IAB Europe’s flagship framework for gathering internet users’ consent for targeted ads has been found to breach the EU’s GDPR standards.

The finding, in an interim report from Belgian privacy regulators, has implications across Europe, reports The Wall Street Journal.

According to IAB Europe itself, if the interim findings are upheld, they threaten to have “a chilling effect on the development of open-source compliance standards that serve to support industry players and protect consumers”.

IAB Europe’s framework was investigated by the Belgian data protection authority (APD) over concerns about the use of personal data during electronic auctions that take place in milliseconds when a person’s browser loads a webpage. 

The automated process, known as Real-Time Bidding (RTB), draws on large amounts of personal data, including a person’s date of birth, location, and details of web browsing history that are all used to decide which ads are shown on that web page.

The IAB Europe’s Transparency and Consent Framework (TCF) is widely used in the region, and is seen in pop-ups on web users’ pages as they load, asking people to accept or reject ad trackers in order to help publishers conform with the EU’s GDPR data protection rules.

The TCF was specifically designed by the ad industry body when GDPR came into force in 2018. The IAB said at the time that its framework would “help the digital advertising ecosystem comply with obligations under the GDPR and ePrivacy Directive”. 

As IAB Europe is based in Belgium, that country’s data protection agency carried out the investigation. If its findings are upheld by EU privacy regulators, and possibly later in a legal challenge, Belgium’s regulator would have authority over how ad auctions are carried out across the EU, the Journal says.

The Belgian regulator concludes, among other things, that the TCF fails GDPR rules on “transparency, fairness and accountability, and also the lawfulness of processing”. In addition, the framework inadequately complies with GDPR in the proper processing of special category, or especially sensitive data, such as a person’s sexual orientation, political views, and health information, TechCrunch reports.

In response to the findings, IAB Europe issued a statement, which included the following:

“While IAB Europe is currently assessing the APD’s report, we note that the findings point to a number of alleged compliance issues that stem solely from IAB Europe’s role as Managing Organisation of the Framework. We respectfully disagree with the APD’s apparent interpretation of the law, pursuant to which IAB Europe is a data controller in the context of publishers’ implementation of the TCF. 

“If upheld, the APD’s interpretation would have a chilling effect on the development of open-source compliance standards that serve to support industry players and protect consumers.

“The TCF is a voluntary standard whose purpose is precisely to assist companies from the digital advertising ecosystem in their compliance efforts with EU data protection law. It contains a minimal set of best practices seeking to ensure that when personal data is processed, users are provided with adequate transparency and choice. Its policies do not assist or seek to assist the processing of special categories of data. It does not intend to replace legal obligations nor enable practices prohibited under the law.”

Sourced from the Wall Street Journal, TechCrunch, IAB Europe