Home Ad Exchange News The TCF – IAB Europe’s GDPR Workaround – Got Shot Down By Belgium’s DPA, With Six Months To Fix It
Ad Exchange News

The TCF – IAB Europe’s GDPR Workaround – Got Shot Down By Belgium’s DPA, With Six Months To Fix It

By

SHARE:

The programmatic industry just took the toughest body blow it’s felt since the GDPR became law in 2018.

The Belgian Data Protection Authority (DPA) announced on Wednesday that IAB Europe’s Transparency and Consent Framework (TCF), the industry solution for conveying consent data in the programmatic auction, is illegal in its current form. The DPA also fined IAB Europe $280,000 and ordered the trade organization to appoint a data protection officer (which could end up costing more than the fine).

The decision wasn’t a surprise. IAB Europe notified members two months ago that it expected the Belgian regulator to decide against the TCF.

The crux of the case is that the TCF creates IDs tied to individuals as a string of numbers representing a user who either has or has not given consent to use data for advertising. The DPA alleges that the TCF relies on legitimate interest under GDPR to collect and pass consent-based IDs. This is a problem, because legitimate interest requires that companies processing data must do so in a way that a customer expects.

That could be collecting data for fraud and bot detection or web-hosting infrastructure that logs traffic – but not, according to the Belgians, for creating ad profiles or to attach data to an ad impression.

Purview problems

But there’s also the tricky question of auditing the TCF.

TCF data is collected by consent management platforms (CMPs), a category of vendors and open-source tech used by publishers to manage consent pop-up requests, store consent data and distribute it to ad tech or other vendors. CMPs pay $1,200 per year to certify themselves in the IAB Europe’s TCF framework and agree to potential auditing.

There are hundreds of CMPs, and TCF ID strings are shared very broadly, since not only is the ID passed to any SSP a publisher works with, but to any DSP that even evaluates the impression. (After all, whether or not there’s consent to use data for ad targeting determines how much they bid.)

If a rogue employee at a CMP or publisher chose to, it could falsify TCF IDs to allow targeted advertising – the incentive is there, after all –  and IAB Europe or advertisers upstream have no way to identify the violation in retrospect, let alone during the milliseconds of real-time bidding.

The Belgian DPA declared that IAB Europe is a data controller for the TCF – a point the industry group has loudly fought against – and is responsible for conducting strict CMP audits and guaranteeing that consent strings can’t be used improperly in programmatic. IAB Europe earns a little more than a million dollars per year from CMP vendor fees, according to the DPA’s back-of-the-napkin math based on CMP membership numbers as of last July.

What’s next?

IAB Europe has six months to overhaul the TCF to meet the obligations determined by the Belgian DPA and must present an action plan for how it plans to do so within two months.

But the beleaguered trade org sees the silver lining, apparently. According to IAB Europe, presenting the TCF for approval as a transnational Code of Conduct  – in other words, to get blessed as a single framework that can be used and interpreted cohesively across EU nations – was always in its plans.

“Today’s decision would appear to clear the way for work on that to begin,” according to a blog post.

IAB Europe said it is considering options to continue fighting the Belgian DPA’s conclusion that it is a data controller within the TCF, which makes it responsible for all the data processing, storage and usage when publishers use TCF consent strings for programmatic advertising.

But IAB Europe also noted that the TCF was not declared illegal, and that implicit in the DPA’s decision is that it considers six months adequate to remedy the issues.

If IAB Europe fails to satisfy the Belgian DPA’s judgment in the case, however, the TCF could be ruled illegal, which would require all openRTB consent data storage collected via the framework to be retroactively erased.

If that happens, it would be a potential knockout blow to open web programmatic in Europe.

And although Google isn’t the opponent in the ring this time, Google would still be the big winner. What’s new?

If the TCF doesn’t endure and the Belgian DPA’s decision is codified by other EU DPAs, it would leave Google’s AdBuyers protocol as the only RTB protocol collecting and using consent for online advertising.

Tagged in:

Must Read

AI

Can An AI Solution Fix Misaligned Marketing Orgs?

Opal launched Gem, a new AI solution, to help large brands unify the layers of media and tech within their organizations.

Publishers

Sports Publisher On3 Tries AI Recommendations To Keep Engagement In Its Home Court

Mula’s AI native content feed helps On3 keep its engagement and RPS consistent amid traffic drop-offs to publisher sites and the growing scarcity of online attention.

Comic: Race To The Bottom
Publishers

Hearst Built A Unified Ad Marketplace To Simplify Omnichannel News Buys

Hearst is stitching together its far‑flung news properties into a single programmatic marketplace to simplify buying local news and shore up its business as the ad market shifts.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Measurement

Northbeam Adds The Third Leg Of The Attribution Stool With Incrementality Testing

There’s MMM and MTA, but no single ad measurement works for brands with multiple points of sale. On Tuesday, Northbeam launched an incrementality tool to complete what it calls “the trifecta of digital attribution.”

Comic: The Great Online Privacy Battle
Data Privacy

What Regulators Talk About When They Talk About Ad Tech

If you want to know what privacy regulators think about online advertising, it’s not a mystery. Just listen to what they’re saying.

Publishers

Keyword Blocking Demonetized More Than Half Of Reuters’ Brand-Safe Stories

The effect wasn’t just limited to news content. The Reuters.com/lifestyle vertical also had some of its brand-suitable pages blocked.

Popular

  1. Seattle, WA USA - circa February 2023: Close up view of Liquid Death sparkling water for sale inside a grocery store
    Measurement

    Liquid Death Lets Incrementality Decide What Tactics To Kill And What To Keep

    Behind its edgy marketing, Liquid Death faces a familiar CPG problem: Most sales happen at the register, where media measurement goes to die.

  2. Comic: Race To The Bottom
    Publishers

    Hearst Built A Unified Ad Marketplace To Simplify Omnichannel News Buys

    Hearst is stitching together its far‑flung news properties into a single programmatic marketplace to simplify buying local news and shore up its business as the ad market shifts.

  3. Frans Vermeulen, Co-Founder & President, Swivel
    OPINION: On TV & Video

    Why CTV Is Becoming The First Real Test Of Agentic Advertising

    CTV never fit cleanly into campaign execution models built for RTB-based trading. Whether agentic AI solutions can simplify the complicated CTV landscape for publishers will be their first real test case.

  4. Marketers

    Linkby Raises $15 Million For its Hybrid PR And Affiliate Marketing Network

    Linkby, which connects brands with publisher content that advertisers pay for based on reader engagement, announced its $15 million Series B on Tuesday.

  5. AdExchanger's Big Story podcast with journalistic insights on advertising, marketing and ad tech
    PODCAST: The Big Story

    What Is AI Automating In Ad Tech?

    Every company wants an AI-powered product. So what do they all look like? From A/B testing and media optimization to agentic interfaces for customers, we give a rundown on AI’s most popular applications in ad tech.