Iubenda logo
Start generating

Documentation

Table of Contents

FAQ on the Belgian DPA decision on IAB

In this FAQ

About the ruling

  • Main findings of the ruling
  • Remedies imposed by the ruling
  • Recent updates

Is the TCF now illegal?

  • Risk of non-compliance
  • Legitimate interest

What do I need to do?

  • Recommendations for our clients
  • What’s next?

About the ruling

On February 2nd, 2022, the Belgian Data Protection Authority (APD) issued a decision on IAB Europe and the Transparency and Consent Framework (TCF).

First, let’s have a quick recap; who is IAB, and what is the TCF

  • IAB Europe is the European-level association for the digital marketing and advertising ecosystem. Its purpose is to lead political representation and encourage industry collaboration to establish frameworks, standards, and industry programs to help businesses succeed in the European market.
  • The TCF is an open-source voluntary standard launched in April 2018 by IAB Europe to assist enterprises in the digital advertising ecosystem in their attempts to comply with EU privacy and data protection regulations. In other words, the TCF provides a standard process for getting GDPR user consent and signaling those consent preferences across the advertising supply chain (You can read the framework policies here)

The APD considered some features in the TCF not to be compliant with the GDPR and ruled that:

1) The TC String is personal data
 
TC Strings are the digital signals created by Consent Management Platforms (CMPs). These signals allow Publishers (people who monetize the content on their site/app) to capture data subjects’ choices about the processing of their personal data for digital advertising, content, and measurement. Vendors can receive these signals directly from CMPs or from other TCF participants to verify that they have obtained consent or legitimate interest for a particular purpose.
 
2) IAB Europe is a data controller for the TC String and therefore
3) IAB has not established a legal basis for processing the TC String

As a result of the findings, several remedies have been imposed.
 
Impacting the TCF

  • Prohibit the use of legitimate interests as a legal basis for processing.
  • Require CMPs to take an even more harmonized and GDPR-compliant approach on information disclosures to users.
  • Ensure “compliance of the TCF with obligations of integrity and security“.
Impacting IAB
  • A fine of EUR 250.000,00
  • Establish a legal basis for processing the TC String
  • Delete personal data collected in its capacity as a controller of the TC String established in the global-scope context
     
    What is the global-scope?
     
    The TCF Policy previously allowed legal bases in the Framework to be established with “global scope”, which meant that a legal basis, for example, consent, could be applicable to not only the website where it was obtained but to all other websites that also implement global scope preferences. Even if the consent, in this example, was not obtained directly on the other websites.
     
    Deprecation of global scope support was announced on June 22nd, 2021, due to the overall negligible use of global scope by publishers, and indication by several Data Protection Authorities that users should be clearly informed of the digital properties where their choices apply, for example by being provided with a list of domains.
     
  • IAB must maintain a record of processing activities, carry out a data protection impact assessment and designate a DPO.

UPDATE: Court of Justice of the European Union Ruling on IAB Europe’s Transparency and Consent Framework

In a significant development, the Court of Justice of the European Union (CJEU) has issued a ruling regarding IAB Europe’s “Transparency and Consent String” (TC String), a mechanism designed to align the online advertising auction system with the General Data Protection Regulation (GDPR) requirements. This ruling follows a previous decision by the Belgian Data Protection Authority in 2022, which had unfavorable implications for IAB Europe.

The CJEU determined that the TC String involves the handling of information relating to an identifiable user, thereby classifying it as personal data under the GDPR. Consequently, IAB Europe is recognized as a “joint controller” of this data. This designation stems from the role IAB Europe plays in influencing data processing operations, particularly when recording the consent preferences of users.

IAB Europe has expressed appreciation for the clarity provided by this ruling. The case is now set to return to the Belgian Market Court for further proceedings. This decision marks a pivotal moment in the ongoing discourse around data protection and privacy in the context of digital advertising and consent management.

For more detailed information and updates on this case, click here.

