IAB Europe's GDPR situation explained | WARC | The Feed

Clear filters

You didn’t return any results. Please clear your filters.

03 February 2022

IAB Europe's GDPR situation explained

GDPR & privacy law Belgium

Belgium’s Data Protection Authority (DPA) has found the IAB Europe’s Transparency and Consent Framework (TCF), an off the peg solution for gaining consent, breaches GDPR rules.

Why it matters

Time is of the essence, even though the Bureau told members that it expected the decision to go against it. The IAB has two months to come up with a plan to rectify its problem. In the meantime, advertisers cannot use the TCF through the legitimate interest argument for the use of tracking data.

What it means is that any advertiser using the TCF to make sure their activity on the OpenRTB protocol is GDPR compliant, is now in a tricky spot. This is a protocol that allows Real Time Bidding, an instant online auction of user profiles, to then advertise to them. The TCF facilitates the capture of users’ preferences, the DPA explains.

It has become an incredibly important way of doing online advertising legally, and the decision could hit the online ad system as we know it hard.

What’s happening

On Wednesday, the Belgian DPA announced that it would impose a €250,000 fine on the IAB Europe as well as its demands for swift action. It will also have to appoint a data protection officer, which as AdExchanger points out, could cost it more than the fine. It will also need to delete all improperly gathered data.

“Contrary to IAB Europe’s claims, the Litigation Chamber of the BE DPA found that IAB Europe is acting as a data controller”, the decision continues, noting that the IAB Europe determines the purposes and means of data processing. Under GDPR, acting as a controller brings specific responsibilities such as keeping a register of processing activities and having a data protection officer.

The IAB, accepting the decision on the whole, disputes the controlling element. “We reject the finding that we are a data controller in the context of the TCF. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry.”

Effectively, having found two critical parts of the OpenRTB architecture – the TCF’s “TC String” and the euconsent-V2 cookie – could unpick much of the basis of the whole system.

In context

It’s particularly interesting in light of the adtech industry’s general position that new laws like the Digital Services Act (DSA) is an overreach and that the GDPR works fine.

What it also shows is that the GDPR’s delegated enforcement to national bodies means it is inconsistently applied across the bloc. Part of the DSA involves appointing a central body able to enforce the law.

Sourced from BE DPA, AdExchanger, TechCrunch

Email this content

Send colleagues a link to this content.
To send to more than one recipient, put a comma between email addresses.

Sender name:

Sender email:

Recipient name:

Recipient email:

Message (optional):

Send me a copy of this email as well.