TCF and GDPR : Impact of the DPA’s decision against IAB Europe
Be aware of the consequences of the Belgian DPA‘s decision if you use the TCF protocol on your website.
As the publisher of your website, you collect and use personal data about your visitors through a selection of tools.
You do this in order to accomplish the objectives you have chosen.
But what if one of these tools don’t meet the General Data Protection Regulation (the GDPR) compliance criteria?
Or worse, what if you were found to be a “joint controller”, alongside other organizations, for using that tool?
In this article we’ll provide you with more information.
The Real-Time Bidding system (RTB) and the use of personal data
In simple terms, using an RTB means that every time a visitor browses your website and comes across an advertisement, a real-time automated bidding system is set up.
These auctions are designed to determine which organization will be able to show the visitor their ad, depending on whether their profile matches the organization’s target customer’s.
To do this, a profile of your visitor is created based on their personal data . Said data includes, among other things:
– Data collected via cookies placed by your website (in connection with their browsing history, behavior on your site, location, etc.).
– Data that the organization wishing to display advertising already possesses (data that it has collected via other means or that it has generated directly).
In short, the personal data involved goes far beyond what personal data was collected by your website.
This data will also be made accessible to many actors other than you and the organization that won the auction.
The promise of the Transparency and Consent Framework (TCF) created by IAB Europe
When the GDPR arrived, the Interactive Advertising Bureau Europe (IAB Europe) sought a solution to allow the marketing industry to continue using the openRTB protocol (one of the existing RTB systems).
It therefore developed TCF, a set of technical and organizational rules and guidelines standardizing the collection of consent and the use of legitimate interest to justify the use (the “processing”) of personal data.
One of TCF’s specificities is that it integrates a Consent Management Platform (CMP) provider into the process.
To collect the visitor’s preferences regarding the use of their personal data within the same file:
– Choice of legal basis (consent or legitimate interest).
– Selection of organizations that may receive the visitor’s personal data.
– Purposes validated by the visitor (including receiving targeted advertising via openRTB).
This preference file (called Transparency and Consent String or TC String) is then communicated to other actors.
Privacy and Consumer Rights organizations against IAB Europe
Data protection authorities (DPAs) in various EU member states (bodies in charge of monitoring the GDPR) began receiving complaints about TCF and openRTB.
The NGO Ligue des Droits Humains (Belgium), the NGO Panoptykon (Poland), and the NGO Bits of Freedom (The Netherlands) were among the complainants.
All of the DPAs involved mandated the Belgian DPA to investigate and decide on the validity of the TCF. The Belgian DPA issued its decision in February 2022.
Main breaches noted by the Belgian DPA
– Lack of a valid legal basis justifying the processing of personal data ( quality of consent and appropriateness of using legitimate interest issues).
– Visitors to websites whose personal data is collected are not given enough information about how their data is used.
-No audit of organizations wishing to join the TCF (either for their compliance with the GDPR or to control the implementation of the measures imposed by the TCF protocol).
– Lack of Data Protection Impact Analysis despite the high risks for data subjects (DPIA).
Sanctions imposed by the Belgian DPA
IAB Europe was therefore condemned to an administrative fine of €250,000 as well as to comply with the Belgian DPA’s remediation plan for the various breaches found.
IAB Europe will also have to delete all personal data that has been collected without a valid legal basis since May 25, 2018 (entry into force of the GDPR).
The aftermath of the Belgian DPA decision
Appeal of IAB Europe before the Market Court…
Following the decision of the Belgian DPA, IAB Europe decided to appeal. The result of this appeal was initially expected in September 2022.
If the decision of the DPA is confirmed by the Market Court (a section of the Brussels Court of Appeal), IAB Europe will have 6 months to implement its action plan (with €5,000 to be paid for each day of implementation delay).
…which asked the Court of Justice of the European Union (CJEU) for a preliminary ruling.
In order to be able to rule on the DPA’s decision, the Market Court decided on 19/09/2022 to ask the CJEU some preliminary questions.
These questions aim to clarify the following points :
– What is the status of IAB Europe (controller, joint controller)?
– Can the “TC String” be considered personal data?
To date, the CJEU has not yet answered these preliminary questions.
Impact of this decision for you as a website publisher if you participate in TCF
The decision of the Belgian DPA concerns IAB Europe but, if confirmed, it will have repercussions on the various players involved with TCF.
From controller to joint controller
As the publisher of your website, you are responsible for the processing of personal data that takes place on your website.
If the DPA finds that the legal bases implemented by the TCF are not valid, you will have to check the implementation of these legal bases for your own site. Some cleanup (deletion) of personal data may also be necessary on your end.
But more specifically, as part of its analysis, the DPA considers (to be determined on a case-by-case basis, see point B.3.1 of its decision) that you could be considered a joint data controller for TCF and OpenRTB-related data processing alongside IAB Europe and the CMP provider.
This could be the case:
– If you do not adapt the list of organizations that may receive your visitors’ personal data as proposed by IAB Europe or
– if you agree to all the purposes of use requested by IAB Europe under the TCF (paragraph 396).
Consequences of joint controllership
What does it mean for you to be a joint controller ?
When you are a joint controller for data processing, you must agree (in a contract) on who does what regarding your obligations under the GDPR (Article 26 of the GDPR).
This means deciding:
– How data subjects (visitors to your website) can exercise their rights.
– Which organization (between the joint controllers) will be responsible for providing the mandatory information in connection with the processing of personal data under joint controllership.
– Who is the contact point for data subjects (visitors to your website).
A visitor to your website could also ask to receive the outline of this contract.
Be aware that even if another joint controller is designated as the point of contact organization, a visitor to your site can still request to exercise theirrights with you.
Moreover, if a visitor to your website believes that the processing of their personal data in the context of the TCF has caused them material or moral damage, they can claim the entire compensation from the joint controller of their choice (article 82 of the RGPD): possibly you, as the case may be.
The joint controller who paid the compensation can then obtain reimbursement of part of the sum from the other joint controllers.
And as a bonus
Besides these specific obligations, your image could suffer if your website’s visitor data collection uses a tool condemned by the DPA.
Want to save yourself the hassle without waiting for the final verdict?
Contact ADMEET to discuss its 100% TCF-free consent management system!