AdTech and privacy compliance: mission impossible
Why would one need IAB Europe’s TCF 2.0?
Please click here to read the details.
Digital advertising agencies and their clients are among those actors most impacted by the data protection laws. GDPR is no exception. Consent, transparency, security and legality of profiling and data transfer between the advertising networks require a considerable amount of time and effort spent by compliance teams. IAB Europe and its partner IAB Tech Lab engaged a wide variety of bright minds to create a common solution called Transparency and Consent Framework, or TCF, – a common set of policies and protocols to create an easy and manageable tool to collect consents and manage data flows between the RTB platforms.
No wonder advertising agencies decided to cooperate and work towards an industrial standard that would assist the key stakeholders. Advertising giants such as Google adapted their networks to TCF 2.0 mechanisms (for example, adapted the OpenRTB protocol (and Google’s AdBuyers Protocol) and created a sophisticated Authorized Buyers programme to comply with the transparency requirements of the GDPR.
Despite these efforts, TCF 2.0 is now a disputable tool. Vendors that worked towards joining the TCF 2.0 are now rethinking their development goals, and legal teams are reassessing their consent strategies.
Why?
Brief history:
- in 2019, a series of complaints were filed against IAB Europe (International Advertising Bureau Europe), including the most known data protection NGOs;
- among issues, core principles were mentioned, especially transparency and legality;
- first hearing took place on 11 June 2021;
- on 2nd of February, 2022, the Belgian data protection authority adopted a decision on the TCF 2.0 inadequacy to the requirements of the GDPR;
- IAB Europe expressed its decision to appeal this decision.
What did the Belgian authority’s Litigation Chamber say?
AdTech is traditionally a tough challenge for data protection rules. The mechanisms and approaches of digital advertising are changing so rapidly that no regulatory body is able to encompass all possible scenarios and approaches to processing personal data.
However, some new insights can be extracted from the decision that can be of assistance to the compliance officers.
Categories of personal data that are processed by the SSPs, DSPs, DMPs and other agents. For example, Belgian authority names the TC String (Section 318 of the decision), the URL of the visited page, device OS, screen parameters, unique identifiers, metadata on consent and longitude and latitude as personal data. Given this, the decision says that “it is beyond doubt that the GDPR applies […] to the RTB system […]”. (Section 29 of the decision)
Moreover, the adtech companies may process sensitive data based on the browsing history: visited websites reveal sexual orientation, political or philosophical convictions, health information, trade union memberships, etc. Needless to say, this data is subject to an increased level of requirements for processing to be regarded as lawful (Section 51 and Section 312 of the decision).
Risks that must be addressed in privacy or data protection impact assessments (PIA and DPIA):
- profiling and automated decision-making;
- large scale processing (as a prerequisite for triggering the DPO appointment, mandatory DPIA and consultations with the supervisory authorities);
- matching/merging of datasets (especially where new DMPs are used or merger and acquisition processes are underway);
- predictive and probabilistic analysis of website visitor’s behaviour;
- new use cases for existing technologies and datasets (for example, whether the original purpose of their use is in fact compatible with the new one);
- invisible processing of personal data (triggers the core principle of legality of processing and transparency). (Section 32 of the decision)
IAB Europe acts as a data controller in respect of the TCF. IAB Europe (1) developed the TCF and (2) imposed binding rules as to the use of the TCF for particular data processing activities. In contrast, IAB Tech Lab is not a data controller in respect of OpenRTB protocol, as it is merely providing the tool and allows the organisations to determine means and purposes of processing (Sections 44-46 of the decision).
Authorised Buyers programme wasn’t investigated in this decision (Section 47 of the decision).
TCF allegedly violates nearly a dozen of the GDPR requirements (Section 48 and 49 of the decision):
- Principles of fairness, transparency and accountability (see below).
- Lawfulness of processing (legal basis): consent, legitimate interest or contractual necessity are not considered valid legal bases. The authority mentions that IAB Europe has failed to demonstrate the rights and freedoms of data subjects to have their data not processed for the purposes outlined by the IAB Europe in the TCF configurations (Section 50).
