In February of this year, the Belgian Data Protection Authority (DPA) dropped a bombshell on the ad industry when they ruled that the Interactive Advertising Bureau’s (IAB) Transparency and Consent Framework (TCF) violated the General Data Protection Regulation (GDPR) in several critical ways. Admittedly, that alphabet soup doesn’t exactly sound like a bombshell.
So, let’s go beyond the acronyms and break down what this means for publishers going forward.
The ruling
First, the basics. The GDPR requires companies to have a valid legal basis tied to a specific purpose before processing any personal data from consumers. The two most popular bases are consent (affirmative and freely given) and legitimate interest (essentially, the benefit to the consumer from the use of their data outweighs the risk). It should be noted, though, that Facebook decided to take its own direction by using a contract as its basis, a strategy that is quickly unraveling.
To maintain the free flow of data that currently fuels a wide swath of digital advertising, the IAB created the TCF, which allows companies to transfer their legal basis for the data used in the buying and selling of advertising inventory in a real-time bidding format. Under the TCF, a publisher can note whether or not they have a legal basis to process a consumer’s personal data. Then, advertisers and ad tech companies can decide whether to bid on the ability to show an ad to that person.
The Belgian DPA received several complaints, including one from Johnny Ryan at the Irish Council for Civil Liberties, that the IAB’s TCF violated the GDPR. In short, the TCF was criticized for facilitating the widespread dissemination of personal data to the entire industry without any real controls on the access, use or auditing of that data. Specifically, the DPA found that:
1. The TCF and the ad tech companies using the TCF were processing a ton of personal data without any legal basis and certainly beyond any legal basis claimed by the publisher.
2. The IAB failed to properly educate consumers given the complexity of the data processing.
3. The IAB deployed no technical measures to limit unauthorized access to personal data.
4. The IAB was operating as a controller of data and, thus, should have kept a register of activities, appointed a data protection officer and conducted a data protection impact assessment.
The DPA ruled the TCF invalid and fined the IAB 250,000 Euro per day. The IAB is currently appealing in the hopes of making small changes to satisfy regulators. However, many insiders are skeptical that the IAB’s proposals will suffice. The fundamental problem is that the current ad industry is built on the ability to collect and share consumer data at will and at scale, while GDPR enforcers want meaningful change with meaningful protections for consumers. An approach that aims to maintain the status quo simply does not satisfy that requirement.