Skip to content

IAB standard TCF not compliant with GDPR

In this article

The GDPR came into effect in 2018 and regulates the processing of personal data within the European Union. It imposes obligations on organisations, wherever they are, as long as they target and/or collect data from people residing in the European Union. This initiative aims in particular to respond to users’ demands for greater protection of their privacy and more transparency in the use of their data.

On February 2nd, 2022, the Belgian Data Protection Authority (DPA) fined the Interactive Advertising Bureau (IAB) of Europe 250,000 euros, judging that the Transparency & Consent Framework (TCF) was contrary to several clauses of the GDPR. 

While the TCF is used by the majority of players in the advertising chain, could this European sanction questions the way consent is collected for targeted advertising?

Update 16/02/2023: After IAB’s up-to-date TCF proposal on April 2022, DPA finally approved it and gave them 6 months to implement it starting from January 11th 2023.

1 – What is the TCF?

The Transparency & Consent Framework (TCF) is a consent standard developed by the IAB Europe (the organisation that brings together the main players in online advertising) to help the various players in the advertising chain to comply with the requirements of the GDPR and the ePrivacy Directive.

When an Internet user visits a website, a Consent Management Platform (CMP) banner appears, allowing them to consent or not to the collection and sharing of their data. It is at the moment of this choice that the TCF comes into play, recording the preferences collected in the form of a file called “TC String”.

The IAB France defines the “TC String” as: “a chain of digital signals allowing the memorization and propagation of users’ choices concerning the use of their personal data for purposes related to advertising, content and audience measurement”. 

This file is shared with all the players involved in the OpenRTB (Real Time Bidding) system, a method of selling and buying advertising inventory in real time based on auctions. RTB is one of the main tools of programmatic advertising.

2 – What does DPA blame the IAB for ?

The Belgian CNIL considers IAB Europe to be responsible for the processing of “TC Strings”, and accuses it in particular of :

  • The absence of a legal basis for the use of the data collected through this file;
  • A lack of transparency, with information that is too generic, not allowing Internet users to understand what the collection of their data involves;
  • A lack of rigor regarding the means put in place to ensure data protection: absence of a register of processing activities, absence of a data protection officer (DPO), etc.

3- What future for advertising? And what consequences for publishers?

The DPA gives the IAB Europe two months to submit an action plan to bring its advertising standard into compliance within the next six months. It also orders the permanent removal of all TC Strings and other personal data already processed under TCF from all IT systems, files and databases.

In a press release, published on February 2nd, 2022, the IAB Europe states that it takes note of the Belgian Authority’s decision, but that it has not observed any prohibition of their TCF standard. While the organisation says it is willing to work with the DPA to ensure that TCF is maintained and used in the market, it rejects its role as “data manager”. On February 11th, 2022, IAB Europe announced that it would appeal the DPA’s decision before the Belgian courts.

As a reminder, there are currently 3 contexts for media advertising monetisation: with consent, without consent or in the absence of choice, in which case the website publisher can rely on its legitimate interest to display ads without cookies. At Opti Digital, we offer cross-consent monetisation, which respects users’ choice, and allows publishers to monetise their website with and without user consent to targeted advertising.

For our CEO and co-founder Magali Quentel-Reme: “It’s still too early to tell, but if publishers were to reintroduce the CMP during TCF compliance, we might see a drop in the consent rate because the internet user, out of weariness, might decide to object to everything.”

As the announcement is still recent, the consequences for the sector are still difficult to foresee. At Opti Digital, we will therefore be following this subject closely over the coming weeks, in close contact with our CMP partners (read Sirdata’s article following the DPA announcement). We shall keep you informed of the situation by updating our article on a regular basis.

The IAB Europe will host a live chat on Wednesday February 16th to answer questions raised by the DPA decision. Further information on the next steps will be provided at this event. In the meantime, an FAQ is available on the organisation’s website.

If you would like to discuss this further, please contact one of our publishers managers.

In this article
Share