When the European Union initiated the GDPR in May 2018, it was a step taken in order to protect the privacy of everyone in the EU when they accessed the internet for any type of transaction.
These new requirements were put into place because of frequent security risks that left client information unprotected. The implementation of the GDPR put new guardrails on how private data could be accessed and handled.
IAB Transparency & Consent Framework
IAB TCF is the framework used by IAB Europe to convey consent data under the rules of the GDPR. Although in the past the TCF has engendered complaints as to its validity under GDPR, IAB is making progress on improving its GDPR compliance.
On Thursday, January 12, 2023, Belgium's DPA (data protection authority) stated that it has approved the action plan that IAB Europe is taking to comply with GDPR rules. They will be allowed a six-month period to refurbish the TCF as a first step toward compliance.
However, IAB Europe has disputed several factors in the DPA's complaint:
- Whether IAB Europe is a joint data controller for the TCF framework
- Whether the TCF string of data counts as personal information (that requires consent)
Is IAB Europe a Joint Data Controller?
The biggest issue is whether IAB Europe can get Belgian DPA approval to be considered a joint data controller.
If they're not a controller, then the enforcement action is a moot point. Controllers are required to follow the GDPR requirements and those of the individual DPAs. If the EU court determines that IAB Europe isn't a controller, then the program is clearly sustainable.
If it is a controller, the result would be challenging for the TCF. If it's a controller, IAB Europe users would have to provide consent according to the GDPR and be subjected to any liability for complaints against the TCF. IAB Europe would be responsible for policing all of the vendors and publishers for compliance and could get sued if data is misused.
IAB Europe has since presented an action plan to the DPA which has been approved.
Is TCF data personal data?
It still isn't clear whether TCF data strings are considered personal data. IAB Europe says that since TCF strings aren't unique, they also aren't personal data.
Since the GDPR is still relatively new, courts haven't ascertained definitive terms for what is personal data. Third-party cookies are considered personal currently, but there isn't any ruling on TCF data.
Another issue is regarding whether "legitimate interest" is a viable mechanism for collecting data for marketing purposes. Are publishers required to have explicit consent?
"Legitimate interest" is considered a legal basis to collect personal user data if the data is necessary to run a business. Publishers are crossing their fingers that their ad business or analytics qualify too.
How important is the Belgian DPA's approval of the TCF action plan?
Like many legal processes, this is a slow process. However, the decision starts the clock running on a potential acceptance of the implementation of the results of the action plan. IAB Europe has six months to fulfill the plan.
Additionally, all of this overhaul will be completely unnecessary if the EU high court rules that IAB Europe isn't a joint controller. It's important to note that without the IAB TCF, Google is the only compliant first-party consent network for advertising.
Are there other legal challenges to the IAB TCF?
Besides this particular court case in Belgium, there is another active court case in Munich, Germany against Focus' collection of data using the TCF. This case is being decided outside the DPA system, and needs to be verified by a DPA.
Until the decision is made either by the EU high court or the TCF is considered compliant to the GDPR due to its six-month overhaul, using the TCF isn't against the law in Europe.
IAB Europe's Action Plan Approved by DPA
The Data Protection Authority has approved IAB Europe's submitted action plan to make adjustments to their TCF framework. Though details are scarce, the IAB Europe will have to implement the changes and publishers may have to make adjustments to their websites to accommodate the updated framework changes.
More recently, the DPA has agree to suspend the six month timeframe for the framework adjustments, until two court challenges brought by IAB Europe in two separate courts, are decided. IAB Europe has appealed to the Market Court and the Court of European Justice.
They have challenged that they should be considered a controller for TC strings, that they are a joint controller for the distribution of TC Strings, and that TC Strings should be considered personal data.
Need a reliable Consent Management Platform?
Admiral has you covered:
- Single tag installation with built-in adblocker monitoring
- Configurable messaging and consent types to maximize transparency and conversion
- Targeting and segmentation including location-based and site-specific traffic
- Reporting to help monitor conversion tracking and GDPR revenue impacts
- Cross-platform support including mobile web
- Admiral's Customer Love team ensures roll-out is a success
Schedule time to learn more about Admiral's privacy consent options today: