On 2 February 2022, the Belgian Data Protection Authority (APD) published its final decision on a long running complaint against IAB Europe’s Transparency and Consent Framework (TCF).
The IAB (or Internet Advertising Bureau) is the trade body for the online advertising industry. It has developed a tool called the Transparency and Consent Framework with the aim of enabling its members to publish ad-supported online content in accordance with the GDPR.
The APD has found that the tool and its use are unlawful.
One of the original complainants, Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties told TechCrunch: “Today’s decision frees millions of Europeans from nuisance and misleading consent requests. It should also protect them from illicit surveillance by tech firms”.
What was happening?
The TCF is deployed on websites to justify user data being passed onto third parties for real-time-bidding (RTB) programmatic ad auctions. It was developed with the aim of providing web publishers with the necessary legal basis under the GDPR for data processing as part of RTB.
Real-time bidding is a system where predetermined advertising space on web pages is auctioned in real time, typically by profiling the user to whom the advert will be shown.
The IAB coordinates various efforts concerning RTB, and operates in several jurisdictions, including Europe. In the proceedings (among its many arguments) it denied being a data controller in respect of TCF and, as such, claimed that it didn’t have legal responsibility for data processing operations.
What does the APD decision mean?
This decision is a big win for privacy campaigners who have spent years trying to get EU regulators to enforce the law against RTB and its participants.
The APD found breaches of 12 articles of the GDPR, including breaches of the principles of lawfulness of processing, fairness and transparency and security of processing as well as the failure to appoint a data protection officer.
IAB has been given a hard deadline of six months for bringing the TCF into compliance with the GDPR, after which it will be fined €5,000 a day. That’s on top of a €250,000 fine it already needs to pay. IAB has also been ordered to delete any illegally gathered data.
The company has 30 days to file an appeal.
Vive la révolution?
It’s definitely big news for the ad tech industry but it remains to be seen what impact this will have on a broader level.
Regulators have made previous decisions on RTB actors but this one is different. Other rulings typically focus on organisations holding personal data. This one strikes at the heart of the RTB system and makes IAB Europe a data controller (something the organisation continues to deny).
While the decision appears to give IAB Europe a chance to fix the TCF, the chance of it being able to do so is slim.
There have already been repercussions across Europe – the Dutch data protection regulator for example, recommended that web publishers in the Netherlands should look for alternatives to behavioural advertising. Other regulators may shortly follow suit.
What are the alternatives?
The internet has largely been funded by the advertising industry – not only does the supply of advertising appear limitless, but users can be targeted in more granular ways to maximise the possibility of a click (and subsequent purchase). RTB came into the market in 2014 as a more efficient way to purchase advertising, bypassing traditional media buyers and publishers. It’s now worth billions of dollars and is expected to reach a height of $27.2 billion by 2024.
Contextual advertising is often cited as the main alternative – placing ads on web pages, based on the content of those pages (rather than a profile of the user visiting the page). It’s less intrusive and still serves relevant advertising to users, but it predates RTB so many in the industry may see it as a step backwards. Another alternative would be for web publishers to exercise more control by placing all their content behind a login, but this would be a huge change from the internet we see today.
Google has also been working on plans to replace third-party cookies for advertising. It had planned to phase out support for cookies in the Chrome browser by January 2022 but announced it was delaying the move until 2023. Safari and Firefox have already blocked some third-party tracking cookies, but experts predict a “cookiepocalypse” once Chrome completes the move.
Really, this is about much more than just seeing a pair of shoes that you might like following you around the internet. The profiles that exist about internet users are startling in their detail. Privacy is a basic human right and targeted advertisements can spread misinformation, increase surveillance and reinforce societal bias. And, as the APD has ruled, the basis upon which that data has been collected and processed may be unlawful under the GDPR.