The GBA attacks the IAB Europe TCF: a bomb under online marketing in Europe?

Earlier this week, a document (albeit internal and confidential) became public in which the Belgian Data Protection Authority (GBA), in the context of an investigation following a complaint, examines the Transparency and Consent Framework (TCF) of IAB Europe in a particularly critical way.

The GBA is of the opinion that TCF, which is the standard in the online marketing world for collecting and sharing online profile data with a view to offering personalized online advertisements, would be fundamentally contrary to GDPR on several points.

This is a first report, not a final decision, but it can have very far-reaching consequences for the entire online marketing world and the way personalized ads are displayed to website visitors.

A potential bomb under the online marketing world in other words …

What is the IAB TCF?

The so-called Transparency & Consent Framework of IAB Europe, or TCF for short, is a standard that is used within the online advertising sector to obtain permission for the placing of cookies and other trackers that should enable advertisers to show website visitors targeted, personalized advertisements across different websites based on their surfing behaviour or their online preferences and profile information.
TCF is also the engine behind Real Time Bidding or RTB, which allows advertisers to bid in “real time”, through automated auction platforms and within a fraction of a few milliseconds, on a particular ad space on a particular website that is being visited at that moment by someone within the advertiser's target audience.

Why is this a problem?

Personalized advertising in itself is a good thing without a doubt. After all, relevance is king in online marketing. As an advertiser, you want to be able to deliver the right message to the right person at the right time. Only then can you be sure that your message will get through. People are inundated with advertising messages and only register what really concerns them personally. That is better for the advertiser, who spends less money on unnecessary advertisements, and for the website visitor, who is not disturbed with irrelevant content.

However, there is a serious legal sting to that relevance. After all, creating relevance requires knowledge of your audience and you build that knowledge with as detailed profile information as possible.

That profile information does not fall out of the blue, of course. This is where GDPR and cookie regulations (ePrivacy) come into play. Both require absolute transparency and an appropriate legal basis that allows you to collect data and share it with third parties. In the case of cookies, this legal basis is always prior consent. In the case of GDPR, theoretically, this can also be done without permission, on the basis of the legitimate interest. However, the Belgian Data Protection Authority was very strict at the beginning of this year in its analysis of the legitimate interest in the context of direct marketing (which, according to its analysis, also includes online marketing). As a result, also under GDPR, a de facto free, prior and informed consent is required to collect personal data for online marketing purposes such as RTB …

The problem for a whole range of privacy activists (as many as 22 organizations from 16 countries complained to the GBA) lies in their belief that this permission is absolutely not obtained correctly within the TCF framework. They have therefore collectively filed a complaint with the Belgian Data Protection Authority. The reason for filing the complaint in Belgium while it concerns a European platform is simple: IAB Europe has its offices in Brussels.

What does the GBA say?

The GBA follows the complainants in a first, admittedly interim, report. It confirms that it also believes that the current way of data processing within the TCF framework is not in accordance with GDPR.

Perhaps the biggest objection of the GBA is that, according to it, IAB itself is responsible for the processing of data that is collected and processed through its TCF framework by advertising agencies and advertisers. After all, according to the GBA, IAB Europe (co-)determines the purpose and means of the processing, and that makes it a controller under GDPR. This also means that IAB Europe has a whole series of obligations regarding transparency, obtaining consent, privacy by design, etc., which GDPR imposes on controllers.

We personally have questions about this approach by the GBA. After all, IAB only makes one tool available. It does not determine itself which data is collected, nor does it itself determine the purposes for which these data are processed by the recipients concerned. This seems at least open to criticism …

It is more difficult to refute the conclusion that when collecting profile data of website visitors via the TCF framework, “sensitive data” (or “particularly protected data”, as the GDPR actually calls them) may also be collected. This concerns, for example, medical data, data on sexual preference, political preference, etc. Under GDPR, this data may only be processed if you have received separate explicit consent from the data subject, which is usually not the case with online collection via cookies or trackers. All this, if the first conclusions of the DPA cannot be refuted by IAB Europe, is a fundamental fault line between TCF and GDPR, one that is also very difficult to reconcile, taking into account the countless administrations and advertisers that now have such sensitive data through TCF and that also use it daily in RTB campaigns.

Equally worrying for the future of TCF is the fact that TCF actively encourages the use of the legitimate interest as the legal basis for the processing of personal data in the context of online profiling and personalization. However, the Belgian Data Protection Authority already indicated last January in its Direct Marketing Recommendation that the legitimate interest can only serve as a legal basis for (direct) marketing purposes in very exceptional cases. However, consistently requesting separate consent for each collection and transfer of personal data is virtually impossible. The number of parties that intervene in particular in the Real Time Bidding process is so great that this seems difficult to achieve in practice.

In addition, the Belgian DPA has serious reservations about the security of the entire TCF system, in the sense that too few guarantees are built into the framework itself to guarantee the rights of the data subject. This too touches on one of the cornerstones of GDPR, making it a serious setback for the TCF.

Broader context: the end of third party cookies

All this did not come out of the blue. Anyone who has followed our website, our publications and our presentations over the past year knows that a landslide is underway in the online marketing world, especially in the context of the use of cookies and other trackers to collect data from website visitors.

This landslide received widespread attention last year when first the European Court of Justice and then the Belgian Data Protection Authority also took a hard look at websites that place cookies on the device of visitors without the prior free and informed consent of that same website visitor. But underlying things had been bubbling for a long time. Apple had previously announced that it would block all third party cookies (which mainly collect personal data for marketing purposes) via its ITP 2.1 protocol. Mozilla Firefox soon followed and went a step further by also blocking fingerprinting by third parties. When Google subsequently announced that third party cookies would also be blocked in Chrome from 2022, it was clear that the online marketing world was facing one of the greatest technical, practical and legal challenges of its existence, one in which it will have to learn to survive in a context of cookieless advertising …

We have already discussed this more than once in the past year, including in Obsessed by Marc Bresseel and Renout Van Hove and in an extensive Cookie Cahier that will soon be published by Politeia Publishers. This week it is also exactly the subject of our legal webinar at BAM, the Belgian Association for Marketing.

What does this mean in practice?

In the longer term, the entire sector will have to shift to a different way of advertising, to more contextual campaigns, to using more of its own profile data (whereby the same questions about GDPR compliance and the use of analytics cookies in particular will continue to surface again and again).

Not much will change in the short term. The leaked report is just an interim report. IAB Europe will still be able to defend itself (by 7 December 2020 at the latest) and there are certainly a whole series of useful arguments conceivable to water down the final position of the GBA. The final decision is not expected until the course of 2021.

However, all this is the writing on the wall for anyone who collects and processes personal data online, both within and outside TCF. More than 80% of websites in Belgium are still not cookie compliant and over 66% of Belgian companies are not yet GDPR compliant. In our practice, we see daily examples of marketing departments at large national and international companies in banking and insurance, industry, automotive, … that do not master the basics of a GDPR compliant marketing policy. The risks that this entails are magnified by the exponential growth of marketing automation tools, customer data platforms and other adtech toys that flood the market with promises of endless possibilities, but which very often do not comply with the basic rules of our privacy legislation.

So be careful. Have a GDPR compliance audit carried out on your marketing department in good time, think of Data Protection Impact Assessments before you get started with new tools and software, and also consider an extensive cookie scan of your website(s) in time.