The TCF – IAB Europe’s GDPR Workaround – Got Shot Down By Belgium’s DPA, With Six Months To Fix It

The programmatic industry just took the toughest body blow it’s felt since the GDPR became law in 2018.

The Belgian Data Protection Authority (DPA) announced on Wednesday that IAB Europe’s Transparency and Consent Framework (TCF), the industry solution for conveying consent data in the programmatic auction, is illegal in its current form. The DPA also fined IAB Europe $280,000 and ordered the trade organization to appoint a data protection officer (which could end up costing more than the fine).

The decision wasn’t a surprise. IAB Europe notified members two months ago that it expected the Belgian regulator to decide against the TCF.

The crux of the case is that the TCF creates IDs tied to individuals as a string of numbers representing a user who either has or has not given consent to use data for advertising. The DPA alleges that the TCF relies on legitimate interest under GDPR to collect and pass consent-based IDs. This is a problem, because legitimate interest requires that companies processing data must do so in a way that a customer expects.

That could be collecting data for fraud and bot detection or web-hosting infrastructure that logs traffic – but not, according to the Belgians, for creating ad profiles or to attach data to an ad impression.

Purview problems

But there’s also the tricky question of auditing the TCF.

TCF data is collected by consent management platforms (CMPs), a category of vendors and open-source tech used by publishers to manage consent pop-up requests, store consent data and distribute it to ad tech or other vendors. CMPs pay $1,200 per year to certify themselves in IAB Europe’s TCF framework and agree to potential auditing.

There are hundreds of CMPs, and TCF ID strings are shared very broadly, since not only is the ID passed to any SSP a publisher works with, but to any DSP that even evaluates the impression. (After all, whether or not there’s consent to use data for ad targeting determines how much they bid.)

If a rogue employee at a CMP or publisher chose to, they could falsify TCF IDs to allow targeted advertising – the incentive is there, after all – and IAB Europe or advertisers upstream have no way to identify the violation in retrospect, let alone during the milliseconds of real-time bidding.

The Belgian DPA declared that IAB Europe is a data controller for the TCF – a point the industry group has loudly fought against – and is responsible for conducting strict CMP audits and guaranteeing that consent strings can’t be used improperly in programmatic. IAB Europe earns a little more than a million dollars per year from CMP vendor fees, according to the DPA’s back-of-the-napkin math based on CMP membership numbers as of last July.

What’s next?

IAB Europe has six months to overhaul the TCF to meet the obligations determined by the Belgian DPA and must present an action plan for how it plans to do so within two months.

But the beleaguered trade org sees the silver lining, apparently. According to IAB Europe, presenting the TCF for approval as a transnational Code of Conduct – in other words, to get blessed as a single framework that can be used and interpreted cohesively across EU nations – was always in its plans.

“Today’s decision would appear to clear the way for work on that to begin,” according to a blog post.

IAB Europe said it is considering options to continue fighting the Belgian DPA’s conclusion that it is a data controller within the TCF, which makes it responsible for all the data processing, storage and usage when publishers use TCF consent strings for programmatic advertising.

But IAB Europe also noted that the TCF was not declared illegal, and that implicit in the DPA’s decision is that it considers six months adequate to remedy the issues.

If IAB Europe fails to satisfy the Belgian DPA’s judgment in the case, however, the TCF could be ruled illegal, which would require all openRTB consent data storage collected via the framework to be retroactively erased.

If that happens, it would be a potential knockout blow to open web programmatic in Europe.

And although Google isn’t the opponent in the ring this time, Google would still be the big winner. What’s new?

If the TCF doesn’t endure and the Belgian DPA’s decision is codified by other EU DPAs, it would leave Google’s AdBuyers protocol as the only RTB protocol collecting and using consent for online advertising.
