its role as the Managing Organisation of the TCF. The DPA found that the TCF fails to comply with the GDPR principles of transparency, fairness, accountability and lawfulness of processing, and that the TCF does not provide adequate rules for the processing of special category data. The DPA underlined that the TCF was not compliant with the GDPR because it allowed the collection and use of personal data without the concerned user’s prior authorization.
Furthermore, it is expected that IAB Europe will be declared by the DPA as a data controller for purposes of the TCF “TC Strings”. The latter, which are digital signals created on websites in order to capture data subjects’ choices about the processing of their personal data for digital advertising, content and measurement, will most likely be declared as personal data by the DPA. Thus, IAB Europe, if declared data controller in the context of the TCF, would be in violation of the GDPR, as it has no fulfilled certain obligations imposed on said data controllers.
On the 5th of November, 2021, IAB Europe was informed by the DPA that its Litigation Chamber was close to finalizing a draft ruling presenting its conclusion on the investigation on IAB Europe and its role in the TCF, draft ruling that is to be shared with other DPAs in Europe in order for them to review it. If the European DPAs do not come to a mutual decision, the Belgian DPA’s ruling may then be referred to the European Data Protection Board for a biding decision. The draft ruling will most likely identify infringements of the GDPR by IAB Europe. It might furthermore establish whether they could be remedied in the six-month period following the issuing of the final ruling.
Why is this important ?
The DPA’s decision, if it indeed declares that IAB Europe and its TCF have been violating the GDPR, will have huge repercussions for the online advertising market. Indeed, the TCF is a major tool used by hundreds of thousands of website and app publishers to ensure transparency and consent around online advertising in a manner compliant with the GDPR. The TCF standard is used by many actors in the advertising field to collect consent and determine which data they can share to other companies and individuals. Some major players, such as Google, rely on the TCF’s consent system.
Thus, if the TCF is declared unlawful, so will also be some of the practices carried out by actors of the tracking industry and based on the TCF, which in turn means that millions of Europeans will have been subject to violations of their data privacy rights. Amongst others, the current use of behavioral ads, which function by analyzing the browsing behaviour of consumers in order to present them with targeted ads, might be put into question, as many companies base their behavioural ads practice on the TCF.