- Processing of special categories of personal data and transparency of information, communications and modalities for exercising data subjects’ rights: IAB Europe’s Privacy Policy does not comply with the GDPR’s requirements for transparency (Articles 12, 13 and 14):
- “is not always transparent or understandable” (Section 53 of the decision);
- “available only in English” and contains ambiguous terms (“services”, “other means”, “partners”, “third parties” are not understandable without prior explanation), “the information provided is incomplete and inadequate” (Sections 54 and 55 of the decision);
- it does not specify which security measures are used to safeguard the international transfer of data;
- it does not enlist TCF as a source of personal data;
- contains no mentions of the obligation to provide personal data and possible consequences for not providing personal data (Section 55).
- Responsibility of the data controller: IAB Europe is a data controller and thus cannot waive its data controller obligations or pass them through to the adtech vendors (Sections 329 and 361 of the decision). This is supported by the notion that it is IAB Europe that plays a decisive role in the dissemination of data (Section 330 of the decision).
IAB Europe’s allegedly not able to monitor the compliance with its data protection rules (Finding #3): CMP developed as a part of TCF can continue exchanging data with a publisher even if it reasonably considers the website owner as of the one who does not comply with the rules imposed by IAB Europe (Section 57).
Interesting, however, that IAB Europe provides a long list of evidence that its controllership hasn’t been established by other supervisory authorities (such as Belgian, German, French and the UK) (Section 74).
IAB Europe and the participants of the TCF program are considered joint controllers (Section 371 of the decision). - Security of processing: IAB Europe, at the opinion of the authority, did not take necessary technical and organisational measures. For example, because of the absence of validation by IAB Europe, CMPs are theoretically able to falsify or modify the consent signal (Section 484 of the decision).
- Register of processing activities: IAB Europe has not provided ROPA until the second reply to the authority. As the Belgian regulator outlines, IAB Europe “does not consider itself obliged” to keep the record of processing activities as a small organisation (exception provided in Article 30.5) (Sections 59-60).
- Cooperation with the supervisory authority: IAB Europe responded to the requests for additional information “with a delay” (and did not provide ROPA until the second request) (Section 61 of the decision).
- Appointment of a data protection officer: IAB Europe reserved the right to access the data that organisations participating in the TCF collect and process while asserting that it is “a professional association whose main activities are to provide information and tools”. It aligns with IAB Europe’s position that the organisation is not a data controller with respect to the TCF. Given that the authority has found a controllership in the actions of IAB Europe (“IAB Europe developed and manages the TCF […] and as such […] has a right to access and to store and process all information provided by participating organisations” (Sections 62 and 63 of the decision), this finding triggers the IAB Europe’s obligation to appoint a data protection officer under Article 37 of the GDPR.
Some of them are subject to a higher threshold of fines.
What’s next?
Key points:
- TC String can be considered personal data;
- IAB Europe is to be considered as a data controller with respect to the TCF;
- Ad vendors, publishers, CMPs, and IAB Europe are considered joint controllers;
- CMPs can be regarded as data processors if they comply with the IAB Europe’s guidelines;
- Consent cannot be used as a legal basis of processing due to lack of necessary granularity and transparency;
- Legitimate interest as a legal basis of processing fails the balancing test: the legitimate interest of the participating organisations does not outweigh the protection of the fundamental rights and freedoms of the data subjects;
- Current TCF users cannot rely on contractual necessity as a legal basis;
- IAB Europe hasn’t adopted necessary technical and organisational measures to protect the data;
- Articles 44 to 49 of the GDPR (international transfer) are considered violated, too (but without a sanction, as the authority wasn’t able to investigate the violations);
to name a few.
Considering this, the decision closes the discussion of whether one can rely on the offered privacy product and indemnify the compliance cost (no, you can’t). Regardless of the type of your organisation, you must separately assess the risks and compliance gap to ensure that nothing was left unattended.
The cost of the IAB Europe’s TCF compliance gap is a remediation deadline (6 months after the remediation plan provided by the Belgian DPA; in other words, extra compliance costs) and 250.000 EUR administrative fine.
However, sad news for the digital advertising: in Section 495, the authority says that the processing operations carried out on the basis of the OpenRTB protocol are not in accordance with the basic principles of purpose limitation and data minimisation because of the lack of safeguards provided for in the GDPR. However, it seems the regulator calls for improvement of the protocol instead of closing it, and it can give a promising boost to the protocol developers’ work.
Reminder: to make a donation please click here.