Last week, the Belgian Data Protection Authority ruled that the IAB’s cookie consent framework violated the GDPR. This decision has tremendous potential implications on the ad tech industry, as both publishers and advertisers must reevaluate their legal bases for targeted advertising.
On February 2, 2022, the Belgian Data Protection Authority (the “Belgian DPA”) ruled that Interactive Advertising Bureau Europe’s1 (“IAB Europe”) Transparency and Consent Framework (“TCF”) violates multiple provisions of the European Union General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”). The TCF is a cross-industry standard that facilitates the management of users’ preferences for online personalized advertising. The TCF consists of a registry of vendors (which digital property operators can use to see whether the vendors they work with participate in the TCF), a list of consent management providers, policies and terms & conditions (underlying, for example, vendor registration, use of technical standards, how to handle user data etc.), and certain technical standards (e.g., capturing, storing and retrieving a user’s choice about each vendor and purpose). In practice, when a user first visits a website or app, a consent pop-up is presented to users allowing them to express their processing preferences. The TCF then registers those preferences by creating a coded character string, which functions as a digital signal. The consent string is sent alongside all other user data that is shared with an ad tech vendor ahead of running an ad.
The practical implications of this decision are significant for website pop-ups asking for consent for advertisers to gather data for third-party advertising, as well as for Consent Management Platforms (“CMPs”) (which are platforms used by publishers2 for requesting, receiving, and storing consents). The majority of websites and apps in Europe use these consent pop-ups. The decision has potentially broad consequences for the ad tech industry overall, as both website publishers and advertisers will need to reevaluate their legal bases for targeted advertisements. Additionally, companies that had previously viewed themselves as sole processors under the law will need to reassess whether they have their own controller obligations in light of this decision. The decision did not discuss details of international data flows; its potential impact on this evolving issue is unclear.
Summary of the Ruling
The ruling is the culmination of several complaints filed against IAB Europe in 2019 for breaching provisions of the GDPR related to large-scale processing of personal data, which were ultimately merged into one case file.
The Belgian DPA made several key findings:
- Legitimate interest is not an appropriate legal basis for processing data under the TCF;
- IAB Europe does not sufficiently monitor compliance with the TCF policy rules, breaching Articles 24.1, 32.1 and 32.2 of GDPR;
- IAB Europe failed to keep a register of processing operations, thereby breaching Article 30.5 of GDPR;
- IAB Europe did not cooperate sufficiently with the investigation by the Inspection Service, breaching Article 31 of GDPR; and
- IAB Europe failed to appoint a data protection officer (“DPO”), breaching Article 37.1.b of GDPR.
As part of its decision, the Belgian DPA fined IAB Europe €250,000 (the maximum allowed under the GDPR is the higher of €20 million or 4% of a company’s global turnover) and ruled that certain personal data collected through consent pop-ups must be deleted. Notably, fines were not aggregated per violation. IAB Europe was given two months to present an action plan to bring its activities into compliance and 6 months to implement the plan, after validation of the plan by the Belgian DPA.
Compliance measures that IAB Europe must take include: designating a DPO; carrying out a data protection impact assessment; establishing a valid legal basis for processing and disseminating users’ preferences within the context of the TCF; prohibiting organizations participating in the TCF in its current format from using “legitimate interest” as a basis for processing; auditing organizations participating in the TCF for GDPR compliance; and implementing monitoring measures to facilitate the exercise of data subject rights.
Some particularly notable takeaways from the decision include:
- IAB Europe is a joint controller. The Belgian DPA concluded that IAB Europe as well as CMPs, publishers and participating ad tech vendors are joint controllers for the collection and dissemination of users’ preferences, objections, and consent and for the processing of their personal data. In so concluding, the Belgian DPA applied a broad interpretation of the role of a data controller, noting that if it appears an organization plays a decisive role in disseminating personal data or that the processing carried out under the influence of the organization may substantially affect the fundamental rights to privacy and to the protection of personal data, the organization it question should be considered a data controller.
- Legitimate Interest is not a sufficient legal basis for processing in this case. Legitimate Interest is prohibited as a legal basis for participating in TCF in its current format. The Belgian DPA noted that for legitimate interest to be lawful the controller must show: (1) that the interest it pursues can be recognized as legitimate; (2) the processing is necessary to achieve those interests; and (3) these interests balanced against the interests, fundamental freedoms and rights of data subjects weigh in favor of the data controller or a third party. The Belgian DPA found the legitimate interest of the organizations participating in the TCF is outweighed by the interests of the data subjects and that it is “remarkable” that users are not granted an option to completely object to processing their preferences. Particularly salient from the Belgian DPA’s perspective was the fact that users are not informed of the installation of an euroconsent-v2 cookie on their terminal device regardless of their agreement with the purposes and adtech vendors offered by the CMP and are also not informed of their right to object to the processing. In other words, the decision appears to be situating valid consent as the only functional legal basis for processing in the context of direct marketing involving behavioral advertising.
- The consent of the data subjects obtained through CMPs in the current version of the TCP is not legally valid. The Belgian DPA noted that the consent currently collected is invalid because it is insufficiently free, specific, informed, and unambiguous. In so reasoning, the Belgian DPA noted that the TCF makes it difficult for users to obtain more information about the identity of all data controllers to whom they give consent before that consent has been obtained. Notably, the Belgian DPA reasoned that since there are numerous recipients of consent, such that users would need a disproportionate amount of time to read any disclosures, consent can rarely be sufficiently informed. Furthermore, consent, once obtained, cannot be withdrawn as easily as it was given and since the withdrawal of consent via a CMP is never immediate, it cannot be considered effective.
IAB Europe’s Response
IAB Europe responded to the decision on February 2, 2022. In its statement, IAB Europe rejected the finding that it is a data controller, noting that the decision “will have major unintended negative consequences going well beyond the digital advertising industry.” IAB Europe also expressed its intention to create an action plan that will ensure TCF’s continuing utility.
Notably, in FAQs posted in response to the decision, IAB Europe stated that legitimate interest might be used as a legal basis for processing. IAB Europe noted that the Belgian DPA considers capturing users’ approval and preferences to ensure and demonstrate valid consent to advertising may be considered a legitimate interest, and that the information processed is limited to data that is strictly necessary. That being said, users must be informed about their preferences being stored and provided with a way to exercise the right to object to such storage or processing.
IAB Europe noted that it may appeal the decision before the Belgian Market Court before March 4, 2022 and can also ask the Market Court for the suspension of enforcement until the end of the appeals process. It has publicly stated that it is still assessing options with respect to a legal challenge.
This ruling has complex implications for companies engaging in online advertising. Though the opinion suggests that consent is the way to make the system compliant, in practice, it seems difficult to meet the parameters for valid consent described by the Belgian DPA.
Additionally, the conclusion that IAB Europe is a joint controller heightens the risk that organizations that oversee and manage industry codes of conducts and rules also constitute joint controllers, potentially disincentivizing the promulgation of such codes of conduct.
1 IAB Europe is a federation comprised of corporate members and national associations that represents the digital advertisement and marketing industry on the European level.
2 A publisher (according to the IAB) is an operator of a website, app or other content where digital advertisements are displayed or user information is collected and used for digital advertising, measurement and analytics, or content personalization.