IAB Europe is Expecting to be Present in Breach of GDPR

What is the TCF?

Before we get into the details of the GDPR breach and what this ruling could mean for advertisers everywhere, it is essential to review the basics of the TCF.

The Transparency and Consent Framework, or the TCF, is the technical standard for encoding user preferences regarding personal data. It also provides a set of best practices and guidelines for companies to collect and process data that will ultimately be used to develop targeted ads.

According to the IAB Europe, the TCF is designed to meet GDPR guidelines and serve as the only consent solution that will meet all the requirements. Their objective was to help all the various parties involved in the digital advertising chain to ensure that they comply with privacy directives and similar regulations. Of course, this includes storing and accessing user data like cookies, advertising identifiers, and other technology used to track behavior.

The TCF works by creating an environment that allows website publishers to tell their users what data they are collecting and what the company intends to do with it. This system will also show consumers what the businesses they partner with will do with their data.

By providing marketers with a common language to communicate user consent and deliver relevant disclosures, the TCF would simplify compliance with the GDPR. However, new reports issued by the Belgian information safety authority indicate that the TCF did not comply with privacy regulations.

The Breach of GDPR

So, how did the IAB Europe breach the GDPR?

Per the draft ruling, the TCF failed to meet the equity and accountability, transparency, and lawfulness of processing requirements set forth by the GDPR. As you can imagine, an organization that aims to help businesses comply with GDPR laws finding itself in a breach is problematic!

Consent Pop-Ups

Have you ever gotten one of those annoying tracking cookie consent pop-ups? Most advertisers like Google use them to obtain consent for the collection of ad targeting data – and these do not comply with privacy laws.

In fact, Europeans have been plagued by continuous consent spam that was inherently incompatible with the GDPR. This has been going on for over four years – and evidence indicates that the IAB Europe knew there were issues before they launched the TCF.

Since the IAB Europe manages the digital signals created on websites through the TCF, they themselves become a data controller. During this process, they got access to users’ choices regarding data collection and processing. This includes an identification code that applies the rules to the apps and websites they visit.

A parallel case can be made for the tracking-based ad system known as RTB or Real-Time Bidding. This system shares user behavior with thousands of companies, including location data and browsing history. It’s a free-for-all, and there is no way to keep such a massive amount of data secured.

Think of it as the largest data breach ever recorded – and the IAB Europe is a joint controller for this data. Not only will this impose new responsibilities for data processing and privacy, but it will also create a huge legal liability that comes with the risk of large fines if they do not meet all the requirements.

Additional Insight About the GDPR Breach

The official statement has not been released, but it is expected to identify specific infringements of privacy regulations by IAB Europe. While the advertiser is trying to get ahead of the news and correct some of the issues, they have not stated how they will do that – or if it is even possible.

They are attempting to calm the market and avoid panic by describing the situation as one that can optimistically be corrected. The IAB Europe should be apologizing rather than suggesting that the problem has an easy fix moving forward!

Likewise, the other EU DPAs must comment on the decision since it is a requirement under the GDPR’s procedure for standard cooperation to address cross-border complaints. The IAB was found to be in a breach about a year ago, but the decision has yet to be issued thanks to the slow pace that has become standard for privacy enforcement.

What is the Final Verdict?

You may be wondering, when will the final verdict be decided? Does this mean that Europeans will no longer have to deal with those obnoxious cookie consent pop-ups that seem to be everywhere?

The short answer is that the final verdict is still months away. We may not have a decision until the middle of 2022, and the IAB Europe will inevitably opt for an appeal. Regardless, this is just the beginning of the problems that the data tracking industry will face.

We can expect to see the draft ruling in a few weeks, and the report that Belgium shares with the other DPAs will begin the 30-day review period. During this time, the other regulatory authorities can comment on the draft ruling and file objections if necessary.

If they can’t agree, it will be up to the European Data Protection Board to step in and set a binding decision. The complainants seem confident that the IAB Europe has violated Europeans’ fundamental rights under the GDPR, though, so it may not come to that.