The Curious Incident of the Transparency and Consent Framework: Does IAB Europe's ad-consent popup system have a future?

On 2 February 2022 the Belgian Data Protection Authority ("Belgian DPA") ruled that IAB Europe's Transparency and Consent Framework ("TCF") does not comply with the GDPR and fined IAB Europe €250,000. While the sanctions imposed by the Belgian DPA were limited to the processing of personal data in the TCF itself, the decision potentially has broader implications both for the real-time-bidding ("RTB") ecosystem as well as for intermediaries and providers of technical standards and frameworks involving the processing of personal data.

What is TCF?

The TCF was developed by IAB Europe as a way of obtaining and managing consent for RTB conducted through the OpenRTB protocol. The OpenRTB system and the associated Advertising Common Object Model were created by IAB Technology Laboratories, Inc ("IAB Tech Lab") and Interactive Advertising Bureau, Inc ("IAB"). OpenRTB is one of the main protocols governing how data is collected and shared, and how adverts are served, alongside Google's "Authorized Buyers" framework.

The TCF is a separate set of policies, technical specifications, terms and conditions, created with the intention of providing transparent information to, and obtaining valid consent from, users with regard to the processing of their personal data in RTB.

How does it work?

Key players within the TCF are companies referred to as "Consent Management Platforms" ("CMPs"). A CMP takes the form of a pop-up that appears when a user first visits a site to collect the user's consent to the placement of cookies and other online trackers. The IAB’s CMP generates a character string referred to as the "TC String" (i.e. "Transparency and Consent String"). This is meant to capture the preferences of a site visitor or a party that makes advertising space available on their website (a "publisher") that has integrated the CMP, including consent to processing of personal data for marketing and other purposes, whether to share personal data with adtech vendors, and the exercise of the right to object. Vendors can then decipher the TC String to determine whether they have the necessary legal basis to process a user's personal data for the specified purposes.

When a user accesses a publisher's site, the CMP checks whether a TC String already exists for this user. If not (or the existing TC String is not up to date) the CMP will give the user an option to consent to the collection sharing of their personal data, generate a new TC String reflecting the user's choices and place a "euconsent-v2" cookie on the user's device (or updates the existing cookie).

Why was the Belgian DPA investigating the TCF?

A total of nine complaints were filed with the Belgian DPA in the course of 2019 in respect of alleged breaches by IAB Europe of various provisions of the GDPR. The complaints related to principles of legality, appropriateness, transparency, purpose limitation, storage restriction and security, as well as to accountability. Five of these were filed with supervisory authorities in other EU countries.

What was the Belgian DPA's decision?

The Belgian DPA concluded that:

• Even if the TC String does not process data that directly identifies an individual, when combined with other data (e.g., the user’s IP address), this allows for the singling out of a natural person. At a conceptual level, the TC String must inevitably be associated with a particular user to identify their preferences. As the Austrian supervisory authority also flagged in its decision relating to transfers of personal data to Google Analytics (see our earlier comments on this decision [here]), the ability to single out an individual is enough for information to be considered "personal data" for GDPR purposes. Since the very purpose of processing the TC String is to single out and identify individuals, the TC String must constitute personal data. In practice, even if the information in the TC String was only linked with a user's IP address through a cookie at the CMP and adtech vendor level, each of these participating organisations was under a contractual obligation to make this information available to IAB Europe on request – i.e., the information was obtainable by means that could reasonably be used by IAB Europe.
• IAB Europe acts as a controller of the personal data contained in the TC String jointly with participating organisations (i.e., publishers and adtech vendors) and CMPs, with the court relying in particular on the ECJ's decision in the Jehova Witnesses case (CJEU judgment of 10 July 2018, Tietosuojavaltuutettu et Jehovan todistajat - uskonnollinen yhdyskunta C-25/17).
• IAB Europe failed to:
  • demonstrate that it had an adequate legal basis for processing personal data through the TCF;
  • provide information to data subjects with respect to its processing of personal data through the TCF;
  • comply with obligations as to accountability, security and data protection by design and default.

In addition to imposing a €250,000 fine, IAB Europe also was ordered to work with the Belgian DPA to:

• make the TCF compliant with obligations of lawfulness, fairness and transparency within six months;
• delete any personal data collected by means of a TC String in the context of the globally scoped consents;
• prohibit organisations participating in the TCF from relying on legitimate interest as a legal ground for processing.

How does this affect RTB in general?

