IAB Europe to appeal Belgian DPA decision; ICCL calls on deletion of TCF data

Julie Rubash, Chief Privacy Counsel
February 15, 2022



Four states introduce, and four states advance, privacy legislation

Arizona, Connecticut, Iowa, and Wisconsin all introduced new comprehensive privacy bills, and Florida, New York, Ohio and Virginia advanced privacy bills out of committee.

Virginia’s House also passed two bills (HB381 and SB393) by a 99-0 block vote that would amend the State’s Virginia Consumer Data Protection Act (VCDPA), referring the bills to the State Senate.


Although much of the pending legislation closely resembles the California, Virginia and Colorado laws that have previously been enacted, the three bills in Florida, New York and Ohio that recently advanced out of committee all contain some unique elements.

The New York bill would require opt-in consent before processing personal data of consumers and would establish controller obligations of loyalty and care.

The Ohio bill would create a safe harbor from its requirements for companies that comply with the NIST privacy framework.

The Florida bill would require opt-in consent for the sale of data of minors under 18.


The BBB National Programs’ Digital Advertising Accountability Program (DAAP) issued a compliance warning, highlighting that any combined information used to uniquely identify a device or user for purposes of interest-based advertising would be treated by the DAAP as equivalent to an Advertising ID, requiring compliance with the DAAP’s Self-Regulatory Principles for Online Interest-Based Advertising.

The warning noted that such data could include a combination of IP address, platform, brand, model, carrier, OS version, screen resolution, processor, or language settings, whether collected at once or over multiple settings, when used to tailor ads to a user/device.

The Principles, if applicable, would require notice, enhanced notice or consent, depending on the entity’s relationship to the user and the details of collection.


The DAAP is a privacy watchdog that monitors the advertising industry for compliance with its published principles.

Although the DAAP cannot itself bring formal regulatory enforcement action, it brings publicly published inquiries to resolve non-compliance and/or refers non-compliant companies to the appropriate state or federal regulatory agency. 



IAB Europe announced its plans to appeal the Belgium Data Protection Authority’s (APD) ruling holding IAB Europe’s Transparency and Consent Framework (TCF) to be in violation of certain aspects of the GDPR. In particular, IAB Europe announced its disagreement with the APD’s holding that IAB Europe constitutes a joint controller under GDPR of data processed by participants using the TCF in the context of OpenRTB.


It is unclear at this stage what impact (if any) the appeal may have on the timeline for IAB Europe’s action plan or implementation of subsequent changes to bring the TCF into compliance with the APD’s requirements.

IAB Europe said in its announcement that it “looks forward to working with the APD and other data protection authorities to ensure the TCF’s continuing utility in the market, and with the ultimate aim of having the TCF approved as a transnational GDPR Code of Conduct.” 

Read our FAQ on the Belgium DPA decision (continuously updated).

Advocates Demand Deletion of Digital Advertising Data

The Irish Council for Civil Liberties (ICCL) and Electronic Privacy Information Center (EPIC) sent letters to the CEOs of P&G, Unilever, Bank of America, Ford, GM, IBM and Mastercard demanding that they delete all data collected through use of IAB Europe’s Transparency and Consent Framework (TCF) in response to the Belgium Data Protection Authority’s (APD) recent decision against IAB Europe (see above). 

The letters claim that the APD’s decision required that data collected through the TCF no longer be processed and be removed accordingly.

The letters also claim that frameworks based on the TCF, such as the IAB’s CCPA Framework and the Partnership for Responsible Addressable Media’s (PRAM’s) Global Privacy Platform, are unlawful in any jurisdiction with laws analogous to the GDPR.


In response to news of the letters, IAB Europe stated that the advocates’ claims are unfounded, pointing out that the APD’s decision was against IAB Europe, not any of these advertisers (or any other participants in the TCF) and that the APD in its decision did not even order IAB Europe to discontinue use of the TCF, but rather gave IAB Europe two months to put together an action plan to fix the alleged GDPR violations, which plan could be implemented over the following six months.

CMA Accepts Google Privacy Sandbox Commitments

The UK’s Competition and Markets Authority (CMA) announced that it has accepted Google’s commitments addressing the CMA’s previously stated concerns regarding Google’s Privacy Sandbox. 

This round of comments, submitted in November 2021, was the second round of comments submitted by Google to the CMA. 

In this latest round, Google agreed, among other commitments, to clarify internal limits on data Google can use, provide greater certainty to third parties developing alternative technologies, report regularly to the CMA on how Google has taken account of third party views, and maintain its commitments for 6 years from acceptance by the CMA. 


The CMA’s acceptance of Google’s commitments will mark the close of the CMA’s investigation of Google on this matter. The commitments will become legally binding on Google, forcing Google to maintain an ongoing 6-year relationship with the CMA. 


Australia Court Rejects Facebook’s Appeal re Cambridge Analytica

In a case brought by the Australian Information Commissioner against Facebook Inc. arising out of the Cambridge Analytica scandal, an Australian Court rejected Facebook’s application to dismiss orders against it served overseas. 

The Court held that the Information Commissioner established a prima facie case that Australia’s Privacy Act applied to extra-territorial conduct by Facebook, because Facebook collected in Australia the personal information that was the subject of the Commissioner’s case. Specifically, the Court held it to be sufficient to be within the Act’s jurisdiction for Facebook to collect personal information by means of cookies installed on Australian devices. 


This is an important case demonstrating the application of Australia’s Privacy Act in the digital advertising context to companies outside Australia targeting Australian consumers. 

Among other requirements, the Privacy Act prohibits organizations that have collected personal information for a particular purpose from using it for another purpose, except in limited circumstances.

It also requires organizations to take reasonable steps to protect personal information from unauthorized disclosure. 


A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
