IAB Europe’s Transparency and Consent Framework Breaches GDPR

The Belgian Data Protection Authority’s decision this week found that IAB (the Interactive Advertising Bureau) Europe’s Transparency and Consent Framework (TCF) and OpenRTB real time bidding system violate the GDPR. This finding is based on several key determinations: (i) IAB Europe is a data controller under the GDPR, (ii) the consent strings (TC Strings) generated in the TCF constitute personal data, and (iii) browsing history may include special categories of personal data. Since the TCF is widely used in behavioral advertising, this ruling calls the entire structure of the surveillance advertising system into question.

One of the key problems with the TCF was the identified basis for processing personal data. IAB Europe took the position that the legitimate interest of a participating organization constituted legal basis for processing. However, the decision found that fundamental rights and freedoms of data subjects outweighed those interests. Further, because the processing could include special categories of personal data, legitimate interest was not an acceptable processing basis for those practices.

Another issue is lack of transparency. The IAB Europe Privacy Policy is available only in English, rather than the languages of the many data subjects based in Europe. The Policy also failed to name the specific legitimate interests serving as the processing basis, did not make clear who would be receiving personal data, did not provide information on data protections in international data transfers, and failed to clarify when and where data subjects must provide their personal data.

The ruling, €250,000 fine, and subsequent order that IAB Europe delete all data collected through TCF are a massive blow to the surveillance advertising industry and will certainly face strong pushback. However, in the wake of increased challenges to surveillance advertising – including ongoing debate in the Digital Services Act and the FTC’s recent call for comments regarding surveillance advertising, to which EPIC submitted feedback – this decision is a decisive step away from invasive ad models.