Knowledge Hub

3 months with TCF 2.0 – Criticism from the Belgian data protection authority and official statement of the IAB Europe

Knowledge Hub Knowledge 3 months with TCF 2.0 – Criticism from the Belgian data protection authority and official statement of the IAB Europe

The Transparency and Consent Framework (TCF) version 2.0 of the Interactive Advertising Bureau (IAB Europe) has been officially in force since 15 August. 

The TCF 2.0 was intended to finally introduce a technical market standard that defines the retrieval and transmission of a user’s consent signals between publishers and third parties who have joined the framework (such as Google, Criteo, or Taboola). 

While some players in the digital advertising industry are celebrating the framework as a long-awaited standard to harmonize a heterogeneous market, critical voices are gradually becoming louder. But what exactly has happened?

 

According to the Belgian data protection authority, TCF 2.0 violates the GDPR

Only recently, the Belgian data protection authority (APD-GBA) published the preliminary results of a study on TCF 2.0 with a knock-on effect. The central message  was that, in their opinion, TCF 2.0 violates several points of the General Data Protection Regulation (GDPR). The report states:

“IAB Europe’s approach demonstrates that it neglects the risks that would impact on the rights and freedoms of data subjects”.

The accusation that the TCF 2.0 makes the processing of especially sensitive data such as health data, information regarding sexual orientation etc. technically possible for advertisers in Real Time Bidding (RTB), with or without the user’s permission, weighs particularly heavily.

“The TCF does not provide adequate rules for the processing of special categories of personal data. However, the OpenRTB standard, framed by IAB Europe’s TCF, does allow the processing of special categories of personal data”. 

What does the IAB Europe say?

In response to the report, IAB Europe has already published a statement challenging the Belgian data protection authority. IAB Europe points out that these are only preliminary findings without any legal effect.  

“The APD’s report represents the preliminary views of the APD’s investigations unit and has no binding effect with regard to any breach of the law by IAB Europe”.

IAB Europe also noted that although TCF 2.0 is a voluntary standard, it was developed in cooperation with European data protection authorities.

“The TCF is a voluntary standard whose purpose is precisely to assist companies from the digital advertising ecosystem in their compliance efforts with EU data protection law.” […]  “We find it regrettable that a standard whose requirements reflect an interpretation of the law that errs on the side of consumer protection and aligns with multiple DPA guidance materials across the EU (CNIL, DPC, ICO, etc.), should be the focus of an enforcement action, rather than an opportunity for a constructive, good-faith dialogue on how the TCF can be improved in ways that better align with the APD’s vision and with consumer and industry needs.” […] “We will also continue to work with regulators and seek their guidance on how the TCF can promote compliance with both the GDPR and the ePrivacy Directive.”

Source IAB: https://iabeurope.eu/all-news/iab-europe-comments-on-belgian-dpa-report/ 

 

To summarize, there is currently a lot of discussion on which TCF 2.0 CMP implementations are compliant and which aren’t. As the market is currently very dynamic, it remains to be seen what standards will prevail.