Belgian DPA finds that IAB Europe’s Cookie Consent Framework violates GDPR

On February 2, 2022, the Belgian Data Protection Authority (DPA) found that the Interactive Advertising Bureau Europe (IAB Europe) Transparency and Consent Framework (TCF), a tool used to record individuals’ online advertising preferences, violates the General Data Protection Regulation (GDPR). The DPA fined IAB Europe €250,000 and ordered it to submit a plan to bring the TCF into compliance within two months. In reaching this conclusion, the DPA found that:

  1. The character strings used to express users’ online advertising preferences collected via the TCF (TC Strings) constitute personal data within the meaning of the GDPR,
  2. IAB Europe is a joint controller for the processing of TC Strings, together with website publishers, consent management platforms (CMPs) and adtech vendors, in the context of open real-time bidding (OpenRTB), and
  3. IAB Europe fails to comply with several provisions of the GDPR, including the requirement to have a valid legal basis for processing TC Strings.

This decision is significant because it reflects the view of privacy regulators at a pan-European level. It will likely lead to increased scrutiny of website operators in the EU and affect how the concepts of control, joint control and a valid legal basis are applied to advertising purposes.

Background

The TCF is a framework of policies, technical specifications, and terms and conditions developed by IAB Europe that companies can use to inform users about their data processing operations and obtain their consent. IAB Europe is the federation representing the digital advertising and marketing industry at European level.[1] It has developed tools to help players in the digital advertising industry comply with EU data protection rules.

In 2019, the DPA received four complaints regarding the TCF’s GDPR compliance. Other organizations and individuals filed five similar complaints in Ireland, Poland and the Netherlands. As IAB Europe has its main establishment in Belgium, the DPA acted as the lead supervisory authority. The complaints alleged that the TCF did not comply with the GDPR principles of lawfulness, fairness, transparency, purpose limitation, storage limitation, security, and accountability. The DPA issued a draft decision in cooperation with the other European supervisory authorities concerned, which became final on January 27, 2022.[2]

Key points to remember

1. The character strings used in the TCF to express user preferences constitute personal data.

While IAB Europe argued that it does not process any personal data under the TCF, the DPA considers the TC Strings used to express user preferences to constitute personal data. To support this view, the DPA referred to CJEU case law and noted that “as long as the information can be linked to an identified or reasonably identifiable natural person, it should be considered personal data”. It acknowledged that the TC String alone may not allow direct identification of the user, given the limited metadata and values it contains. However, it held that the TC String can be combined with the user’s IP address, which is collected by CMPs, to single out an individual. The DPA considered it immaterial whether the information from which the data subject can be identified is held entirely by the same controller or partly by another entity (here the CMP), and that this information should therefore be regarded as personal data.

2. IAB Europe is a joint controller for the processing of user preferences, together with website publishers, CMPs and adtech vendors

The GDPR provides that a controller is the entity that determines the purposes and means of the processing. The DPA noted that it is “generally considered that the definition of the purposes of processing takes precedence over the definition of the means when it comes to establishing the responsibility of an organization”,[3] but found that IAB Europe in fact determines both. According to the DPA:

  • Purposes: IAB Europe has a decisive influence on the purposes of the processing activities carried out within the framework of the TCF because it defines the conditions of participation in the TCF (for example via the TCF policy documents and technical specifications) and predetermines the list of possible processing purposes that participating organizations may pursue within the framework of the TCF.
  • Means: IAB Europe defines the means of processing when it specifies how participating organizations can generate, modify and read TC Strings, store the associated data and determine the potential recipients of that data.

Accordingly, the DPA concluded that IAB Europe is a controller for the processing of the TC String. According to the DPA, the fact that IAB Europe does not itself process the data is irrelevant.

Furthermore, the DPA found that IAB Europe is not the sole controller, but rather acts as a joint controller with the other organizations participating in the TCF (i.e. website publishers, CMPs and adtech vendors). The DPA considered that the decisions of the various participating organizations are complementary and that all of them have a tangible influence on the determination of the purposes and means of the processing.

According to the DPA, the decisions made by IAB Europe when drafting the TCF policies and technical specifications, on the one hand, and the purposes and means determined by the participating organizations when processing users’ personal data, on the other hand, should be regarded as converging decisions. It noted that user preferences are not collected and exchanged only for IAB Europe’s own purposes, but also to enable further processing by third parties (i.e. publishers and adtech vendors). According to the DPA, this means that the processing activities carried out by each party in the TCF are inseparable and indivisible (i.e. they would not be possible without the participation of all parties).

3. Legitimate interest is not a valid legal basis for advertising

The DPA concluded that IAB Europe had failed to establish a legal basis for the processing of user preferences in the form of a TC String, and that such processing was therefore unlawful.[4] In reaching this conclusion, the DPA distinguished between two processing activities: 1) the recording of users’ consent preferences in the TC String, and 2) the collection and dissemination of users’ personal data by participating organizations.

  1. Recording of user preferences. The DPA concluded that IAB Europe had no legal basis for processing user preferences in the form of a TC String: it had not collected valid consent and could not rely on contractual necessity or its legitimate interest for this processing activity (users’ interests and expectations have not been sufficiently taken into account under the TCF, and users have no way to object fully to the processing of the TC String).
  2. Collection and dissemination of the TC String under the OpenRTB protocol. The DPA found that none of the legal bases implemented by the TCF could lawfully be relied on by TCF participants. In particular, it concluded that the consent obtained from individuals through CMPs is not valid because it is not sufficiently informed, not sufficiently granular, and cannot be withdrawn. Referring to the EDPB guidelines, it concluded that (pre)contractual necessity is not a valid legal basis for behavioral advertising. It found that the legitimate interest of the organizations participating in the TCF is insufficient in this case, as the TCF does not provide enough information on the purposes of the processing activities and does not allow participating organizations to explain clearly to users the legitimate interests at stake. The DPA also found no safeguards ensuring that the personal data processed is limited to what is strictly necessary. Finally, given the large number of participating organizations receiving personal data, users cannot reasonably anticipate the scale of the processing triggered by this disclosure.

According to the DPA, IAB Europe also fails to comply with several other GDPR obligations, such as appointing a data protection officer, ensuring data security and maintaining a record of processing activities.

Conclusion

Since its launch, a significant number of organizations have implemented the TCF and rely on it to demonstrate compliance with the GDPR and the ePrivacy Directive. Website operators and all parties involved in the adtech ecosystem should consider reviewing their practices, as significant reform of the framework is expected to follow in the coming weeks. The DPA expects IAB Europe to submit an action plan within two months of the publication of the decision. Once the DPA has validated the action plan, IAB Europe must implement the compliance measures within six months. IAB Europe has indicated that it rejects the DPA’s findings and is considering its legal options. IAB Europe has also published a set of FAQs.[5] The decision can be appealed until March 3, 2022, and we expect an appeal to be filed.

Wilson Sonsini Goodrich & Rosati regularly advises clients on GDPR compliance issues and helps clients manage risks associated with the application of global and European data protection laws. For more information, please contact Cedric Burton, Jan Dhont, Laura De Boel, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and cybersecurity practice.


[1] See https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-21-2022-francais.pdf.

[2] See https://www.dataprotectionauthority.be/belgian-dpa-sends-its-draft-decision-in-the-iab-europe-case-to-european-counterparts.

[3] Paragraph 331 of the decision.

[4] Within the meaning of Article 6 of the GDPR.

[5] https://iabeurope.eu/wp-content/uploads/2022/02/APD-Decision-FAQ-v1.pdf.

About Charles D. Goolsby
