At long last the most prominent GDPR case targeting the legal standing of the IAB Europe’s Transparency & Consent Framework (TCF) has been settled. A Belgian appeals court has ruled on how ad tech vendors, publishers and advertisers can continue to use programmatic advertising in Europe.
“Well, here we are,” IAB Europe CEO Towney Feehan told AdExchanger, with a long sigh that conveyed both exasperation and relief. “This is really it.”
The new ruling as of Wednesday affirmed that the IAB Europe is indeed a joint data controller for the TCF standards. The ruling also confirms that TC Strings, the IDs used to convey permission to use data for ad targeting (i.e. all those pop-up consent notifications Europe is notorious for), constitute personal data. And the court affirmed a prior fine of 250,000 euros to be paid by IAB Europe.
The background
To give some context to all that hardcore jargon: In 2022, the Belgian data protection authority (DPA) ruled that the IAB Europe is a joint data controller for the TCF, and that the framework was illegal. This was a far-reaching thunderbolt. Never in years of discussions with regulators regarding the TCF had the notion of the IAB Europe as a data controller ever come up, Feehan said.
But the IAB Europe appealed the Belgian DPA’s decision, and that appeal was punted up to the EU high court to determine the definitions for the case.
In its decision last year, The EU Court of Justice, as it’s known, gave a far more limited interpretation of the IAB Europe’s controllership. And the Belgian court this week reaffirmed that decision, annulling the previous broader definition of joint data controllership set by the Belgian DPA
In essence, under the narrower ruling adopted by the Belgian court this week, the IAB Europe must itself gain consent in order to host the TCF on behalf of a programmatic impression. Typically, a number of vendors – any ad tech vendor or data supplier in the chain – are required to gain consent in order to run targeted ads.
Google benefitted by this arrangement, because under GDPR its ad tech often requires consent only for Google to use data. For European ad impressions served and bid on by open programmatic companies, a dozen or more vendors might all require permission, and people are more reticent to share data with companies they’ve never heard of.
Now, to run ad targeting in Europe through the IAB OpenRTB protocols, Feehan said that the IAB Europe itself must be among those vendors granted permission for collecting or using data. “Which is manageable from a liability perspective,” she said.
“For us the scary thing was, against all common sense, that we’d be found to be a joint controller for all the processing purposes,” she said.
What’s next?
Should publishers or ad tech companies using the current TCF feel any qualms about the decision?
No, according to Feehan.
The IAB Europe has a few months to update members and include itself as one of the vendors required to gain consent when a pop-up notification requests permission to use data for ad purposes.
She also said that the ruling pertained only to a prior version of the TCF, which has been updated as of 2023.
The TC Strings are ruled as personal data under GDPR. “We’d contest that point but we’ve argued our socks off for years,” Feehan added.
That means the data can’t be incorporated into data profiles for cross-web tracking, for instance. But some of the updates to the TCF, which were accepted by the Belgian DPA back in 2022, included more forceful and explicit terms and conditions for vendors that participate. They’re required to provide access to their consent logs for audits at any point without “undue delay,” for instance.
Otherwise, “the impact on the market is negligible,” Feehan said. Vendors or publishers using the TCF version need change nothing, she said. The claimants in the case and other EU advocates crowing that the TCF is now a potential risk for anyone that runs data-driven advertising in Europe notwithstanding. The original ruling by the Belgian DPA, which declared the TCF illegal and determined the IAB Europe a joint data controller for all activity using the TC Strings, was nullified.
“It is not illegal,” she said. “It’s legal.”
