FAQ: Belgian DPA’s decision regarding the IAB’s TCF
May 5, 2023
On 11th January 2023, the Belgian DPA approved the IAB Europe’s action plan to align the TCF with their requirements. The IAB Europe challenged this with an appeal in February 2023. On 15th March 2023, the IAB Europe announced that the Belgian DPA had agreed to suspend the six-month implementation period of the action plan until decisions have been rendered regarding the IAB Europe’s two legal challenges, currently with the Market Court and the Court of Justice of the European Union (CJEU).
The IAB Europe’s Transparency & Consent Framework (TCF) is the most widely used advertising industry framework for GDPR compliance. Launched in 2018, it is used by Consent Management Platforms (CMPs) that have been validated by the IAB Europe, across the biggest media companies in Europe and the US.
In 2020, a series of GDPR complaints were filed against the IAB Europe by a pan-European consortium of privacy activists, including Johnny Ryan of the Irish Council for Civil Liberties and previously Chief Privacy Officer at privacy-first browser Brave. These complaints were focused on the IAB Europe’s Transparency & Consent Framework; in parallel, there were complaints about Real Time Bidding (RTB).
In November 2021, the inspection service of the Belgian Data Protection Authority (DPA), known as the APD, issued a preliminary report finding that the TCF fails to comply with the GDPR principles of transparency, fairness and accountability, and the lawfulness of processing. Subsequently, the case moved to the litigation chamber of the APD. The draft decision was released and sent to the other European DPAs for feedback.
On 2nd February 2022, the APD issued their final decision.
On 7th September 2022, the Belgian Market Court referred legal questions regarding the fundamental legality of the TCF to the Court of Justice of the European Union (CJEU).
On 11th January 2023, the APD announced the IAB Europe’s action plan had been approved.
On 10th February 2023, the IAB Europe announced it had filed a challenge to the APD’s decision to validate the action plan.
On 20th April 2023, the IAB Europe held a webinar providing an overview of the main differences between the current TCF v2.1 and TCF v2.2.
IS MY TCF CMP NON-COMPLIANT WITH GDPR?
Despite some misleading headlines, the TCF itself has not been found illegal.
The Belgian DPA approved the IAB Europe’s action plan, but subsequently opted to suspend the six-month period for implementation until higher courts resolve open questions impacting the action plan. Meanwhile, a lot of progress has been made with the action plan, and we are hopeful that this collaborative work will help the industry harmonize their approach to data privacy in Europe.
In the short-term, until the action plan is implemented, publishers who are concerned about whether TCF can still be used to collect valid consent can supplement the information disclosures they make about data processing purposes with simpler, clearer language.
WHAT WAS THE BELGIAN DPA’S (APD) RULING?
On 2nd February 2022, the APD announced that they had decided to give the IAB Europe two months to create and submit an action plan to implement corrective measures, including (among others):
- the establishment of a valid legal basis for the processing and dissemination of users’ preferences within the context of the TCF, as well as the prohibition of the use of legitimate interest as a basis for the processing of personal data by organisations participating in the TCF;
- the strict vetting of participating organisations in order to ensure that they meet the requirements of the GDPR.
The main takeaways are, according to the decision:
- IAB Europe is a data controller
- The TCF string is personal data
- There are some incorrect designations of legitimate interest
- The IAB has two months to present an action plan, after which the issues will be remedied within 6 months
This ruling from the APD follows their announcement on 25th November 2021, that it had finalized and sent to its European counterparts a draft decision regarding compliance by IAB Europe’s TCF with GDPR. 27 supervisory authorities indicated their willingness to be involved in that procedure.
The DPAs had a period of four weeks to provide feedback, after which the decision was finalized. You can read the APD’s full decision here.
The IAB submitted an action plan to the APD for approval on the 2nd April 2022.
The IAB subsequently appealed the decision to the Belgian Market Court. On 7th September 2022, in response to the appeal, the Market Court issued a judgment that referred several legal questions to the CJEU. The IAB Europe says they expect that the CJEU will not render a decision until 2023 or 2024.
WHAT DOES THIS MEAN FOR THE FUTURE OF THE TCF?
We believe this is an opportunity to improve the standard.
We’ll continue to be your partner, and help you adapt to the ever-changing regulatory landscape.
Standards are a very good thing for compliance, and this is something we know that many DPAs agree on.
The IAB Europe has announced the changes coming to TCF v2.2.
WHEN WILL I HAVE TO MAKE CHANGES TO MY CMP IMPLEMENTATION?
One of the definitive findings from the APD was that legitimate interest is not an acceptable legal basis. Customers should consult their own legal teams, as always, but we do recommend that you take the opportunity to change the legal basis to consent for any vendor or purpose with flexible legal bases.
Furthermore, we recommend taking this opportunity to audit your vendor list and CMP implementation with your legal team to ensure you’re fully compliant with the current TCF policies.
To ensure you can still benefit from the TCF, you should make sure your house is in order. If you are looking for help surfacing triggered vendors on your website, reach out for a demo of our Diagnose compliance monitoring platform.
The IAB Europe submitted the action plan to the Belgian DPA on 1st April 2022. You can read the IAB’s previous press release about the action plan here and the IAB Europe’s reaction to the APD’s validation of the action plan here.
In the meantime, the IAB has announced that TCF v2.2 will be released on 15th May 2023. The switchover from TCF v2.1 to TCF v2.2 should be completed by 30 September 2023.
WHAT IS THE IAB’S APPEAL?
The IAB Europe filed an appeal to the Market Court (Court of Appeal of Brussels) on 4th March against the administrative ruling by the Belgian Data Protection Authority (APD). They dispute that they are a controller for the recording of the TC Strings, and a joint controller for the dissemination of TC Strings and other data processing done by other TCF participants under OpenRTB. As mentioned above, on 8th September 2022, the Market Court issued a preliminary judgement, which referred legal questions about the appeal to the CJEU.
In their 12th January 2023 press release about the APD’s validation of the action plan, the IAB Europe expressed concerns about implementing changes to the TCF while the CJEU’s responses are still pending.
Subsequently, on 10th February 2023, the IAB Europe announced their challenge to the APD’s validation of the action plan. According to the IAB, the action plan validated by the APD is premised on the assumptions that a) the TC string should be considered personal data and b) the IAB Europe acts as a joint controller for dissemination of TC Strings and other data processing done by TCF CMPs, publishers, and vendors. The IAB has argued that since both a) and b) are questions still under consideration by the CJEU, there should be interim measures to avoid having to roll back TCF implementation changes once the CJEU eventually renders their ruling.
IAB Europe FAQ
Read the IAB’s FAQ (updated March 2023).
Read the IAB’s blog post about the changes coming to TCF (24 April 2023).
Sourcepoint’s Guide to TCF v2.2
Read our blog post about everything you need to know about TCF v2.2.
Watch our webinar about the APD’s decision
Sign-up to view our on-demand webinar about the decision. We give an overview of the APD’s decision, talk through different actions publishers and advertisers should consider right now, and do a Q&A. Register here.
An essential part of our business model is anticipating changes in the data privacy landscape and adapting our product and services to help you navigate those changes. We’re prepared to support you in making any changes needed. This is why Europe’s largest publishers choose to partner with Sourcepoint for GDPR compliance.
“It’s not about the TCF, it’s about the future of advertising”
Read Sourcepoint’s co-founder and CEO’s statement on the Belgian DPA’s ruling here.
The Sourcepoint blog is provided for general, informational purposes only, does not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.