The Belgian DPA found that the Transparency and Consent Framework (TCF) developed by IAB Europe fails to comply with a number of provisions of the GDPR.
Background
The Belgian DPA received complaints in 2019 about the TCF's reliance on the OpenRTB protocol. OpenRTB underpins real-time bidding: user profiles are used automatically within online auctions so that personalized, relevant ads can be displayed when advertising inventory is bought and sold. Under the TCF, the preferences collected from the user are encoded and stored in a "TC string", which is shared with partner organizations in the OpenRTB ecosystem; the string is kept in a cookie placed on the user's device and can be linked to the user's IP address.
Decision
The DPA ruled that IAB Europe had:
- failed to establish a legal basis for the processing of the TC String, and offered inadequate legal grounds in the TCF for the subsequent processing by ad tech vendors;
- failed to provide transparent information to users;
- failed to meet the data protection principles "by design" and "by default";
- failed to keep a register of processing activities.
The BE DPA imposed a €250,000 fine on the company and gave IAB Europe two months to present an action plan to bring its activities into compliance.
What is the TCF?
The TCF is an industry mechanism that conveys consent signals into the open ad exchange bid stream, collecting them through consent pop-ups (CMP interfaces) on websites. It is a widespread mechanism for managing users' preferences for online personalized advertising, and it plays a pivotal role in so-called Real-Time Bidding (RTB).
The DPA’s findings
The BE DPA identified a series of GDPR infringements by IAB Europe:
Lawfulness: IAB Europe failed to establish a legal basis for the processing of the TC String, and the legal grounds offered by the TCF for the subsequent processing by ad tech vendors are inadequate;
Transparency and information of the users: the information provided to users through the CMP interface is too generic and vague to allow users to understand the nature and scope of the processing, especially given the complexity of the TCF. It is therefore difficult for users to maintain control over their personal data;
Accountability, security, and data protection by design/by default: in the absence of organizational and technical measures in line with the principle of data protection by design and by default, including measures to ensure the effective exercise of data subject rights and to monitor the validity and integrity of the users' choices, the conformity of the TCF with the GDPR is neither adequately warranted nor demonstrated;
A controller’s obligations on processing personal data on a large scale: IAB Europe has failed to keep a register of processing activities, to appoint a DPO, and to conduct a “DPIA” (data protection impact assessment).
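The TC string described in the Background section, and the "validity and integrity of the users' choices" point in the findings above, are easier to appreciate with the format in hand. The following is an added example written for this page, not code from IAB Europe or from the decision: a minimal encoder/decoder for the core segment of a TCF v2 TC string, with the bit layout taken from the public TCF v2 specification as recalled here (treat the exact field widths as an assumption), vendor sections limited to bitfield encoding, and all sample field values constructed. The `rewrite_purposes` helper shows the property that matters for integrity: the string is a plain base64url-encoded bitfield with no signature, so any party that holds it can re-encode different choices and the result is indistinguishable from the original.

```python
import base64
import time

# Core-segment layout (field, bit width) following the public TCF v2 spec as
# recalled by the editor; the exact layout is an assumption of this example.
CORE_FIELDS = (
    ("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
    ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
    ("vendor_list_version", 12), ("tcf_policy_version", 6),
    ("is_service_specific", 1), ("use_non_standard_stacks", 1),
    ("special_feature_opt_ins", 12), ("purposes_consent", 24),
    ("purposes_li_transparency", 24), ("purpose_one_treatment", 1),
    ("publisher_cc", 12),
)
LETTER_FIELDS = {"consent_language", "publisher_cc"}          # two 6-bit letters
SET_FIELDS = {"special_feature_opt_ins", "purposes_consent",
              "purposes_li_transparency"}                     # one bit per id


def _letters_to_bits(s):
    return "".join(format(ord(c) - ord("A"), "06b") for c in s.upper())


def _bits_to_letters(bits):
    return "".join(chr(int(bits[i:i + 6], 2) + ord("A")) for i in range(0, len(bits), 6))


def _set_to_bits(ids, width):
    # bit i (counting from 1, most significant first) is 1 iff id i is present
    return "".join("1" if i in ids else "0" for i in range(1, width + 1))


def _bits_to_set(bits):
    return {i + 1 for i, b in enumerate(bits) if b == "1"}


def encode_tc_string(fields):
    """Serialise a dict of core-segment fields plus 'vendor_consent' (set of ids)."""
    bits = ""
    for name, width in CORE_FIELDS:
        value = fields[name]
        if name in LETTER_FIELDS:
            bits += _letters_to_bits(value)
        elif name in SET_FIELDS:
            bits += _set_to_bits(value, width)
        else:
            bits += format(int(value), f"0{width}b")
    vendors = set(fields.get("vendor_consent", ()))
    max_vendor = max(vendors, default=0)
    bits += format(max_vendor, "016b") + "0" + _set_to_bits(vendors, max_vendor)
    bits += format(0, "016b") + "0"   # legitimate-interest vendors: none
    bits += format(0, "012b")         # publisher restrictions: none
    bits += "0" * (-len(bits) % 8)    # pad to whole bytes
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_tc_string(tc):
    """Parse the core segment back into a dict.

    Nothing here verifies who produced the string: the format carries no
    signature or MAC, so a consumer cannot tell a genuine string from a
    rewritten one.
    """
    raw = base64.urlsafe_b64decode(tc + "=" * (-len(tc) % 4))
    bits = "".join(format(b, "08b") for b in raw)
    pos = 0

    def take(n):
        nonlocal pos
        chunk = bits[pos:pos + n]
        pos += n
        return chunk

    fields = {}
    for name, width in CORE_FIELDS:
        chunk = take(width)
        if name in LETTER_FIELDS:
            fields[name] = _bits_to_letters(chunk)
        elif name in SET_FIELDS:
            fields[name] = _bits_to_set(chunk)
        else:
            fields[name] = int(chunk, 2)
    max_vendor = int(take(16), 2)
    if take(1) == "1":
        raise ValueError("range-encoded vendor section not handled in this example")
    fields["vendor_consent"] = _bits_to_set(take(max_vendor))
    return fields


def rewrite_purposes(tc, purposes):
    """Re-encode the string with different purpose consents; any holder can do this."""
    fields = decode_tc_string(tc)
    fields["purposes_consent"] = set(purposes)
    return encode_tc_string(fields)


def sample_fields():
    """Constructed sample: a user who consented to purposes 1 and 2 only."""
    now = int(time.time() * 10)   # TC strings store deciseconds since the epoch
    return {
        "version": 2, "created": now, "last_updated": now, "cmp_id": 123,
        "cmp_version": 1, "consent_screen": 1, "consent_language": "EN",
        "vendor_list_version": 100, "tcf_policy_version": 2,
        "is_service_specific": 1, "use_non_standard_stacks": 0,
        "special_feature_opt_ins": set(), "purposes_consent": {1, 2},
        "purposes_li_transparency": set(), "purpose_one_treatment": 0,
        "publisher_cc": "BE", "vendor_consent": {10, 25},
    }


if __name__ == "__main__":
    tc = encode_tc_string(sample_fields())
    print("TC string:", tc)
    print("recorded purposes:", sorted(decode_tc_string(tc)["purposes_consent"]))
    forged = rewrite_purposes(tc, range(1, 11))
    print("rewritten purposes:", sorted(decode_tc_string(forged)["purposes_consent"]))
```

The point of `rewrite_purposes` is not a new vulnerability but a design property: because the string is unauthenticated, the only way to check that a recorded choice is the one the user actually made is an out-of-band record held by the party that collected it, which is the kind of organizational and technical measure the DPA found missing.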
Loved this interpretation by @Peter Mc Laughlin: The IAB EU reaction is like that of VW: there is no prohibition against driving a VW, but if you do you may not legally meet emission standards.
Full decision link: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-21-2022-english.pdf