The fate of consent strings hangs in the balance – but don’t expect a quick resolution.
IAB Europe’s litigation with Belgium’s data protection authority (DPA), which began in February with a ruling over the legality of IAB Europe’s Transparency & Consent Framework (TCF), will drag on for another year at least.
This week the Belgian appeals court deferred specific questions in the case to the Court of Justice of the European Union.
The appeals court will not deliberate until these questions are answered.
Some background: Earlier this year, the Belgian DPA ruled that the TCF, which is an IAB Europe-backed solution used by the programmatic ad industry to convey consent signals in an effort to comply with GDPR, is illegal in its current form.
The DPA gave IAB Europe a six-month deadline to submit a plan for a new framework. IAB Europe met that deadline and submitted an action plan.
But before the higher Belgian court makes its decision on the appeal, it wants the EU’s high court to rule on two items: One, is IAB Europe a data controller for the TCF and, two, can TC Strings (the term for TCF data signals packaged with an RTB bid) be considered personal data?
“If we’re not a data controller in the context of the TCF then there’s no case really,” IAB Europe CEO Townsend Feehan told AdExchanger. “They’re foundational issues.”
Under (or out of) control?
It was practically inevitable that the issues raised by the Belgian data watchdog would end up before the top EU court.
If IAB Europe loses its appeal – meaning that the ruling classifying it is a data controller for the TCF is upheld – then the trade org would be financially liable for any GDPR claim brought against the programmatic supply chain.
But the wheels of justice grind very slowly. The EU court is unlikely to rule for a year and potentially not until 2024, Feehan said. Whenever that finally happens, the Belgian court will resume its deliberation based on the answers that come from on high.
If TC Strings are considered personal data, it would strengthen any case brought against a bad actor in the programmatic supply chain, because misusing the TC String would be reason enough for a suit.
The regulator or aggrieved party wouldn’t need to prove that the string could be connected to an email, another identifier or the device. Because third-party cookies are already considered personal data under GDPR, it’s feasible the Court of Justice could rule that TC Strings constitute personal data as well.
The TCF’s fate primarily depends on whether the EU court considers IAB Europe to be a data controller for the framework. If that happens, the wheels might come off the TCF project.
That’s because GDPR calls for joint and several liability. To cut through the legal jargon, it would mean that IAB Europe could be held entirely responsible for any claim brought against an online publisher, ad tech company or data supplier that’s plugged into the TCF. IAB Europe would be responsible for identifying the bad actor to recover some of those damages.
“Financially, it’s not obvious how to make that work,” Feehan said. “The implications are staggering for any standards organization.”
The Belgian POV
Hielke Hijmans, leader of the Belgian DPA litigation group that brought the case against IAB Europe, said in a statement that the case “has an impact that goes far beyond Belgium.”
It also goes beyond IAB Europe, depending on whether standards organizations are deemed financially liable for systems they oversee – even open-source tech.
“That’s why we think it is a good thing that it is being discussed at the European level, at the Court of Justice of the EU,” Hijmans said.
But while the EU Court of Justice focuses on IAB Europe’s status and whether consent strings are personal data, there remains another critical issue for the Belgian court to clarify.
While the Court of Justice deliberates, which could drag on for some time, can the TCF continue to operate? The answer has big implications for targeted advertising on the web.
The Belgian DPA hasn’t quashed use of the TCF since February.
“It’s kind of self-evident that the decision is in effect suspended,” Feehan said. “But there is no formal suspension, so we’ll have to see in the coming days what the Belgian authority communicates with respect to its intentions, in connection with the action plan.”
In other words, the Belgian DPA might continue to grant a reprieve so that publishers and ad tech can use consent strings in accordance with the six-month action plan presented by IAB Europe in the interim while the EU court slowly does its thing.
But if the TCF is suspended, even just for a few months, that would create a serious problem for an entire category of programmatic vendor: consent management platforms.
CMPs are publisher tech solutions that collect privacy and consent data and manage that data for use in advertising. They rely heavily on the TCF.
For now, though, it’s a matter of waiting and seeing what happens.
“The TCF is like a shark,” Feehan said. “It has to keep moving and evolving all the time.”
