• IAB Europe says coverage of a recent investigation by Belgium’s Data Protection Authority (DPA) misses the key issues.

That investigation resulted in an internal report citing ways in which the IAB Europe’s Transparency and Consent Framework (TCF) violates the European Union’s General Data Protection Regulation (GDPR), the landmark data privacy law that went into effect in May 2018. This preliminary and internal report has now been sent to an independent body of experts inside Belgium’s DPA for a final and public decision, possibly by mid-2021, which could be followed by legal scrutiny in the courts.

Although the preliminary report has not been released publicly, news reports, privacy groups, and IAB Europe indicate it says the TCF violates GDPR on several grounds.

“Special category information”

A key issue, says Belgium’s investigative unit, is that TCF does not provide adequate safeguards for handling what GDPR calls “special category information,” such as health data, sexual orientation, or political affiliation.

The TCF, according to the unit and several privacy groups who have filed complaints, lets publishers and ad vendors exchange this special information through the IAB’s OpenRTB standard, which is supported by the TCF.

RTB stands for “real-time bidding,” widely used to deliver online ads for a given user based on targeting data within microseconds. That targeting data commonly includes what the user is reading or watching online as well as their location, device description, cookie matching, and/or an IP address. The TCF provides standards for how publishers obtain consent for use of that data. “Special category information” like health data or sexual orientation is considered personal, and is more protected than common targeting data.

Is RTB itself a GDPR violation?

A misuse of special category data might just be the most egregious example, but some privacy advocates also object to the RTB system itself and recommend alternatives like context-based ads. Their objection centers on the availability of such targeting data throughout the enormous digital ad ecosystem, which they say goes beyond its GDPR-restricted uses. IAB Europe’s legal director for privacy, Filip Sedefov, pointed out to RampUp that, to date, no DPA has determined that RTB violates GDPR.

As examples of the misuse of targeting data based on special category information, the complaints say that RTB-derived information was employed to direct ads at LGBTQ+ voters during Poland’s 2019 national election, that users in Ireland were targeted within an RTB-derived AIDS/HIV category, and that RTB data was used to track movements of users in Italy to see if they observed the COVID-19 lockdown. None of these actions, the complainants say, were consented to by the users.

In light of these charges, Sedefov said, the Belgium DPA’s investigative report and the resulting press coverage missed several key points.

First of all, he said, Belgium’s DPA has not yet made an official finding. Its investigative unit has issued an internal report, which now goes to a body of independent experts within the DPA for a final assessment.

Additionally, Sedefov noted, “special categories of data [like health and sexual orientation] are explicitly excluded from the scope of the TCF.” He added that none of the “names which TCF participants can choose from allow collection or processing of special categories of data.” Any use of these special data categories, he added, is the responsibility of individual organizations.

Most importantly, he said, IAB Europe is not a “data controller” as indicated by the Belgium DPA, and therefore is not liable for misuse of data by publishers, vendors, and others. None of the other EU DPAs—each EU country has its own GDPR authority—has designated IAB Europe as a data controller, he added.

Controller vs. standards

Under GDPR, publishers and similar entities are generally considered the data controllers, in that they control which data is requested and used and how consent is managed. Vendors that handle and utilize data under the direction of controllers have subordinated responsibilities as “data processors.”

Sedefov said that IAB Europe is a standards-setting body, and the TCF is a voluntary set of protocols providing “minimal requirements” for the digital ad ecosystem to meet GDPR requirements for user consent and management of personal data. Intended to help bring targeted advertising into compliance, TCF provides the basic protocols behind consent management platforms, and informs the practices of ad bidding platforms, ad servers, and others in the digital ad ecosystem.

“If upheld,” IAB Europe said in a statement, the [Belgium DPA’s] “interpretation would have a chilling effect on the development of open-source compliance standards that serve to support industry players and protect consumers.”

“We’re not the entity in charge of the website, collecting the data, [or] processing the data,” Sedefov added. “The [GDPR] violations are on the individual companies that use and collect data.”

Developed with DPAs

In fact, Sedefov said, DPAs have a mandate under GDPR to support the development of standards. Version 2 of the TCF, made available to the market this past August, implements several changes suggested by feedback from various DPAs in the European Union, although not Belgium’s, he pointed out.

Some examples include presentation of data processing purposes for user consent in a first user interface layer, followed by more detail in other layers; separate bundling of privacy policy and consent; and a prohibition of dark-on-dark patterns when presenting important text.

At this point, the question for marketers is: what could the Belgium DPA’s final decision mean for the digital ad industry?

Sedefov noted that the operation of the standard itself “is not impacted by the preliminary report.”

But, if IAB Europe is found to be a data controller for TCF, “it is likely that IAB Europe would no longer be in a position to manage the Framework, and TCF could be reduced to a mere technical tool to record and transmit user choice, deprived from its accountability framework and at the expense of transparency and user privacy protections.”

In that case, he said, while the process for “how controllers gather consent will likely remain the same, the ecosystem will no longer be able to benefit from a common standard, which would likely significantly affect operations.”

This “would not just severely damage the online advertising and publishing industries,” Sedefov said, but “it would be shocking for standard-setting organizations to be held responsible for the actions of individual legal entities that implement its standards.”
