It’s not exactly a surprise, but it’s certainly not trivial. The Belgian data protection authority issued its decision on the IAB Europe Transparency and Consent Framework (TCF) yesterday: it considers that it does not comply with the GDPR.
The Belgian authority, in agreement with the other European data protection authorities, therefore asks the IAB to comply with the GDPR and to review its copy within six months in order to propose a new compliant version. of its framework.
In its judgment, the Belgian authority asks IAB Europe to take a series of specific measures aimed at bringing the device into compliance, and attaches a fine of 250,000 euros.
Harmonize the rules
The Transparency and Consent Framework is a series of guidelines issued by IAB Europe, an organization that brings together the main online advertisers, aimed at harmonizing the collection and information of Internet users’ consent for online advertising.
This standard is used in particular by many publishers and advertisers in order to offer so-called “Real Time Bidding” (RTB) advertising mechanisms. This technology allows a publisher to offer targeted advertising placements at auction to different advertisers, based on data collected on Internet users during their visit.
OpenRTB is one of the most used protocols by the advertising industry to perform this type of operation. TCF proposes to harmonize the way in which the data collected by the publishers are formatted in order to be able to offer them within the framework of the OpenRTB protocol, in particular through a character string called “TC String”.
A prepared defeat
For the Belgian authority, TCF suffers from several shortcomings with regard to the GDPR: the authority thus indicates that the IAB Europe was unable to “determine a legal basis for the processing of the TC String”.
The authority also considers that the mechanism does not provide sufficient information to users about the nature and scope of the processing of their personal data, that the device lacks technical and organizational measures aimed at guaranteeing the security and protection of data and finally that the IAB Europe has not complied with the obligations imposed on it by the GDPR on this type of device as data controller, namely to appoint a data protection officer and carry out an impact analysis relating to the protection of data.
This is not exactly a surprise for IAB Europe: as noted by L’Usine Digitale, the organization had already taken the lead in 2021 by announcing in a press release that it expected an unfavorable decision from the Belgian authority in this file, and that its teams were working to prepare a new framework for the TCF guidelines and to comply with the requirements of the authority.
In a new press release, published following the final decision, the IAB Europe takes due note of the decision and announces that the work aimed at bringing the device into compliance will be put in place. The organization is considering the possibility of possibly appealing the decision of the Belgian authority.