
Consent strings at the end of their rope?

The Belgian data protection authority has found that IAB Europe's Transparency and Consent Framework (TCF) does not comply with the GDPR, in a decision which will have significant ramifications for the adtech industry.

Whilst the fine issued to IAB Europe (250,000 euros) is relatively modest in GDPR terms, the Belgian DPA's findings set a firm deadline for the IAB, and the wider adtech industry, to reform their practices. The decision also has implications more generally when it comes to issues of controllership, joint controllership and data identifiability.

The TCF, originally launched in 2018, allows for users' consent preferences to be collected and transmitted to participants in advertising transactions through the generation of a transparency and consent string (the "TC string"). The use of the TC string, and an organisation's participation in the framework, is also subject to a range of technical and policy requirements. Since its launch the TCF has been widely adopted, with many participants placing significant reliance on TCF as a means to demonstrate their own compliance with the GDPR.

At the heart of this case were two competing perceptions of the TCF.

From the IAB's perspective, the TCF is merely a technical and policy framework designed to allow organisations participating in RTB (e.g. publishers, advertisers, adtech vendors etc.) to comply with the GDPR's strict consent and transparency requirements. On this view, the TCF provides these participants with the tools they need to comply with the law, and it is ultimately up to each participant to take responsibility for how such tools are implemented.

From the perspective of the complainants (Johnny Ryan et al), the TCF is a system which enables the collection, storage and dissemination of personal data on a massive scale without users having a sufficient degree of knowledge or control. On this view, rather than being a framework designed to promote good practices, the TCF was merely a means of promoting the widespread use of the IAB's own "Open RTB" protocol for programmatic advertising.

The Belgian DPA (supported by other EU DPAs through the one stop shop consistency mechanism) has seemingly preferred the complainants' view. This represents a significant shift in regulatory approach to TCF, given the lack of any such previous finding, and the level of engagement and consultation between EU DPAs and IAB Europe in the development and evolution of TCF to date.

The DPA's key findings were:

1. The combination of the TC string with a user's IP address was sufficient to make the data subject indirectly identifiable, and therefore the collection and sharing of user preferences through the TC string did amount to the processing of personal data. This finding reaffirms the EDPB's position that the ability to "single out" an individual for the purpose of making decisions affecting them was sufficient to make them identifiable, even in the absence of a direct "real-world" identifier.

2. IAB Europe is a controller of personal data collected and distributed through TCF, even though it does not itself collect and store the personal data. By enabling the generation of the TC string, and by setting the policies for how consents could be obtained and disseminated, IAB Europe was exerting control over the purposes and essential means of the processing. This is likely to be a controversial view, as it relies on a very expansive view of controllership. Indeed, IAB Europe made the point in submissions that this view could result in any umbrella organisation producing a code of conduct being found to have had such a degree of influence on the implementation of that code as to render them a controller.

3. IAB Europe will be a joint controller with publishers, vendors and CMPs. This will necessitate additional contractual arrangements between these parties, and also undermines the view that any such participants are merely acting as processors in relation to the data shared through TCF.

4. There is no lawful basis for the processing undertaken through TCF, and therefore the legal grounds offered by the TCF for the subsequent processing by adtech vendors are inadequate. Users are not given any choice about the generation of the TC string itself, and therefore there is no valid consent for its generation. In addition, the DPA found that the balancing exercise for the use of legitimate interests does not lie in favour of this processing.

5. Users were also not given sufficient information about the operation of TCF to meet the GDPR's transparency requirements.

6. There were a range of other GDPR accountability failures (e.g. a failure to appoint a DPO or have a record of processing).

The Belgian DPA has given IAB Europe two months to produce an action plan for bringing TCF into compliance, and therefore significant reforms to the framework are likely to follow in the coming weeks. IAB Europe has indicated it is also considering its legal options, and so an appeal is certainly very possible.

In the meantime, the position for publishers and adtech vendors who place reliance on TCF to demonstrate their own compliance is now uncertain. However, initially it is likely most organisations will wait to see if IAB Europe can produce a revised framework which meets the regulators' concerns, before taking further action.

Belgian DPA fines IAB Europe 250K euros over consent framework GDPR violations
