Reed Smith In-depth

The start of February brought with it the publication of a potentially explosive decision (Decision) from the Belgian data protection authority (APD) concerning the Interactive Advertising Bureau Europe’s (IAB Europe) Transparency and Consent Framework (TCF). The Decision is significant because of its implications for a wide range of entities, from websites and publishers, to adtech vendors and the IAB itself, and also for users who interact with consent management platforms (CMPs) in their daily lives.

Autores: Elle Todd Tom Gates

power of big data. binary code information bit on computer monitor screen display

Unfortunately, the complex issues and lengthy judgment may have left some companies wanting to do the right thing in terms of compliance but still unclear what is actually required of them. The Decision has also been misunderstood in some commentaries, so, in this article, we look in detail at and walk through what it does (and does not) say and mean.

So, what actually is the TCF?

The TCF, which launched in 2018 with a revised version in 2019 (TCF v2.0), facilitates the processing of personal data and management of users’ preferences for (among other things) online personalised advertising – including the collection of consent, legitimate interests opt outs and preferences for the sharing of personal data with adtech vendors. It is a voluntary framework which has created a standard that aims to achieve compliance with UK and EU privacy rules, primarily through the use of CMPs. Users visiting a website or using an app in the UK and EU (and sometimes elsewhere) regularly see a CMP appear upon their first visit, giving them the option to consent to or reject the collection and sharing of their personal data for (in the most part) targeted advertising purposes. Some CMPs have been approved by the IAB as being TCF compliant – this requires the CMP to employ certain standard language, overlays and processing purposes pre-determined by the IAB.

A TCF compliant CMP will capture user preferences, and tell visitors what personal data is being collected from them and how it will be used, with those preferences then being stored in a string of letters, numbers and other characters known as a ‘TC String’. The TC String is then shared with participating organisations, such as demand and sell/supply platforms, advertising networks and data management platforms, and those vendors in the adtech chain then read that user’s TC String to determine whether they have the necessary legal basis to process personal data for the specified purposes, such as retargeting or profiling.

The TCF also, crucially, aims to provide accountability and transparency to the OpenRTB protocol, which is a widely used but separate protocol to facilitate the real time bidding (RTB) process, an area of advertising which has been the subject of particular scrutiny by regulators in recent years.

What were the complaints behind the Decision?

A series of complaints were filed from commercial and civil society organisations across the UK and Europe in 2018 and 2019, most notably, that of Dr Johnny Ryan, formerly the chief policy and industry relations officer at Brave. These complaints targeted the TCF and challenged its conformity with the GDPR. In particular, the complainants argued that consent requests sought by publishers’ CMPs through the TCF were not compliant or transparent, and, focusing on RTB in general, that a system of high velocity personal data trading is inherently incompatible with the data security requirements imposed by EU law.

After various procedural issues, an investigation was carried out by the Inspection Service of the APD with a preliminary report issued in October 2020, which found that the TCF framework was not fit for purpose and failed GDPR standards. The Litigation Chamber (the administrative dispute resolution body of the APD) has now consolidated its findings and, in agreement with the 27 EU member states, has released the Decision.