IAB Europe's Cookie Consent Framework Breaches GDPR Rules

In a move which has huge potential implications for the online ad industry, the Belgian Data Protection Authority (DPA) has ruled that IAB Europe's cookie consent framework violates GDPR. 

The ruling by the Belgian DPA found that the 'Transparency and Consent Framework (TCF), developed by IAB Europe, fails to comply with a number of provisions of the GDPR'. 

It essentially calls into question the legality of pop ups like the one below, which ask for users' consent for the purpose of third party advertising. 

The ruling may mean that the consent data collected from users under the current framework will need to be deleted, which constitutes a massive logistical challenge, to say the least. 

consent popup

What is the TCF? 

IAB Europe represents the digital advertising and marketing industry in Europe, and its framework (TCF) helps ad firms to collect and manage customer consent for advertising. 

The TCF helps the capture of the users’ preferences through a Consent Management Platform, usually a pop up.

These preferences are then coded and stored in a 'TC string' which shares user preference with advertisers and ad tech vendors so companies know whether or not they can use this data for retargeting and other forms of advertising. 

As IAB Europe explains

"The TCF’s simple objective is to help all parties in the digital advertising chain ensure that they comply with the EU’s GDPR and ePrivacy Directive when processing personal data or accessing and/or storing information on a user’s device, such as cookies, advertising identifiers, device identifiers and other tracking technologies."

"The TCF creates an environment where website publishers can tell visitors what data is being collected and how their website and the companies they partner with intend to use it. The TCF gives the publishing and advertising industries a common language with which to communicate consumer consent for the delivery of relevant online advertising and content. "

What does the Belgian DPA ruling say? 

Essentially, the Belgian ruling finds that IAB Europe, through the TCF, is acting as a data controller, as are the publishers, tech vendors and other organisations using the scheme. 

As such, they are legally responsible for the use of this data, and possible violations. 

The DPA also rules that IAB Europe has failed to carry out the tasks required of a data controller, including keeping a register of processing activities, appointing a data protection officer, and conducting a data protection impact assessment.

The ruling also finds that the consent pop ups fail to adequately inform users of the way their data is processed, meaning they're unable to control their personal data. 

IAB Europe was also fined 250.000 EUR. 

What happens next? 

IAB Europe takes issue with the ruling, as you might expect, rejecting the finding that it is a data controller. There's also the potential prospect of a legal challenge to the ruling.

It has been given two months to present a plan (and six months to carry it out) outlining corrective measures which bring the TCF into compliance with GDPR rules, and to ensure vetting of participating organisations. 

The ruling has the potential to throw the online ad industry into chaos, as the TCF was the key framework through which GDPR compliance was maintained. 

The hope will be that IAB Europe finds a solution which enables the continuation of the current system, but it's uncertain whether it will be possible to meet the parameters for consent laid out by the Belgian DPA.

Rulings like this one, along with greater consumer awareness of data privacy, and moves like Google's phasing out of third party cookies, make a zero party data future ever more likely.