The Belgian authority finds that IAB Europe does not comply with the GDPR

PHOTO: Sergii Figurnyi

Publishers and brands must immediately start thinking seriously about how they manage customer data in light of the arrested this week by the Belgian authorities against IAB Europe for breach of the GDPR. According to the Belgian Data Protection Authority, the IAB Europe Transparency and Consent Framework (TCF) does not comply with a number of GDPR provisions.

Johnny Ryan, Principal Investigator at The Irish Civil Liberties Council, shared this advice for publishers with CMSWire in the wake of the IAB Europe being fined $284,000 and being required to come into compliance within two months. Publishers and brands should have thought seriously about their visitor data long before this week’s decision, Ryan added.

What’s at stake?

Here is how this GDPR ruling breaks down:

  • Who is the regulator? Belgian Data Protection Authority (DPA).
  • Who receives a fine? Interactive Advertising Bureau (IAB) Europea trade group that conducts research on interactive advertising and whose members include approximately 700 media companies, brands, agencies and technology companies.
  • What was investigated? The IAB’s Transparency & Consent Framework (TCF), which some organizations use to manage user preferences for personalized online advertising. This includes the IAB OpenRTB Protocol, or real-time bidding (RTB). With RTB, an individual ad impression is auctioned in real-time via programmatic in-place bidding.
  • What does a consumer see when visiting a digital property? When a user visits a website or app for the first time, an interface (a Consent Management Platform or CMP) will appear where they can consent to the collection and sharing of their personal data, or object to various types of processing based on the legitimate interests of ad technology providers, according to Belgian DPA officials.
  • Where does consumer data go in OpenRTB? The IAB’s TCF via the CMP captures user preferences, encodes them, and stores them in a “TC chain”, which will be shared with organizations participating in the OpenRTB system. The CMP also places a cookie (euconsent-v2) on the user’s device. When combined, the TC string and the euconsent-v2 cookie can be linked to the user’s IP address, thereby making the originator of the preferences identifiable.

“TCF plays a central role in the architecture of the OpenRTB system, as it is the expression of user preferences regarding potential sellers and various processing purposes, including offering tailored advertising,” the authorities said. Belgians.

Related Article: GDPR Compliance: What Marketers Can Expect in 2022

How did the IAB violate GDPR?

The Belgian DPA concluded that IAB Europe had not established a legal basis for the processing of the TC chain. He also found:

  • Weak legal basis. The legal grounds offered by the TCF for further processing by adtech vendors are insufficient.
  • Lack of transparency. The information provided to users via the CMP interface is too generic and vague to enable users to understand the nature and extent of the processing, especially given the complexity of the TCF. It is therefore difficult for users to maintain control over their personal data, according to the Belgian DPA.
  • Non-compliance with data protection by design and by default. The TCF lacks organizational and technical measures in line with the principle of data protection by design and by default, in particular to ensure the effective exercise of the rights of data subjects as well as to control the validity and integrity of users’ choices. Therefore, the compliance of the TCF with the GDPR is not sufficiently guaranteed or demonstrated.
  • No DPO, DPIA. IAB Europe failed to maintain a record of processing activities, appoint a DPO (Data Protection Officer) and conduct a DPIA (Data Protection Impact Assessment).

What should the IAB do?

The IAB must now establish a valid legal basis for processing and disseminating user preferences under the TCF. It must also prohibit the use of “legitimate interest” as a basis for the processing of personal data by organizations participating in the TCF. In addition, it must monitor participating organizations to ensure that they meet GDPR requirements.

BFI shared a statement on the decision of the Belgian DPA on February 2, saying: “Notwithstanding our serious reservations on the substance of the decision, we look forward to working with the DPA on an action plan to be executed within the prescribed six months which will ensure the continued usefulness of the TCF in the marketplace. As previously announced, we have always intended to submit the framework for approval as a cross-country GDPR code of conduct. Today’s decision appears to pave the way for the start of work on this.

Related Article: What You Should Know About China’s Personal Information Protection Law

Impact on marketers, brands

Alexander Hanff, CIPPE, CIPT, FIP, Managing Director of Uppsala, based in Sweden Hanff & Co ABhelped draft the project ePrivacy regulations being part of the drafting team of the European Parliament as an expert adviser. Asked by CMSWire how the Belgian DPA’s decision will impact publishers, Hanff called it “enormous”, adding that the overwhelming majority of publishers are currently breaking the law.

“The only way to stop this is to completely change the way they conduct marketing and deploy assets online,” Hanff said. “That means a real shift to consent – and not deploying technical assets that aren’t strictly technically necessary to display content to the end user. No more dark schemes, no more legitimate interest and no more transfer of data to US entities like Google, Facebook, Adobe, etc. That’s the absolute answer, and it’s not one the industry is going to like, but it’s the right answer. “

The Belgian DPA has just confirmed what I have been saying for a few years now. Legitimate interest is NOT a valid legal basis for the use of website trackers and fined IAB Europe EUR 250,000 and ordered it to prohibit the use of legitimate interest in the TCF.#privacy #gdpr

— Alexander Hanff (CIPPE, CIPT, FIP) (@alexanderhanff) February 2, 2022

Hanff expects to see more litigation as a result of this application both from independent affected persons and from law firms specializing in these types of claims, both class/class actions and individual.

Publishers should understand that the right to privacy and data protection under the ePrivacy Directive and GDPR stands above their desire to make money from processing personal data or tracking their behavior.

“They have no right to do this. They have to get consent,” Hanff said. “There is no legal vacuum.” The law at play here is primarily the ePrivacy Directive and EU case law. Simply approaching these issues as a GDPR compliance checkbox is entirely inappropriate, Hanff added, and will do nothing to meet compliance obligations.

Mary I. Bruner