Publishers and brands must immediately start to give serious thought to how they manage customer data in light of the ruling this week by Belgian authorities against IAB Europe for GDPR violations. According to the Belgian Data Protection Authority, the IAB Europe's Transparency and Consent Framework (TCF) fails to comply with a number of provisions of the GDPR.
Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, shared that advice for publishers with CMSWire on the heels of the €250,000 (about $284,000) fine levied on IAB Europe and the order to submit, within two months, an action plan for bringing the TCF into compliance. Publishers and brands should have been giving serious thought to how they handle their visitors' data long before this week's ruling, Ryan added.
What's at Stake?
Here's how this GDPR ruling breaks down:
- Who is the regulator? Belgian Data Protection Authority (DPA).
- Who is being fined? Interactive Advertising Bureau (IAB) Europe, a trade group that conducts research on interactive advertising and whose members include about 700 media companies, brands, agencies and technology firms.
- What was investigated? The IAB's Transparency & Consent Framework (TCF), which participating organizations use to manage users' preferences for online personalized advertising, together with the IAB's OpenRTB protocol for Real-time Bidding (RTB). With RTB, an individual ad impression is put up for bid in real time through a programmatic on-the-spot auction.
- What does a consumer see visiting a digital property? When a user visits a website or application for the first time, an interface (a Consent Management Platform, or CMP) will pop up where they may consent to the collection and sharing of their personal data, or object to various types of processing based on the legitimate interests of ad tech vendors, according to Belgian DPA officials.
- Where does consumer data go in OpenRTB? The CMP captures users' preferences, encodes them and stores them in a "TC String", which is shared with the organizations participating in the OpenRTB system. The CMP also places a cookie (euconsent-v2) on the user's device. Combined, the TC String and the euconsent-v2 cookie can be linked to the user's IP address, making the author of the preferences identifiable.
"The TCF plays a pivotal role in the architecture of the OpenRTB system, as it is the expression of users’ preferences regarding potential vendors and various processing purposes, including the offering of tailor-made advertisement," Belgian authorities said.
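The TC String named above is a base64url-encoded bitfield whose layout is published in the IAB TCF v2 specification; the same string is what a CMP stores in the euconsent-v2 cookie. The decoder below is an added example written for this article, not code from IAB Europe or from any TCF reference library. It reads the fixed fields of the core segment plus the vendor consent and vendor legitimate-interest sections (publisher restrictions and the non-core segments are skipped), and then lists the purposes for which the string asserts "legitimate interest" rather than consent, the basis the ruling ordered removed. The sample string is constructed here with a minimal encoder; CMP id 7, vendor list version 120, and vendor ids 4, 12 and 27 are arbitrary placeholders, not real registrations.

```python
"""Decode the core segment of an IAB TCF v2 TC String (added example)."""
import base64
from datetime import datetime, timezone


def b64url_to_bits(segment: str) -> str:
    """Segments are unpadded base64url; restore padding and expand to a bit string."""
    padded = segment + "=" * (-len(segment) % 4)
    return "".join(f"{byte:08b}" for byte in base64.urlsafe_b64decode(padded))


def bits_to_b64url(bits: str) -> str:
    bits += "0" * (-len(bits) % 8)
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


class BitReader:
    def __init__(self, bits: str):
        self.bits, self.pos = bits, 0

    def read(self, n: int) -> int:
        chunk = self.bits[self.pos:self.pos + n]
        if len(chunk) < n:
            raise ValueError("truncated TC String")
        self.pos += n
        return int(chunk, 2)

    def read_flags(self, n: int) -> set:
        """n-bit field, MSB first: bit i set means id i+1 is on."""
        value = self.read(n)
        return {i + 1 for i in range(n) if (value >> (n - 1 - i)) & 1}

    def read_letters(self, count: int) -> str:
        """6 bits per upper-case letter, 'A' = 0 (language and country codes)."""
        return "".join(chr(ord("A") + self.read(6)) for _ in range(count))


def read_vendor_section(r: BitReader) -> set:
    """Vendor consent / LI section: MaxVendorId, IsRangeEncoding, then bitfield or ranges."""
    max_vendor_id = r.read(16)
    if not r.read(1):                        # bitfield encoding
        return r.read_flags(max_vendor_id)
    vendors = set()
    for _ in range(r.read(12)):              # NumEntries
        is_range = r.read(1)
        start = r.read(16)
        end = r.read(16) if is_range else start
        vendors.update(range(start, end + 1))
    return vendors


def decode_core(tc_string: str) -> dict:
    """Decode the core segment (text before the first '.'); publisher restrictions are skipped."""
    r = BitReader(b64url_to_bits(tc_string.split(".")[0]))
    out = {"version": r.read(6)}
    if out["version"] != 2:
        raise ValueError(f"unsupported TC String version {out['version']}")
    out["created"] = datetime.fromtimestamp(r.read(36) / 10, tz=timezone.utc)   # deciseconds
    out["last_updated"] = datetime.fromtimestamp(r.read(36) / 10, tz=timezone.utc)
    out["cmp_id"], out["cmp_version"], out["consent_screen"] = r.read(12), r.read(12), r.read(6)
    out["consent_language"] = r.read_letters(2)
    out["vendor_list_version"], out["policy_version"] = r.read(12), r.read(6)
    out["is_service_specific"], out["use_non_standard_stacks"] = bool(r.read(1)), bool(r.read(1))
    out["special_feature_opt_ins"] = r.read_flags(12)
    out["purposes_consent"] = r.read_flags(24)
    out["purposes_li"] = r.read_flags(24)    # purposes claimed under "legitimate interest"
    out["purpose_one_treatment"] = bool(r.read(1))
    out["publisher_cc"] = r.read_letters(2)
    out["vendor_consent"] = read_vendor_section(r)
    out["vendor_li"] = read_vendor_section(r)
    return out


def legitimate_interest_purposes(decoded: dict) -> list:
    """Purposes for which the string asserts LI as the legal basis, the practice the ruling targets."""
    return sorted(decoded["purposes_li"])


# Minimal encoder, used only to build the constructed sample (bitfield vendor encoding, no restrictions).
def _flags(ids, n):
    return "".join("1" if i + 1 in ids else "0" for i in range(n))

def _letters(s):
    return "".join(f"{ord(c) - ord('A'):06b}" for c in s)

def _vendor_bitfield(ids):
    max_id = max(ids, default=0)
    return f"{max_id:016b}0" + _flags(ids, max_id)

def encode_core(created_ds, cmp_id, language, purposes_consent, purposes_li, vendor_consent, vendor_li, publisher_cc):
    bits = (f"{2:06b}{created_ds:036b}{created_ds:036b}{cmp_id:012b}{1:012b}{1:06b}"
            + _letters(language) + f"{120:012b}{2:06b}" + "10" + _flags(set(), 12)
            + _flags(purposes_consent, 24) + _flags(purposes_li, 24) + "0" + _letters(publisher_cc)
            + _vendor_bitfield(vendor_consent) + _vendor_bitfield(vendor_li) + f"{0:012b}")
    return bits_to_b64url(bits)

# Constructed sample (placeholder ids): consent only for purpose 1, LI claimed for purposes 2, 7, 8, 9, 10.
SAMPLE_TC_STRING = encode_core(16437600000, 7, "EN", {1}, {2, 7, 8, 9, 10}, {4, 12}, {12, 27}, "BE")

if __name__ == "__main__":
    decoded = decode_core(SAMPLE_TC_STRING)
    print(SAMPLE_TC_STRING)
    print("purposes under legitimate interest:", legitimate_interest_purposes(decoded))
```

Run against the value of a real euconsent-v2 cookie, the decoder shows what the CMP actually recorded: which purposes were granted by consent, which were asserted under legitimate interest, and which vendors received each. A non-empty `purposes_li` is the condition a publisher's compliance review should now flag.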
How Did IAB Violate GDPR?
The Belgian DPA found IAB Europe failed to establish a legal basis for the processing of the TC String. It also found:
- Weak legal basis. The legal grounds offered by the TCF for the subsequent processing by adtech vendors are inadequate.
- Lack of transparency. The information provided to users through the CMP interface is too generic and vague to allow users to understand the nature and scope of the processing, especially given the complexity of the TCF. Therefore it is difficult for users to maintain control over their personal data, according to the Belgian DPA.
- Non-conformity with data protection by design and by default. The TCF lacks organizational and technical measures in accordance with the principle of data protection by design and by default, including to ensure the effective exercise of data subject rights as well as to monitor the validity and integrity of the users’ choices. Therefore, the conformity of the TCF with the GDPR is not adequately warranted nor demonstrated.
- No DPO, DPIA. IAB Europe has failed to keep a register of processing activities, to appoint a DPO (data protection officer) and to conduct a DPIA (data protection impact assessment).
What Must the IAB Do?
The IAB must now establish a valid legal basis for the processing and dissemination of users' preferences within the context of the TCF. It must also prohibit the use of "legitimate interest" as a basis for the processing of personal data by organizations participating in the TCF. And, it must vet participating organizations to ensure they meet the requirements of the GDPR.
The IAB shared a statement on the Belgian DPA's decision Feb. 2, saying, "Notwithstanding our grave reservations on the substance of the decision, we look forward to working with the APD on an action plan to be executed within the prescribed six months that will ensure the TCF’s continuing utility in the market. As previously communicated, it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct. Today’s decision would appear to clear the way for work on that to begin."
Impact on Marketers, Brands
Alexander Hanff, CIPPE, CIPT, FIP, managing director of Uppsala, Sweden-based Hanff & Co AB, helped write the proposed ePrivacy Regulation by serving on the drafting team for the European Parliament as an expert advisor. Asked by CMSWire what the impact of the Belgian DPA's decision on publishers would be, Hanff called it "huge," adding the overwhelming majority of publishers are currently breaking the law.
"The only way to stop this is to completely change the way they conduct marketing and deploy online assets," Hanff said. "That means a genuine shift towards consent — and not deploying any technical assets which are not strictly required from a technical perspective, to display the content to the end user. No more dark patterns, no more legitimate interest and no more transferring of data to US entities like Google, Facebook, Adobe, etc. That is the absolute answer, and it is not one the industry is going to like but it is the correct answer."
Belgian DPA just confirmed what I have been saying for a couple of years now. Legitimate Interest is NOT a valid legal basis for the use of website trackers & have fined IAB Europe 250k Euros and ordered them to prohibit the use of Legitimate Interest in the TCF. #privacy #gdpr
— Alexander Hanff (CIPPE, CIPT, FIP) (@alexanderhanff) February 2, 2022
Hanff expects to see more litigation off the back of this enforcement both from independent data subjects and law firms specializing in these types of claims, both class/group action as well as individual actions.
Publishers need to understand that the right to privacy and data protection under the ePrivacy Directive and GDPR sits above their desire to make money from processing personal data or from tracking users' behavior.
"They have no right to do this. They must obtain consent," Hanff said. "There is no legal loophole." The law at play here is primarily the ePrivacy Directive and EU case law. Simply approaching these issues as a GDPR compliance checkbox is wholly inappropriate, Hanff added, and will not do anything to meet compliance obligations.