Digital Law Up(to)date: The cookie consent framework of IAB Europe violates the GDPR

Article
EU Law

On 2 February 2022, the Belgian Data Protection Authority (DPA) found that the Transparency and Consent Framework (TCF) developed by IAB Europe (Interactive Advertising Bureau Europe) violates the GDPR.

The concerned supervisory authorities of 19 other countries had previously approved the lengthy Belgian decision (127 pages; an English version is available here). The Belgian DPA declared itself lead supervisory authority because IAB Europe is established in Belgium only (Article 60 GDPR).

What is the TCF?

The TCF conveys the choices an end user makes online: his or her preferences, consent, and the ways in which his or her personal data may be used and processed. Concretely, when a user accesses a website or application for the first time, a pop-up asks whether the user consents to the collection and sharing of personal data. These pop-ups are provided by consent management platforms (CMPs), and in practice it is the CMP that makes the TCF work.

The TCF also plays a central role in Real Time Bidding (RTB), the system that runs instantaneous automated online auctions for the sale and purchase of online advertising space. This means that when a user accesses a website or application containing an advertising space, technology companies representing thousands of advertisers bid for that space, behind the scenes and in real time, through an automated auction system and algorithms, in order to display targeted advertising tailored to that individual's profile.

Finally, an essential part of the CMP's intervention is the generation of a character string made up of letters, numbers and other characters (the “Transparency and Consent String” or “TC String”). The TC String captures the user's preferences in a structured, machine-readable form and can be decoded by the companies that receive personal data in order to fill advertising spaces on other companies' websites. The CMP also places a cookie on the user's device.

What is the decision of the DPA?

Before analysing potential violations of the GDPR, the DPA first checks whether personal data are actually processed in this complex system:

  • Is there personal data? The DPA finds that the TC String on its own does not allow direct identification of a person. However, the CMP does make use of the user's IP address, which is personal data. Because the TC String can be combined with the IP address, the information relates to an identifiable user. The data are therefore personal.
  • Is there a processing of personal data? The DPA answers yes: the TCF inherently entails the collection, processing, storage and subsequent sharing of the user's preferences with other parties.
  • Is IAB Europe the data controller? Yes. The DPA concludes that IAB Europe is the data controller for the processing involved in recording the consent signal, objections and user preferences by means of the TC String. However, IAB Europe shares this responsibility with the other actors in the system (joint controllership).

Subsequently, the DPA analyses the potential violation of the GDPR provisions:

  • Article 6 GDPR: there is no valid legal basis. The DPA considers that IAB Europe, as Managing Organisation of the TCF, has failed to establish a legal basis for the processing of user preferences in the form of a TC String and has therefore breached Article 6 GDPR. The same conclusion applies to the processing of personal data in the RTB system on the basis of preferences captured in accordance with the TCF.
  • Articles 12, 13 and 14 GDPR: the transparency obligations are not respected. Not all the required information is given to the user, and where it is given, it does not meet the requirements of clarity, transparency and accessibility.
  • Articles 5(1)(f), 24, 25 and 32 GDPR: obligations of security, integrity and confidentiality. These obligations are not met: IAB Europe has not taken effective technical and organisational measures to ensure, and to be able to demonstrate, the integrity of the preference signal transmitted by CMPs to the companies that receive personal data in order to fill advertising spaces.
  • Article 30 GDPR: records of processing activities. IAB Europe does not keep records of its processing activities, although, according to the DPA, it is subject to this obligation.
  • Article 35 GDPR: data protection impact assessment. IAB Europe is subject to the obligation to conduct a data protection impact assessment, considering among other things the large number of data subjects who come into contact with websites and applications implementing the TCF.
  • Article 37 GDPR: designation of a DPO. The DPA considers that IAB Europe should have designated a data protection officer (DPO), as required by Article 37.
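To make the two technical points above concrete (the structured, decodable TC String described in the section on the TCF, and the finding on the integrity of the preference signal under Articles 5(1)(f) and 32), here is an added example that is not part of the decision, of this article, or of IAB Europe's own tooling. It encodes and decodes the opening fields of a TCF v2 core segment using the bit widths published in IAB Europe's TCF v2 technical specification (only the fixed-width header and a bitfield vendor section are modelled; range-encoded vendor sections, vendor legitimate-interest data and publisher restrictions are left out). The Python field names, the sample CMP values, the vendor ids and the timestamps are all constructed for this example. The point it shows is that the format itself carries no signature or MAC: any party that holds a TC String can re-issue it with different preferences and a receiver cannot tell the difference from the string alone.

```python
import base64

# Bit widths of the fixed-size fields that open the TCF v2 core segment, in order,
# per IAB Europe's published TCF v2 specification. Python names are this example's own.
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36),
    ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
    ("consent_language", 12), ("vendor_list_version", 12), ("tcf_policy_version", 6),
    ("is_service_specific", 1), ("use_non_standard_stacks", 1),
    ("special_feature_opt_ins", 12), ("purposes_consent", 24),
    ("purposes_li_transparency", 24), ("purpose_one_treatment", 1), ("publisher_cc", 12),
]
PURPOSE_COUNT = 24


def purposes_to_bits(purposes):
    """Purpose p (1..24) occupies the p-th bit from the left of the 24-bit field."""
    return sum(1 << (PURPOSE_COUNT - p) for p in purposes)


def bits_to_purposes(value):
    return {p for p in range(1, PURPOSE_COUNT + 1) if (value >> (PURPOSE_COUNT - p)) & 1}


def lang_code(code):
    """Two-letter code packed as two 6-bit letters, A=0 (e.g. 'EN' -> 269)."""
    a, b = code.upper()
    return ((ord(a) - 65) << 6) | (ord(b) - 65)


def _b64url_encode(bits):
    bits += "0" * (-len(bits) % 8)                     # pad to a byte boundary
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")   # TCF strips '=' padding


def _b64url_decode(segment):
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    return "".join(f"{byte:08b}" for byte in raw)


def encode_core(fields, vendor_consents):
    """Serialise the header fields plus a bitfield-encoded vendor consent section."""
    bits = ""
    for name, width in CORE_FIELDS:
        value = fields[name]
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name}={value} does not fit in {width} bits")
        bits += format(value, f"0{width}b")
    max_vendor = max(vendor_consents, default=0)
    bits += format(max_vendor, "016b") + "0"           # MaxVendorId, IsRangeEncoding=0
    bits += "".join("1" if v in vendor_consents else "0" for v in range(1, max_vendor + 1))
    return _b64url_encode(bits)


def decode_core(tc_string):
    """Parse the core segment (first dot-separated segment) back into a dict."""
    bits = _b64url_decode(tc_string.split(".")[0])
    pos, fields = 0, {}
    for name, width in CORE_FIELDS:
        fields[name] = int(bits[pos:pos + width], 2)
        pos += width
    max_vendor = int(bits[pos:pos + 16], 2)
    pos += 16
    if bits[pos] == "1":
        raise NotImplementedError("range-encoded vendor section is outside this example")
    pos += 1
    fields["vendor_consents"] = {v for v in range(1, max_vendor + 1) if bits[pos + v - 1] == "1"}
    return fields


def rewrite_purposes(tc_string, purposes):
    """Re-issue a TC String with a different purpose consent set.

    Nothing in the string binds it to the CMP that produced it (no signature, no MAC),
    so decode_core() accepts the result exactly as it accepts the original.
    """
    fields = decode_core(tc_string)
    vendors = fields.pop("vendor_consents")
    fields["purposes_consent"] = purposes_to_bits(purposes)
    return encode_core(fields, vendors)


# Constructed sample: a CMP recording consent for purposes 1 and 2 and vendors 8, 10 and 755.
# The CMP id, screen and list version are illustrative, not registered values.
SAMPLE_FIELDS = {
    "version": 2,
    "created": 16437600000,            # 2022-02-02T00:00:00Z in deciseconds
    "last_updated": 16437600000,
    "cmp_id": 99, "cmp_version": 1, "consent_screen": 1,
    "consent_language": lang_code("en"),
    "vendor_list_version": 120, "tcf_policy_version": 2,
    "is_service_specific": 1, "use_non_standard_stacks": 0,
    "special_feature_opt_ins": 0,
    "purposes_consent": purposes_to_bits({1, 2}),
    "purposes_li_transparency": 0, "purpose_one_treatment": 0,
    "publisher_cc": lang_code("be"),
}
SAMPLE_VENDORS = {8, 10, 755}


def demo():
    """Return (original, forged): the forged string grants all 24 purposes."""
    original = encode_core(SAMPLE_FIELDS, SAMPLE_VENDORS)
    return original, rewrite_purposes(original, set(range(1, PURPOSE_COUNT + 1)))


if __name__ == "__main__":
    original, forged = demo()
    print("original:", original)
    print("forged:  ", forged)
    print("forged purposes:", sorted(bits_to_purposes(decode_core(forged)["purposes_consent"])))
```

Running it prints two strings that differ only in the purpose bits; the forged one still decodes with the original CMP id, timestamps and vendor set. Whether this is precisely the gap the DPA had in mind is not something the summary above states, but the absence of any cryptographic binding between the string and the CMP that issued it is the first thing a reviewer of the "integrity of the preference signal" would check.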

What is the sanction?

The Belgian DPA imposes an administrative fine of EUR 250,000 and orders a number of compliance measures, one for each GDPR violation found. These measures must be completed within six months of the DPA's validation of an action plan, which IAB Europe must submit to the Litigation Chamber within two months of the decision.

The DPA's decision appears to be in line with existing expert views on the validity of the TCF under data protection law, and it strengthens the privacy protection of users in the online environment. At the time of writing, however, the decision is not yet final, as IAB Europe may still appeal it before the Market Court.

This article was co-authored by Edouard Cruysmans in his capacity of Professional Support Lawyer at Stibbe.