The framework put in place by European advertisers to comply with the provisions of the GDPR is ultimately not compliant. This is what the Belgian “Cnil” has just decided, supported by European regulators.
IAB Europe is a highly influential group of players in the online advertising and marketing market. He has just been fined by the Belgian Data Protection Authority (DPA) with the support of the other European CNILs, ordered to pay €250,000 for non-compliance with the General Data Protection Regulation ( GDPR). It’s funny, insofar as the component judged to be non-compliant, namely the Transparency and Consent Framework of IAB Europe, shortened to TCF, was designed to offer a transparent and fixed framework for the processing of personal data in connection with advertising tracking, in strict compliance with the terms of the GDPR. However, according to data regulators in Europe, this GDPR compliance tool actually violates its foundations.
Many Violations
The violations in question are manifold. First, the APD finds that user information is not sufficient. They are asked to give their consent for the processing of their data and the use of tracking cookies, but “the vast majority do not know that profiles are sold and circulate every day on advertising marketplaces to display targeted ads to them”. Also, even if the TCF is supposed to preserve the legitimate interest of Internet users, nothing proves that the rights and freedoms of the latter are really preserved. The example of browsing tracking is cited by the APD, which explains that tracking an Internet user can reveal sensitive and personal information about each of us. Knowing which site a visitor is coming from or which URL they are going to can be enough to deduce their gender, sexual orientation, religious beliefs, political opinions or state of health, among other things.
That’s not all. The authority believes that Internet users lack the tools to control the processing of their data, which should be much more transparent, including over time (as long as it can legally be kept). Also, technically, to date there is no device guaranteeing inviolably that the consents given by Internet users are indeed valid. In other words, that it is the visitors who have clicked in a free and informed way to accept the processing of their data. This is an important point which undermines the overall system devised by the industry to adapt to the provisions of the GDPR. Finally, the ADP regrets that no study of the impact of the mass exploitation of data has been carried out and that IAB Europe does not even have a referent delegate for all questions related to data protection.
A compliance action plan
Of course, the sum of €250,000 demanded by the Belgian Cnil may seem insignificant compared to the immense financial windfall of the targeted advertising market in Europe. Fortunately, this fine is accompanied by compliance measures: an action plan must be validated by the ADP and be implemented within six months. A fine of 5,000 euros per day of delay is provided for. In particular, this provides for the erasure of all data improperly collected by IAB Europe member companies (Google, Facebook, Microsoft and many others) and the prohibition for them to activate a “default” consent system. , in addition to the creation of a register, the designation of a delegate and the holding of an impact study (which are three measures yet imposed by the GDPR).
IAB France reacts to this decision and adopts a reassuring attitude towards its members. “We are pleased to see that the latter does not include any prohibition of the TCF and considers that the infringements alleged against IAB Europe can be corrected quickly”says the organization.
“The decision published this morning does not call into question the validity of the TCF, but sanctions the IAB Europe in particular for not having been able to establish a legal basis for the processing of “TC Strings” (digital signals allowing the storage and the propagation of user choices concerning the use of their personal data for purposes related to advertising, content and audience measurement). (…) If we do not share the analysis made by the APD in this area, we will continue to work together with the IAB Europe in order to come up with an action plan to respond to the violations raised. in the decision. We would also like to resume discussions with the Cnil, interrupted due to the procedure, regarding the approval of the TCF as a transnational code of conduct”adds the organization.