The European online advertising market is a multimillion-euro industry that is constantly growing. Year after year, new technologies and practices emerge allowing to even better target web users. Last year, many of its actors found themselves under the obligation to change some of their practices concerning the processing of EU personal data for marketing and advertising purposes. Indeed, the Belgian data protection authority (Belgian DPA) declared invalid the Interactive Advertising Bureau Europe’s (IAB Europe) Transparency and Consent Framework (TCF) in February of 2022. The TCF was used by many advertisers.
However, those who used to rely on the TCF may soon be able to do so again: on January 11, 2023, the Belgian DPA approved IAB Europe’s action plan to bring its TCF in compliance with the law.
What is IAB Europe?
As explained in our previous article on the subject, IAB Europe is the European-level association for the digital marketing and advertising ecosystem. This ad industry body develops technical standards and practices, and conducts research on interactive advertisements. The association also claims to have a role in education through its stabilization on the importance of brands, agencies and other actors of the business community on the importance of digital marketing.
What is the TCF and what happened with it?
The TCF “consists of a set of technical specifications and policies to which publishers, advertisers, technology providers, and others for whom the Framework is of interest may voluntarily choose to adhere .” IAE Europe described it as “the only GDPR consent solution built by the industry for the industry, creating a true industry-standard approach”.
The Belgian DPA completed in 2020 an investigation into IAB Europe’s privacy and data protection practices in connection with its role as the managing organisation of the TCF. It found that the TCF fails to comply with the GDPR principles of transparency, fairness, accountability and lawfulness of processing, and that the TCF does not provide adequate rules for the processing of special category data. The DPA underlined that the TCF was not compliant with the GDPR because it allowed the collection and use of personal data without the concerned user’s prior authorization.
The Belgian DPA imposed in February 2022 an administrative fine of 250.000 EUR on IAB Europe and ordered the company to undertake a series of corrective measures aimed at bringing the current version of the TCF into compliance with the GDPR.
Following work undertaken by IAB Europe to remedy the situation, the Belgian DPA has now formally validated the action plan presented by IAB Europe to do so, which has a maximum of six months to implement the proposed measures, starting January 11, 2023.
Why is this important?
The TCF seeks to provide a common framework to facilitate compliance with data protection laws for every part of the advertising value chain, from publishers and technology companies through to agencies and advertisers. If declared lawful following the implementation of IAE Europe’s action plan, it could prove very useful for actors in the online advertising ecosystem, allowing them to meet certain
requirements of the ePrivacy Directive (and by extension its successor, the upcoming ePrivacy Regulation), and of the GDPR. As a reminder, when the TCF was declared unlawful by the Belgian DPA, all those relying on these standards had to immediately amend their practice in order to comply with the GDPR.
Furthermore, the IAB Europe case reflects the importance given to the respect of data privacy rights in Europe and, increasingly, around the world. Indeed, European DPAs are increasingly imposing hefty fines to non-compliant businesses, which underlines the importance for every organization to comply with all applicable legal obligations in that space. As a reminder, the GDPR has an extraterritorial reach, applying to businesses processing the personal data of EU residents, regardless of whether such businesses are based in the European Economic Area or not.
At The Law Office of S. Grynwajc, PLLC, we practice both US and European law and have particular expertise in the field of privacy and data protection law. If you wish to ensure that your organization complies with its obligations when transferring EU personal data to the United States, please do not hesitate to contact us, we would be delighted to assist you!
