On February 2, 2022, the Belgian Data Protection Authority (DPA) found that the Interactive Advertising Bureau Europe (IAB) Transparency & Consent Framework (TCF), a tool used to record individuals' online ad preferences, violates the General Data Protection Regulation (GDPR). The DPA fined IAB Europe €250,000 (approx. USD 280,000), and required IAB Europe to present an action plan to bring the TCF into compliance within two months. To reach this conclusion, the DPA concluded that:

1. The character strings used to express users' online ad preferences collected via the TCF (TC Strings) constitute personal data under the GDPR,
2. IAB Europe is a joint controller for the processing of the TC Strings with website publishers, consent management platforms (CMP), and ad tech vendors in the context of open real-time bidding (OpenRTB), and
3. IAB Europe does not comply with several GDPR provisions, including having a valid legal ground for processing the TC Strings.

This decision is critical as it represents the view of privacy regulators at a pan-European level. It will likely prompt increased scrutiny of website operators in the EU and affect the concepts of controllership, joint controllership, and what constitutes a valid legal basis for advertising purposes.

Background

The TCF is a framework composed of policies, technical specifications, and terms and conditions developed by the IAB, which companies can use to inform, and obtain consent from, users about their data processing operations. IAB Europe is the federation representing the digital advertising and marketing industry at the European level.¹ IAB has been developing tools to help stakeholders in the digital advertising industry comply with EU data protection rules.

In 2019, the DPA received four complaints regarding the conformity of the TCF with the GDPR. Other organizations and individuals filed five similar complaints in Ireland, Poland, and the Netherlands. Since IAB Europe has its main establishment in Belgium, the DPA acted as the lead supervisory authority. The complaints alleged that the TCF did not comply with the GDPR principles of legality, appropriateness, transparency, purpose limitation, storage restriction and security, and accountability. The DPA issued a draft decision in collaboration with the other concerned European authorities, which became final on January 27, 2022.²

Key Takeaways

1. Character Strings Used in the TCF to Express Users' Preferences Constitute Personal Data.

While IAB Europe argued that it does not process any personal data in the context of the TCF, the DPA finds that the TC Strings used to express users' preferences constitute personal data. To support this view, the DPA referred to the CJEU case law and noted that "as long as information can be linked to an identified or identifiable natural person using reasonable means, it should be considered personal data." It acknowledged that the TC string may not on its own allow for the direct identification of the user, due to the limited metadata and values it contains. However, it stated that the TC String can be combined with the user's IP address collected by the CMPs to "single out" an individual. The DPA held that it is irrelevant whether the information from which the data subject can be identified is held entirely by the same controller or partly by another entity (here the CMP), and that consequently this information should be considered personal data.

2. IAB Is a Joint Controller for the Processing of Users' Preferences with Website Publishers, IAB Europe, CMPs, and Adtech Vendors

The GDPR provides that a controller is the entity that defines the purposes and the means of the processing. The DPA held that while it is "generally considered that defining the purposes of processing outweighs defining the means when it comes to establishing the responsibility of an organization"³ an entity must define both to be a controller. According to the DPA:

• Purpose: IAB Europe has a decisive influence on the purpose of the processing activities operated in the context of the TCF as it sets out requirements for participation in the TCF (such as through TCF policy documents and technical specifications), and pre-determines the list of possible processing purposes that participating organizations may pursue in the context of the TCF.
• Means: IAB Europe defines the means of the processing when it defines the way in which participating organizations can generate, modify, and read the TC Strings, store the related data, and determine the potential recipients of this data.

As a result, the DPA finds that IAB Europe is the controller of the TC String. The fact that IAB Europe does not itself process the data is irrelevant according to the DPA.

In addition, the DPA found that IAB Europe is not the only data controller, but rather that it acts as a joint-controller together with other organizations participating in the TCF (i.e., website publishers, CMPs, and adtech vendors). The DPA reasoned that the decisions of the various participating organizations are complementary and all have a tangible influence on the determination of the purposes and means of the processing.

