IAB Europe’s Transparency and Consent Framework Breaches GDPR
February 3, 2022
The Belgian Data Protection Authority’s decision this week found that the Interactive Advertising Bureau (IAB) Europe’s Transparency and Consent Framework (TCF) and OpenRTB real-time bidding system violate the GDPR. This finding is based on several key determinations: (i) IAB Europe is a data controller under the GDPR, (ii) the consent strings (TC Strings) generated in the TCF constitute personal data, and (iii) browsing history may include special categories of personal data. Since the TCF is widely used in behavioral advertising, this ruling calls the entire structure of the surveillance advertising system into question.
One of the key problems with the TCF was the legal basis identified for processing personal data. IAB Europe took the position that the legitimate interest of a participating organization constituted a legal basis for processing. However, the decision found that the fundamental rights and freedoms of data subjects outweighed those interests. Further, because the processing could include special categories of personal data, legitimate interest was not an acceptable processing basis for those practices.
The ruling, €250,000 fine, and subsequent order that IAB Europe delete all data collected through TCF are a massive blow to the surveillance advertising industry and will certainly face strong pushback. However, in the wake of increased challenges to surveillance advertising – including ongoing debate in the Digital Services Act and the FTC’s recent call for comments regarding surveillance advertising, to which EPIC submitted feedback – this decision is a decisive step away from invasive ad models.