Privacy Framework Revoked! TCF v2.0 Upended in DPA Ruling

Following a lengthy investigation, the Belgium Data Protection Authority (DPA) has found Interactive Advertising Bureau Europe’s Transparency and Consent Framework (TCF v2.0) unlawful under Europe’s General Data Protection Regulation (GDPR).

This decision will impact many major companies who rely on digital advertising as well as the marketing industry across Europe, especially in the real-time bidding space, which has seen widespread adoption in recent years.

Some Background on the Case

The IAB Europe Transparency and Consent Framework (TCF) v1.1 was launched in April 2018 around the same time GDPR became enforced. IAB Europe touted the framework as “the only GDPR consent solution built by the industry for the industry, creating a true industry-standard approach.” In essence, the IAB Europe members—marketers and publishers in the digital advertising industry—established the TCF to “help all parties in the digital advertising chain ensure that they comply with EU’s GDPR an ePrivacy Directive” and also continue to do personalized advertising.

Organizations could join the TCF (for an annual fee) as a vendor, a CMP, or a publisher and be included in a registered list of GDPR-compliant operators. IAB Europe launched TCF v2.0 in August of 2019.

The Irish Council of Civil Liberties and others filed the initial complaint against TCF v2.0, for which case reads began in 2019, because they believed the framework was not compliant with GDPR provisions related to large-scale processing of personal data.

Specifically, the filers questioned the principles of “legality, appropriateness, transparency, purpose limitation, storage restriction and security” of the framework. TCF did not require users’ explicit consent; however, the signals TCF employed were classified as “personal data,” argued the complaint filers, so the framework should require users’ explicit consent.

The Belgium DPA’s Ruling

Now, the Belgium DPA has ultimately agreed. In the 127 page English translation of their findings, the DPA found IAB Europe in non-compliance with 15 articles of European law. They also found that IAB Europe, which had been operating as a “controller” under GDPR, did not meet any of the requirements for being a controller. IAB Europe contests this point in their reply to the findings; nevertheless, the Belgium DPA has issued a number of sanctions as a result.

IAB Europe is ordered to:

• Provide a legal basis for processing and dissemination of personal data within the context of the TCF.
• Modify Terms of Use of TCF to prohibit the reliance of legitimate interests of a legal ground for processing of personal data.
• Ensure Technical and Organizational monitoring measures to guarantee the integrity and confidentiality of the TC string.
• Maintain a strict audit of organizations that join the TCF to ensure they meet requirements of GDPR.
• Deploy Technical and Organizational measures to prohibit consent being pre-selected in various CMPs.
• Force all CMPs to adopt uniform and GDPR-Compliant methods to information they submit to users.
• Update the current records of processing activities, by including the processing of personal data, in accordance with Article 30 of the GDPR.
• Carry out a data protection impact assessment (DPIA) with regard to processing activities under the TCF and their impact on processing activities carried out under the Open Real Time Bidding (OpenRTB) system.
• Appoint a Data Protection Officer.

IAB Europe must submit an action plan within 2 months, and after approval execute that plan with-in six months or face a 5000 Euro per day fine will be charged for failure to meet that timeline.

IAB Europe is also subject to a 250,000 Euro administrative fine.

IAB Europe has 30 days to appeal, and has issued a formal public response on their website.

What does the ruling on this case mean for marketers?

The news is grim for those who have been reliant on the TCF for advertising in Europe. This involves many of the big service players in European digital marketing, including Google Advertising, Amazon Advertising, Yahoo EMEA Limited, Adobe Advertising Cloud, Adobe Audience Manager, and Adobe Experience Platform, to name a few. If a company has been using these services, they’re likely going to be affected. In the short-term, this will mean that data is required to be deleted, which will affect targeting and reach.

IAB Europe has been ordered to delete without delay any data collected so far by means of a TC String in the context of globally scoped consents. So, any of the affected data, upon compliance with this order, will be removed from various systems and unavailable for further processing and targeting. Since data has been collected since May 2018, this could ultimately affect data collected and processed over the past four years.

IAB Europe must make changes to their Terms of Use that will prevent members of the TCF framework from claiming a basis of legitimate interest in serving advertisements. In other words, sites that previously used TCF believed they didn’t have to prompt for consent before they used personal data for advertising. The DPA ruled this isn’t the case: TCF isn’t enough to protect users, and TCF-reliant brands will now have to prompt for consent prior to serving programmatic ads.

Further more, for sites that have been reliant on having consent automatically enabled on the grounds of legitimate interest, that can no longer continue. Users must now have a choice to explicitly opt into the TCF identification system. This means that by denying consent, advertisements will become contextual, as cross-domain identification and targeting will be negatively impacted.  

What Should You Do?

Based on the impacts of this case, we make the following recommendations for advertisers leveraging the TCF for targeting and delivery of advertisements in the EMEA:

1. Brands advertising in Europe should prepare for a reduction in targeting data and reach as a result of the decision.
2. Depending on a company’s planned investment in the OpenRTB programmatic ad-buying system, you may need to reevaluate and restate your yearly goals. You should reevaluate your marketing tactics in light of the impact to the OpenRTB platform.
3. If your brand operates sites targeting EU residents for sales or service (defined via GDPR Article 3), we recommend that you conduct a legal review of site privacy policies.  Brands will want to ensure they are not claiming legitimate interest for ad delivery, as you will be forbidden from doing so by the changing of TCF Terms of Use.
4. We recommend that a review of Consent Management platform settings and Tag Manager settings take place in light of this decision.   Brands will want to ensure that consent settings and tags are defaulted to off, as by not being allowed to claim legitimate interest the user must explicitly opt-in to sharing data for advertising based around the TCF system.

How Further can help

We are following US and global privacy matters to a degree that makes most people just want to cozy down with a cat and take a snooze. Here’s how we can help your company:

• Continue to follow our blog to stay up to date
• Get a review of your consent management platform settings and tag manager settings
• Reach out in the form to talk to our experts
• Get an assessment of your site to see how privacy changes are affecting your compliance and performance