The collection and dissemination of TC Strings was designed to facilitate processing of personal data through the OpenRTB protocol and compliance with the requirements of the ePrivacy Directive and the GDPR. The decision that the processing of TC Strings is unlawful and the obligation to delete any data collected by means of a TC String inevitably undermines the lawfulness of processing of personal data in the broader context of the OpenRTB system.

In addition, the criticism of the TCF framework by the Belgian DPA are likely to be relevant for the RTB ecosystem as a whole.

The Belgian DPA reiterated that legitimate interests of participating organisations cannot be deemed an adequate legal ground for the processing activities occurring under the OpenRTB. In line with the EPDB's assessment^[1], the same would apply to RTB in general.

With respect to consent, the Belgian DPA's view is that the TCF does not, in its current format, obtain valid consent under the GDPR for processing in the context of OpenRTB on the basis that:

• processing purposes are insufficiently described;
• the TCF makes it difficult for users to obtain more information about the identity of data controllers to whom they give consent to process their data before obtaining their consent;
• information provided to users is too general to reflect the specific processing operations of each vendor, therefore lacking the necessary granularity for valid consent under the GDPR;
• enrichment of data through information already held by adtech vendors and data management platforms means users cannot be properly informed, since the TCF in its current format does not provide an option to indicate what information is already held by participating organisations;
• withdrawal of consent by users is ineffective, as it is not proactively communicated to adtech vendors, and no steps are taken to ensure that adtech vendors cannot continue their processing based on a previously received consent signal.

While most of the above can, potentially, be remediated, one of the criticisms of the consent mechanism implemented through the TCF is that the list of recipients is so long that users would need a disproportionate amount of time to read this information, which means that their consent can rarely be sufficiently informed. Given the number of organisations involved in RTB in general, this point will apply to any consent mechanism for processing in the RTB ecosystem, not just TCF.

What next for organisations that rely on the TCF?

In its response to the Belgian DPA's decision, IAB stated that "it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct." This process has essentially been accelerated now that a specific deadline has been set by the Belgian DPA for updating the TCF to address the Belgian DPA's concerns. The IAB Europe has published an FAQ relating to the decision, here.

There is therefore scope for optimism that, at the end of this process, users of OpenRTB might have a privacy framework for RTB approved by an EU regulator that has, traditionally, taken a relatively conservative approach in interpreting the GDPR.

In the meantime, as complaints and individual claims become more frequent across Europe and the UK, ongoing use of TCF and RTB comes with a heightened risk of enforcement action and compensation claims.

Any other key takeaways?

The decision once again highlights the broad approach taken by data protection authorities to the concepts of "personal data" and "controller", thus reinforcing the risk that:

• situations where information is personal data when processed by a transferring party, but are no longer personal data "in the hands of" a receiving party, are relatively few and far between and need to be assessed in detail, taking into account processing purposes, technical ability and contractual rights to access additional information required to single out the individual;
• platforms that set standards for data processing frameworks could be deemed to act as controllers, even if they do not have access to the data processed.

There is a temptation to argue that the implementation of a data processing "rulebook" for users of a platform falls outside the scope of data controllership, either because the platform provider has no access to the data being processed or because its processing operations are limited to facilitating technical integrations to give effect to the processing "rulebook" binding participating users. IAB Europe is certainly not alone in grappling with this issue, it just happens to do so in an area that is receiving increasing attention from regulators and individuals given the growing awareness of data processing practices within RTB.

Organisations that perform a similar intermediary role, such as data collection and sharing platforms or technical integration service providers acting as "pass-throughs" for data, may need to assess the level of contractual and practical control they have over the purposes for which data are processed by their customers. A relaxation of control would also need to be balanced against the regulatory and contractual risk exposure faced by such intermediaries as a result of customers' use of data, particularly where such customers are located and process data outside of the EEA and UK.

Note also that contractual risk mitigation strategies may also not be sufficient to excuse data intermediaries' responsibilities. In fact, the Inspection Service's submissions to the Belgian DPA's litigation chamber flagged exclusions of liability and disclaimers of warranties as aggravating factors that showed IAB Europe's failure to carry out its responsibilities as a data controller, which should have included verification of the degree of data protection compliance by participating publishers and CMPs and did not meet the requirements of Articles 24 and 25 of the GDPR.

^[1] “Article 29 Working Party, Opinion 03/2013 on purpose limitation, p46: "consent should be required, for example, for tracking and profiling for purposes of direct marketing, behavioural advertisement, data-brokering, location-based advertising or tracking-based digital market research."