Has the Belgian DPA declared the TCF illegal?

No. The APD ruling did not prohibit the TCF, nor does it suggest that the digital advertising ecosystem should not employ consent prompts to comply with legal requirements under the EU’s data protection framework.

Instead, the APD has asked IAB Europe to propose corrective measures, including delivering additional compliance functionality. 

Is my risk of non-compliance higher using the TCF? 

In principle no, taking into consideration the following: 

  • The decision itself does not conclude that the use of TC Strings or the TCF more broadly is illegal;
  • The decision did not conclude that vendors, publishers, or CMPs adhering to the TCF automatically collect personal data in breach of the GDPR. In other words, any finding of infringement by a publisher, vendor, or CMP will need to arise from a dedicated investigation taking into account its specificity and all relevant facts;
  • The decision is administrative and is subject to appeal

Is it no longer possible to rely on legitimate interest? 

While it may still seem unclear, IAB considers that the prohibition of the APD on legitimate interest only applies to those linked to tailored advertising and profiling purposes and not a general ban on legitimate interest for all purposes supported by TCF. 

Keep in mind that other national DPAs, like the Italian Garante, have already excluded the use of legitimate interest as a valid legal basis (You can read more on this topic here).

What do I need to do until a final decision is reached? 

At the moment, there seems to be little that can be done other than waiting to see how the appeal process may play out, together with any future TCF requirements. 

Note

As this is an ongoing legal matter, the choice of what to do is one that each business will have to decide for themselves.

This FAQ cannot be considered legal advice and is only meant to be a convenient summary of the ruling. Therefore, if you feel you may be at risk, please consider seeking assistance from your legal adviser.

However, in light of the ruling, companies who utilize TCF should be prepared for substantial changes (improvements) due to the judgment and may want to create mitigation plans and strategies in the case of various situations that may arise.

Recommended actions for our clients 

While we wait on a final decision, we recommend that iubenda clients do the following.

How to do it using the iubenda Cookie Solution

1) Under the IAB TCF section of the iubenda Cookie Solution configurator, click on “Edit”

2) After that, select the “Restrict Purposes” option
3) Then, select “Consent Only” for active purposes.

It is recommended to only display the TCF vendors you actually work with rather than the full list of TCF vendors. Vendors will soon be required to provide additional information inside the Global Vendor List (GVL), making it easier for publishers to decide which vendors to work with.

How to do it using the iubenda Cookie Solution

1) Under the IAB TCF section of the iubenda Cookie Solution configurator, click on “Edit”
2) Select the “Only allow the vendors disclosed in your privacy and cookie policy”

How to do it using the iubenda Cookie Solution

  • We are taking care of this point for you. We are currently adding the relevant disclosure to the TCF-related preferences panel.

How to do it using the iubenda Cookie Solution

1) In the iubenda Cookie Solution configurator, select the GDPR compliance section and click on “Edit”

2) Click on Manual configuration
3) Then select “Explicitly mention the right to withdraw consent”
4) Under “Style and Text” in the iubenda Cookie Solution configurator you can add/edit the privacy widget. The privacy widget will allow your users to access and edit their privacy preferences easily, either via a persistent button on each page or a link of your choice. We will also provide you with additional custom text that can be added to your banner copy to mention the consequences of denying consent.

Once all the above is done, you might consider recollecting consent from your users. 

What’s next? 

Regarding timing and procedure, The APD expects IAB Europe to submit an Action Plan within two months from the publication of the decision. Once the Belgian Data Protection Authority validates the action plan, the compliance measures should be completed within a maximum period of six months

IAB is confident that the Action Plan and coming dialogue with the APD is an opportunity. It’s possible that implementing the APD’s recommendations in this situation might result in a new version of the TCF that is more aligned with the APD’s expectations, qualifying it as a potential candidate for a Code of Conduct, with the APD as the primary supervisory authority.

IAB Europe has announced that it will appeal some part of the decision to the Belgian Market Court