The Belgian data watchdog has found that the industry standard for managing user preferences in Europe violates several provisions of the General Data Protection Regulation (GDPR) and has asked advertisers to delete the data collected .
The Belgian data protection authority issued a long-awaited decision on Wednesday (February 2) based on a series of complaints filed in 2019 against the Interactive Advertising Bureau Europe (IAB), the trade association for digital advertising.
The complaints concerned the IAB Europe’s Transparency & Consent Framework (TCF), which advertisers use to capture user preferences. These preferences are shared in real-time auctions that take place in fractions of a second to allocate advertising space.
“The processing of personal data (e.g. capturing user preferences) in the current version of the TCF is inconsistent with the GDPR, due to an inherent violation of the principle of fairness and legality,” said Hielke Hijmans, president of the litigation chamber of the authority. .
Thanks to the framework, users are prompted to express their preferences via a pop-up banner when visiting a website. The TCF stores this preference and makes it available to organizations participating in the online auction.
“People are asked to give their consent, while most of them are unaware that their profiles are sold a large number of times a day to expose them to personalized ads,” Hijmans added.
User preferences are also stored on the device via a cookie which, combined with data stored by the TCF, links back to the IP address, a unique code to identify the user.
The Belgian authority considered IAB Europe to be a data controller liable for GDPR breaches, a point the association disputes saying it merely supported the industry in developing a common standard.
“The control seems to have been extended to the IAB exactly because they designed the system, not because they process the data,” said Otto Lindholm, data and privacy manager at Dottir Attorneys.
“Now vendors will be scratching their heads wondering how far they can extend their expertise in recommending systems and solutions to their customers, without stepping over the fuzzy line of scrutiny,” Lindholm noted.
For Charles-Albert Helleputte, Head of Privacy Practice at Steptoe, the decision “confirms a trend; supervisory authorities strive to explore a wide extension of the fundamental concepts of the GDPR. »
Helleputte argues that the reason, in this case, was opportunistic, because targeting the standards organization is likely more practical than going against the entire ecosystem.
The Belgian authority found that IAB Europe had no legal basis for processing personal data and that the legal bases for sharing this data with sellers were “inadequate”.
“The DPA has made explicit what many observers have been saying for some time: that ‘legitimate interests’ do not constitute a valid legal basis for the processing of personal data obtained through non-essential cookies”, Robert Bateman, research director at the GRC World Forums, told EURACTIV.
Bateman noted that since users shouldn’t be prompted to disable non-essential cookies, “this could be the end of those long drop-down vendor lists that are automatically enabled by default on many websites.”
The professional association also did not respect the obligations of a subcontractor, such as keeping a register or carrying out impact analyses.
Furthermore, the authority considered that users were not sufficiently informed of the functioning of the TCF. They noted that the system failed to keep data secure and confidential, violating the “data protection by design” requirement.
“Today’s decision frees hundreds of millions of Europeans from untimely and misleading consent requests. It should also protect them from unlawful surveillance by tech companies,” said Johnny Ryan, senior researcher at the Irish Council for Civil Liberties (ICCL) and one of the architects behind the complaints.
ICCL estimates that the TCF represents 80% of the European internet, including over 1,000 companies and major advertisers such as Google, Amazon and Microsoft. As a result of the decision, all data collected through the TCF will be deleted.
Belgium’s data watchdog imposed a €250,000 penalty on IAB Europe and several corrective measures to ensure TCF’s GDPR compliance.
These remedies include establishing a legal basis and vetting participating organizations to ensure that they also comply with EU privacy rules.
“This could have a significant impact on the digital advertising landscape, but it remains to be seen how well the IAB can ensure TCF participants are GDPR compliant,” Bateman added.
IAB Europe now has two months to present an action plan demonstrating how it will comply with the authority’s decision and six months to implement it.
In a statement, IAB Europe pledged to work with the Belgian authority in the coming months and welcomed that the decision does not completely ban TCF, as requested by the complainants.
“We are considering all options with respect to a legal challenge,” the statement added.
[Edited by Alice Taylor]