IAB Europe is making progress in its effort to prove the validity of the Transparency & Consent Framework (TCF), the trade group’s mechanism for conveying consent data under GDPR.
Belgium’s data protection authority (DPA) announced on Thursday that it has approved IAB Europe’s action plan, a six-month overhaul of the TCF, which was deemed illegal by the Belgian agency in February.
But, a bit like in a triple-jump competition, this first hop only gets IAB Europe a small part of the distance it needs to travel.
Although the Belgian DPA’s approval of the action plan is a critical first step, IAB Europe must still defend itself on two points the Belgians raised to the EU’s Court of Justice. First, the court must decide whether IAB Europe is a joint data controller for the TCF and, second, whether the TCF string – the RTB data packet that signals whether someone has given consent for targeting or analytics – counts as personal information.
Let’s break it down.
The controller conundrum
The main issue at hand is whether IAB Europe should be considered a joint data controller.
“If we’re not a controller, the whole enforcement action should never have happened,” IAB Europe CEO Townsend Feehan told AdExchanger.
For reference, GDPR imposes obligations on data controllers and DPAs have enforcement mandates over controllers. If the EU court says IAB Europe isn’t a joint controller for the TCF, it’s a strong sign of the program’s sustainability.
On the other hand, it could be disastrous for the TCF if the EU court determines IAB Europe is a controller.
In that case, IAB Europe, not just the publisher and any ad tech vendors that use the data, would have to gain consent from users. The trade body would also be legally responsible for any GDPR violation raised by a European citizen or organization against a publisher or tech company that misused TCF data in any way.
As a joint controller, IAB Europe could be sued for the full GDPR penalty and then it would be up to the trade org to track down the vendors or publishers that misused the data and bring legal action against them to recoup their share of the fine.
“I think it would be a perversion of the role of a trade association or standard setting organization,” Feehan said, “and, ultimately, financially unsustainable for us.”
Nothing personal?
Also still up in the air is whether TCF data should be considered personal data.
IAB Europe doesn’t think so. “TCF strings are not unique,” Feehan said.
There haven’t been enough cases yet to settle all the question of exactly what’s personal or not, but “unique” has not been the standard. Third-party cookies fall into the personal data bucket, for example, even though they connect to a device and not an individual. (A household might share a laptop, for instance.)
IAB Europe is also waiting for clarity on whether legitimate interest is a viable mechanism for collecting data for advertising purposes, or whether publishers must have explicit consent.
Legitimate interest is a valid lawful basis to collect user data as long as it’s necessary for site or business operations. Think fraud detection services, crime prevention or website security.
Publishers hope that maintaining their ad business and/or analytics might qualify.
According to Feehan, the text of the GDPR does support this claim, but she also noted that DPAs across Europe appear to be settling on the idea that consent must be earned for any data-driven advertising use case. It’s not clear that legitimate interest is going to fly.
IAB Europe’s outlook
So, what does the Belgian DPA’s approval of IAB Europe’s TCF action plan really mean?
Not much, actually.
It’s a necessary first step in a process that moves slow as molasses. The Belgian DPA made its original pronouncement almost a year ago, and, although IAB Europe submitted its action plan on time, the review has been delayed because the EU court must clarify its questions before the Belgian DPA makes a ruling.
IAB Europe is now in an awkward position.
By validating IAB Europe’s action plan, the Belgian DPA set the clock running. IAB Europe now has six months to implement those changes.
But, and this is a big but, the whole overhaul effort might be made moot by the EU high court’s eventual ruling. If the court determines that IAB Europe is a joint controller or decides that the TCF does indeed carry personal data, the action plan might need to be updated or even thrown out entirely – potentially along with the TCF itself.
Talk about tossing the baby with the bathwater.
But Feehan is encouraged by the Belgian DPA’s approval of the action plan in full and by the stress it put on making prompt changes.
Without the TCF, Google’s first-party consent program and publisher network would be the only show in town for ad targeting.
But IAB Europe is facing a group of very motivated opponents.
In December, the same law firm and complainants that first raised questions about the legality of the TCF to Belgian authorities won a case in a regional court in Munich, Germany against Focus, a magazine owned by a major German publisher, which was collecting data on the basis of legitimate interest and using the TCF to target audiences. The Munich court – which, it’s important to note, is not a data regulator – ruled that TCF strings are personal information.
A DPA will have to substantiate the Munich case in order for that ruling to be a serious threat to the TCF’s legitimacy. But it’s an ominous sign that demonstrates how drawn-out cases can complicate privacy compliance.
The Belgian DPA’s case against the TCF remains up in the air while the EU court mulls the issue. Yet the Belgian DPA’s ruling that the TCF is illegal was explicitly cited by the Munich court as grounds for its decision, which, of course, is also now being appealed.
And even while that case makes its way through the German court system, the Munich judge’s decision will be cited as precedent before the EU high court in order to establish TCF data as personal information and potentially outlaw the program.
It’s a long and frustrating process, Feehan said, “especially since these are probably all things that reasonable people could have just sat down and had a policy conversation about three years ago.”