According to the DPA, the decisions made by IAB Europe when preparing the TCF policies and technical specifications, on the one hand, and the means and purposes determined by the participating organizations when processing users' personal data, on the other hand, must be regarded as convergent decisions. It noted that user's preferences are not solely collected and exchanged for IAB Europe own purposes, but also to allow further processing by third parties (i.e., publishers and adtech vendors). According to the DPA, this means that the processing activities carried out by each party in the TCF are inseparable and indivisible (i.e., they would not be possible without the participation of all parties).

3. Legitimate Interest Is Not a Valid Legal Basis for Advertising

The DPA concluded that IAB Europe failed to provide a legal basis for the processing of user preferences in the form of a TC String, and found such processing to be unlawful.⁴ To reach that conclusion, the DPA distinguished two processing activities: 1) the capture of the consent preferences of users in the TC String, and 2) the collection and dissemination of the users' personal data by the participating organizations.

1. With respect to the capture of user preferences. The DPA found that IAB Europe failed to provide a legal basis for the processing of user preferences in the form of a TC String since it did not collect valid consent and could not rely on contractual necessity or its legitimate interest for this processing activity (the user's interest and expectations have insufficiently been taken into consideration in the context of the TCF, and users are not provided with an option to completely oppose the processing of the TC String).
2. With respect to the collection and dissemination of the TC String in the context of the OpenRTB Protocol. The DPA found that none of the legal grounds implemented by the TCF could be lawfully used by TCF participants. In particular, it concluded that individuals' consent obtained through CMPs is not valid as it is not sufficiently informed, not granular enough, and cannot be withdrawn. Referring to EDPB guidelines, it concluded that the (pre)contractual necessity is not a valid legal ground applicable to behavioral advertising. It found that the legitimate interest of the organizations participating in the TCF is insufficient in this case as the TCF does not provide sufficient information about the purposes of the processing activities, and it does not allow participating organizations to explain the legitimate interests at stake in clear terms to the users. The DPA also found no safeguards to ensure that the personal data processed is limited to what is strictly necessary. Lastly, due to the large numbers of participating organizations receiving personal data, users cannot reasonably expect the extent of processing triggered by this disclosure.

According to the DPA, IAB Europe also fails to comply with several other GDPR obligations, such as appointing a data protection officer, ensuring the security of the data, and maintaining a record of processing activities.

Conclusion

Since its launch, a significant number of organizations have implemented the TCF and rely on it to demonstrate compliance with the GDPR and the e-Privacy Directive. Website operators and all parties involved in the adtech sphere should consider reviewing their practices, as a significant reform of the framework is likely to follow in the coming weeks. The DPA expects IAB Europe to submit an action plan within two months from the publication of the decision. Once the DPA validates the action plan, IAB Europe will have to implement the compliance measures within six months. IAB Europe has already indicated it is rejecting the DPA findings and is considering its legal options. IAB Europe also published a set of FAQs.⁵ The decision can be appealed until March 3, 2022, and we expect an appeal to be filed.

Wilson Sonsini Goodrich & Rosati routinely advises clients on GDPR compliance issues, and helps clients manage risks related to the enforcement of global and European data protection laws. For more information, please contact Cédric Burton, Jan Dhont, Laura De Boel, Lydia Parnes, Christopher Olsen, or another member of the firm's privacy and cybersecurity practice.

---

^[1]See https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-21-2022-english.pdf.

^[2]See https://www.dataprotectionauthority.be/belgian-dpa-sends-its-draft-decision-in-the-iab-europe-case-to-european-counterparts.

^[3]Paragraph 331 of the Decision.

^[4]With the meaning of Article 6 GDPR.

^[5]https://iabeurope.eu/wp-content/uploads/2022/02/APD-Decision-FAQ-v1.pdf.