Unfortunately, the complex issues and lengthy judgment may have left some companies wanting to do the right thing in terms of compliance but still unclear what is actually required of them. The Decision has also been misunderstood in some commentaries, so, in this article, we walk through in detail what it does (and does not) say and mean.
So, what actually is the TCF?
The TCF, which launched in 2018 with a revised version in 2019 (TCF v2.0), facilitates the processing of personal data and the management of users’ preferences for (among other things) online personalised advertising – including the collection of consent, legitimate-interests opt-outs and preferences for the sharing of personal data with adtech vendors. It is a voluntary framework which has created a standard that aims to achieve compliance with UK and EU privacy rules, primarily through the use of CMPs. Users visiting a website or using an app in the UK and EU (and sometimes elsewhere) regularly see a CMP appear upon their first visit, giving them the option to consent to or reject the collection and sharing of their personal data for (for the most part) targeted advertising purposes. Some CMPs have been approved by the IAB as being TCF compliant – this requires the CMP to employ certain standard language, overlays and processing purposes pre-determined by the IAB.
A TCF compliant CMP will capture user preferences, and tell visitors what personal data is being collected from them and how it will be used, with those preferences then being stored in a string of letters, numbers and other characters known as a ‘TC String’. The TC String is then shared with participating organisations, such as demand-side and sell-side (supply-side) platforms, advertising networks and data management platforms, and those vendors in the adtech chain then read that user’s TC String to determine whether they have the necessary legal basis to process personal data for the specified purposes, such as retargeting or profiling.
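To make concrete what a TC String actually carries, the following is an added example (not code from the article, IAB Europe or any CMP vendor) of a minimal encoder and decoder for the core segment of a TCF v2 TC String, following the field widths IAB Europe publishes for the format: a 6-bit version, timestamps, the CMP id, 24-bit purpose bitfields, and then one bit per vendor. The sample values (CMP id 300, vendor ids 2, 5 and 40, the timestamps) are constructed placeholders, not real registrations, and `vendor_may_process` is a simplified illustration of the check a vendor runs against the string; a complete check would also consult publisher restrictions and the vendor’s declared purposes in the Global Vendor List.

```python
import base64

# Fixed-width header fields of the TC String core segment, in wire order,
# with bit widths as published in IAB Europe's TCF v2 specification.
CORE_HEADER = [
    ("version", 6), ("created", 36), ("last_updated", 36),
    ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
    ("consent_language", 12), ("vendor_list_version", 12),
    ("tcf_policy_version", 6), ("is_service_specific", 1),
    ("use_non_standard_stacks", 1), ("special_feature_opt_ins", 12),
    ("purposes_consent", 24), ("purposes_li_transparency", 24),
    ("purpose_one_treatment", 1), ("publisher_cc", 12),
]
LANG_FIELDS = ("consent_language", "publisher_cc")   # two 6-bit letters, A = 0
SET_FIELDS = ("special_feature_opt_ins", "purposes_consent",
              "purposes_li_transparency")            # 1-indexed bitfields

# Constructed sample values (not a real CMP's output): cmp_id 300 and
# vendor ids 2, 5 and 40 are placeholders, not real registrations.
SAMPLE_FIELDS = {
    "version": 2, "created": 16437600000, "last_updated": 16437600000,
    "cmp_id": 300, "cmp_version": 1, "consent_screen": 1,
    "consent_language": "EN", "vendor_list_version": 120,
    "tcf_policy_version": 2, "is_service_specific": 1,
    "use_non_standard_stacks": 0, "special_feature_opt_ins": {1},
    "purposes_consent": {1, 2, 3}, "purposes_li_transparency": {7, 9},
    "purpose_one_treatment": 0, "publisher_cc": "GB",
}
SAMPLE_VENDOR_CONSENT = {2, 5, 40}
SAMPLE_VENDOR_LI = {40}


def _ids_to_mask(ids, width):
    # Id 1 is the most significant (first) bit on the wire.
    mask = 0
    for i in ids:
        if not 1 <= i <= width:
            raise ValueError(f"id {i} outside 1..{width}")
        mask |= 1 << (width - i)
    return mask

def _mask_to_ids(mask, width):
    return {i for i in range(1, width + 1) if (mask >> (width - i)) & 1}

def _field_bits(value, width):
    if value >= 1 << width:
        raise ValueError(f"value {value} does not fit in {width} bits")
    return format(value, f"0{width}b")

def _vendor_section_bits(ids):
    # MaxVendorId(16) + IsRangeEncoding(1) = 0 + one bit per vendor id.
    max_id = max(ids, default=0)
    bits = _field_bits(max_id, 16) + "0"
    return bits + (_field_bits(_ids_to_mask(ids, max_id), max_id) if max_id else "")

def encode_core(fields, vendor_consent, vendor_li):
    """Serialise one core segment; returns the base64url TC String (no padding)."""
    bits = ""
    for name, width in CORE_HEADER:
        v = fields[name]
        if name in LANG_FIELDS:
            v = ((ord(v[0]) - 65) << 6) | (ord(v[1]) - 65)
        elif name in SET_FIELDS:
            v = _ids_to_mask(v, width)
        bits += _field_bits(v, width)
    bits += _vendor_section_bits(vendor_consent) + _vendor_section_bits(vendor_li)
    bits += _field_bits(0, 12)          # NumPubRestrictions = 0 in this sample
    bits += "0" * (-len(bits) % 8)      # byte-align before base64
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

class _BitReader:
    def __init__(self, bits):
        self.bits, self.pos = bits, 0
    def read(self, n):
        chunk = self.bits[self.pos:self.pos + n]
        if len(chunk) < n:
            raise ValueError("TC String core segment is truncated")
        self.pos += n
        return int(chunk, 2) if n else 0

def _read_vendor_section(r):
    max_id = r.read(16)
    if r.read(1) == 0:                  # bitfield encoding
        return _mask_to_ids(r.read(max_id), max_id)
    ids = set()                         # range encoding
    for _ in range(r.read(12)):
        is_range = r.read(1)
        start = r.read(16)
        end = r.read(16) if is_range else start
        ids.update(range(start, end + 1))
    return ids

def decode_core(tc_string):
    """Parse the core segment (text before the first '.') into a dict."""
    core = tc_string.split(".")[0]
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    r = _BitReader("".join(format(b, "08b") for b in raw))
    out = {}
    for name, width in CORE_HEADER:
        v = r.read(width)
        if name in LANG_FIELDS:
            v = chr((v >> 6) + 65) + chr((v & 63) + 65)
        elif name in SET_FIELDS:
            v = _mask_to_ids(v, width)
        out[name] = v
    out["vendor_consent"] = _read_vendor_section(r)
    out["vendor_li"] = _read_vendor_section(r)
    return out

def vendor_may_process(decoded, vendor_id, purpose_id):
    """Simplified vendor-side check: the purpose and the vendor both have consent.
    Ignores publisher restrictions and the Global Vendor List declarations."""
    return (purpose_id in decoded["purposes_consent"]
            and vendor_id in decoded["vendor_consent"])
```

Two things the decoder makes visible. First, the string is a dense bitfield that is only meaningful against the vendor list version it names, which is part of why the transparency of what a user has agreed to is hard to convey. Second, nothing in the core segment authenticates it: there is no signature or integrity field, so a vendor reading the string cannot tell from the string alone that the publisher’s CMP actually collected the consent it records. That is the integrity concern the article discusses later under IAB Europe’s controller obligations.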
The TCF also, crucially, aims to provide accountability and transparency to the OpenRTB protocol, which is a widely used but separate protocol to facilitate the real time bidding (RTB) process, an area of advertising which has been the subject of particular scrutiny by regulators in recent years.
What were the complaints behind the Decision?
A series of complaints were filed from commercial and civil society organisations across the UK and Europe in 2018 and 2019, most notably, that of Dr Johnny Ryan, formerly the chief policy and industry relations officer at Brave. These complaints targeted the TCF and challenged its conformity with the GDPR. In particular, the complainants argued that consent requests sought by publishers’ CMPs through the TCF were not compliant or transparent, and, focusing on RTB in general, that a system of high velocity personal data trading is inherently incompatible with the data security requirements imposed by EU law.
After various procedural issues, an investigation was carried out by the Inspection Service of the APD with a preliminary report issued in October 2020, which found that the TCF framework was not fit for purpose and failed GDPR standards. The Litigation Chamber (the administrative dispute resolution body of the APD) has now consolidated its findings and, in agreement with the 27 EU member states, has released the Decision.
What are the key takeaway points of the Decision?
The APD found that the TCF commits multiple violations of the GDPR, and also handed down comments on the RTB process to the extent the TCF is involved. Specifically:
- TC Strings do contain personal data, and the processing of the personal data within a TC String is unlawful
The Litigation Chamber found that the TC String itself constitutes personal data, and that there is no lawful basis in place for processing such personal data. It also held that the TC String breached the GDPR principles of transparency and of integrity and confidentiality of data.
IAB Europe’s sensible argument in respect of the TC String was that it does not contain (and therefore does not process) personal data, so there was no need for a lawful basis or compliance with transparency and other requirements. The APD disagreed and said there should either be consent to the collection of personal data within the TC String or it may be possible to rely on legitimate interests, but this was not currently possible because there was no way for an individual to object and the balancing test component in a legitimate interests assessment would not be met. The APD stated that it was “remarkable that no option is offered to users to completely oppose the processing of their preferences in the context of the TCF”. In practice, this does at least present a possible fix for the TCF and no suggestion was made in the Decision that it was impossible to comply in this regard.
On the other hand, the Decision found that the TC String itself (carefully reserving judgment on the OpenRTB protocol, which the Litigation Chamber accepted was not the subject of its Decision, being linked but separate) does not violate the GDPR principles of purpose limitation and data minimisation or storage limitation, nor did it find any violation in respect of data subject rights. Also, significantly, it found no breach of article 9 GDPR – i.e., the need to identify a specific condition for the processing of special category data, which had been a key point of the complainants. It was the opinion of the Litigation Chamber that it was not possible to store special category data within a TC String, and therefore no article 9 condition for processing was required.
- There is no legal basis for or due transparency in the processing of personal data via a TCF approved CMP in the context of the OpenRTB protocol
The Decision held that the consent currently obtained through the TCF (to process personal data in the context of delivering targeted advertising via OpenRTB, rather than the personal data within the TC String, dealt with above) is not valid for further data processing operations within OpenRTB when facilitated by a TCF CMP. Rather unsurprisingly given other recent investigations and guidance, the Litigation Chamber also confirmed that contractual necessity and/or legitimate interests would not be appropriate as an alternative lawful basis to consent.
Consent failed on various grounds: there was a lack of clarity for users as to what their personal data was actually used for; consent cannot easily be withdrawn and withdrawal is never immediate, and there is no way of guaranteeing that a withdrawal of consent is effectively communicated to the parties currently relying upon it; and, given that a large number of adtech vendors receive and process personal data for the purposes of RTB, this was incompatible with the condition of informed consent and with the broader transparency principles set out in the GDPR. This will be a hard part of the TCF to fix and raises the question of how many adtech vendors are too many, and what a compliant CMP would actually look like. It is already incredibly challenging to build anything which gives plenty of information about uses and purposes but is still easy enough for a user to understand.
It is really important to note here that this part of the Decision is focused on the collection and dissemination of personal data in the context of RTB. It does not state, as some commentaries have implied, that any or all use of legitimate interests and consent in any CMP is unlawful. In particular, since the Decision is focused on targeted advertising and profiling, no comments were made with regard to other activities that can take place via the TCF, such as audience measurement and analytics. However, some of the comments about how balancing tests should be applied and the level of information that should be provided will be useful commentary to help improve compliance generally.
- IAB Europe itself is responsible for complying with GDPR
As a consequence of the Decision’s finding that a TC String contains personal data, IAB Europe was held to be a data controller. Accordingly, it is responsible for complying with the GDPR, including obligations relating to transparency, privacy by design and default, data protection impact assessments, records of processing, the appointment of a data protection officer, international transfers and technical and organisational measures, which, the Litigation Chamber held, meant IAB Europe was required to ensure that vendors making use of the TCF comply with IAB Europe’s policies, and to actively monitor such compliance. The issue around the potential for ‘false consents’ was also raised, as was the lack of any process in place to monitor the integrity of TC Strings (i.e., whether publishers were fraudulently altering their contents to indicate that consent had been given). Rather starkly, the Litigation Chamber “note[d] for the records, that it is uncertain whether, in view of its current architecture and support of the OpenRTB protocol, the TCF can be reconciled with the GDPR”.
- Where the TCF is involved, some of the parties in the RTB chain are joint controllers
Joint data controllership can arise in situations where two or more controllers do not make a common decision as to the purpose and means of data processing, but take different yet converging decisions regarding the same. The Litigation Chamber found that IAB Europe, together with other participating organisations relying on the preferences within a TC String, should be considered as the joint controller of the personal data within that TC String. This means IAB approved CMPs, the publisher of the website or app, and IAB Europe are all considered to jointly control the personal data within the TC String. This applies to the extent that such parties comply with TCF policies – otherwise there is an argument they are acting more independently and unlikely to meet the threshold for joint controllership.
We have begun to see joint controllership increasingly found in adtech processing scenarios in the last year so this may come as little surprise to many. Again, however, it raises real practical questions since publishers in particular may find that in practice they have little control over the contracts, information and options available for deployment of a CMP on their website or app.
- IAB Europe has been fined and must make fundamental changes to TCF
IAB Europe has been issued with a fine of €250,000 and is required to present an action plan within two months of the date of the Decision (2 February 2022) to fix the above-mentioned issues. It then has a further six months to deliver on the action plan approved by the APD, failure in relation to which will result in daily fines of €5,000. This is obviously a big challenge in terms of budget, resource and time constraints.
What should publishers and adtech vendors do now?
It is important to remember three key factors which limit the scope of this Decision:
- It relates to compliance with the EU GDPR. This decision does not specifically cover the UK GDPR (although in practice, of course, the principles are the same). A U.S. website or vendor will only be impacted legally by this decision where it is already subject to the GDPR by virtue of the GDPR’s extra-territorial provisions, although we may see changes made to the TCF in Europe translate through to CMP changes elsewhere.
- It is a decision on specific complaints raised by the complainants against IAB Europe. This is the decision of the Litigation Chamber of a data protection regulator looking at the specific points presented to it and deciding on those specific points. It is a legal decision rather than a code of practice or guidance document, which we are more accustomed to seeing from regulators on this topic. In particular, the Decision repeatedly notes that it is focused on the TCF only and its facilitation of OpenRTB, and that OpenRTB itself is a separate and distinct protocol. The Decision and the fine imposed are directed at IAB Europe, not at publishers or adtech vendors in general, although of course they will be caught in the crossfire, as we discuss in more detail below.
- It doesn’t automatically grind the TCF to a halt (yet!). The Decision held in no uncertain terms that there are inherent problems with the consents collected within TCF approved CMPs for RTB and with the transparency information provided within those CMPs. It also states that certain data processing is therefore unlawful and that it expects such data to be deleted. However, it does not order all parties to do this immediately. Remember, the Decision is focused on IAB Europe itself and gives it a period of time to fix the issues. As regards publishers and others being joint controllers, the Decision implies, rather than directly stating, that other stakeholders will also need to go on the journey of re-working the TCF.
For publishers and adtech vendors, therefore, this is likely to be a case of an uncomfortable wait and see. The Decision does not immediately prohibit the TCF or state that it must be immediately withdrawn, and with IAB Europe being given a clear remediation period, it would perhaps be unreasonable for further regulatory action to be taken in the meantime (although we may see an increase in consumer complaints), and there is still the chance of an appeal. A further issue is that, whilst this Decision relates to the TCF, many of the issues raised apply in a similar vein to other CMPs and TCF equivalents. Pending the required action plan, and particularly for publishers, we suggest some potential steps for consideration:
- Review where legitimate interests are relied on in your CMP. The Decision confirms it can’t be relied on for RTB, but any other areas should be assessed clearly and a proper legitimate interests assessment completed for accountability purposes.
- Consider reducing the number of vendors listed in the CMP to increase the likelihood that a valid consent can be collected for processing. Also consider whether supplemental information can be provided to users about the purposes of processing, such as within your privacy notice.
- Speak to your CMP provider, who will be digesting this Decision, to assess the changes required to the CMP as a result. CMPs should be considering the removal of legitimate interests as a lawful basis for processing data for the purposes of targeted advertising and putting in place measures to allow for consent in order to meet GDPR standards. It may be the case that CMPs and other parties will wait for the publication of IAB Europe’s action plan prior to taking immediate action.
- Keep strategising for advertising revenues beyond RTB. RTB has been under attack ever since GDPR came into force over three years ago so in many ways it may not be a surprise that the blows keep coming. It simply may not be possible for the TCF (or indeed any CMP or alternative framework) to reconcile compliance in this area quickly. Regulators and privacy practitioners have been warning for some time that alternative adtech solutions need to be considered. Now is definitely the time.
We expect to see much more on this in the coming months, from IAB Europe, CMPs and regulators alike, so we will be sending further updates in due course.
In-depth 2022-035