Home Ad Exchange News The TCF – IAB Europe’s GDPR Workaround – Got Shot Down By Belgium’s DPA, With Six Months To Fix It

The TCF – IAB Europe’s GDPR Workaround – Got Shot Down By Belgium’s DPA, With Six Months To Fix It

SHARE:

The programmatic industry just took the toughest body blow it’s felt since the GDPR became law in 2018.

The Belgian Data Protection Authority (DPA) announced on Wednesday that IAB Europe’s Transparency and Consent Framework (TCF), the industry solution for conveying consent data in the programmatic auction, is illegal in its current form. The DPA also fined IAB Europe $280,000 and ordered the trade organization to appoint a data protection officer (which could end up costing more than the fine).

The decision wasn’t a surprise. IAB Europe notified members two months ago that it expected the Belgian regulator to decide against the TCF.

The crux of the case is that the TCF creates IDs tied to individuals as a string of numbers representing a user who either has or has not given consent to use data for advertising. The DPA alleges that the TCF relies on legitimate interest under GDPR to collect and pass consent-based IDs. This is a problem, because legitimate interest requires that companies processing data must do so in a way that a customer expects.

That could be collecting data for fraud and bot detection or web-hosting infrastructure that logs traffic – but not, according to the Belgians, for creating ad profiles or to attach data to an ad impression.

Purview problems

But there’s also the tricky question of auditing the TCF.

TCF data is collected by consent management platforms (CMPs), a category of vendors and open-source tech used by publishers to manage consent pop-up requests, store consent data and distribute it to ad tech or other vendors. CMPs pay $1,200 per year to certify themselves in the IAB Europe’s TCF framework and agree to potential auditing.

There are hundreds of CMPs, and TCF ID strings are shared very broadly, since not only is the ID passed to any SSP a publisher works with, but to any DSP that even evaluates the impression. (After all, whether or not there’s consent to use data for ad targeting determines how much they bid.)

If a rogue employee at a CMP or publisher chose to, it could falsify TCF IDs to allow targeted advertising – the incentive is there, after all –  and IAB Europe or advertisers upstream have no way to identify the violation in retrospect, let alone during the milliseconds of real-time bidding.

The Belgian DPA declared that IAB Europe is a data controller for the TCF – a point the industry group has loudly fought against – and is responsible for conducting strict CMP audits and guaranteeing that consent strings can’t be used improperly in programmatic. IAB Europe earns a little more than a million dollars per year from CMP vendor fees, according to the DPA’s back-of-the-napkin math based on CMP membership numbers as of last July.

What’s next?

IAB Europe has six months to overhaul the TCF to meet the obligations determined by the Belgian DPA and must present an action plan for how it plans to do so within two months.

But the beleaguered trade org sees the silver lining, apparently. According to IAB Europe, presenting the TCF for approval as a transnational Code of Conduct  – in other words, to get blessed as a single framework that can be used and interpreted cohesively across EU nations – was always in its plans.

“Today’s decision would appear to clear the way for work on that to begin,” according to a blog post.

IAB Europe said it is considering options to continue fighting the Belgian DPA’s conclusion that it is a data controller within the TCF, which makes it responsible for all the data processing, storage and usage when publishers use TCF consent strings for programmatic advertising.

But IAB Europe also noted that the TCF was not declared illegal, and that implicit in the DPA’s decision is that it considers six months adequate to remedy the issues.

If IAB Europe fails to satisfy the Belgian DPA’s judgment in the case, however, the TCF could be ruled illegal, which would require all openRTB consent data storage collected via the framework to be retroactively erased.

If that happens, it would be a potential knockout blow to open web programmatic in Europe.

And although Google isn’t the opponent in the ring this time, Google would still be the big winner. What’s new?

If the TCF doesn’t endure and the Belgian DPA’s decision is codified by other EU DPAs, it would leave Google’s AdBuyers protocol as the only RTB protocol collecting and using consent for online advertising.

Must Read

Google’s Meridian And Meta’s Robyn: A Gift To Measurement Or Trojan Horses?

Google and Meta are quietly rewriting the rules of ad measurement, and they’re doing it with open-source marketing mix modeling tools that many marketers don’t even realize they’re using.

This New Training Framework Gives Publishers A Say In How AI Uses Their Work

A new initiative called SAIL compensates publishers when AI scrapes their content and guarantees the outputs adhere to the same cultural standards they apply to their own coverage.

AI Is Spreading Inaccurate Information About Brands. This Tool Can Help Fix That

Brands can’t just focus on how often they show up in AI search. They also need to pay attention to accuracy – and know what to do when AI gets it wrong.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

This K-Beauty Brand Is Collapsing The Marketing Funnel To Grow Its US Customer Base

The “K” in “K-beauty” stands for “Korean.” But it should also stand for “kaboom” because Korean beauty product sales are exploding internationally, especially in the US market.

LinkNYC Kiosks Have Started Airing World Cup Games – TV Ads And All

The cinematic trope of people stopping to watch the news on a storefront TV display feels pretty out of date today. But sometimes, life can still imitate art.

How TIME’s CMS Transition Laid The Foundation For Its AI-Driven Content Overhaul

The CMS migration helped unify TIME’s fragmented content data after years of platform transitions under multiple owners. This enabled TIME to launch its own AI search product and convert archival content into AI-friendly “markdown” pages.