IAB’s Ad-Tracking Doesn’t Meet GDPR Standards

What’s Going On?

IAB Europe, an association for online advertising companies, launched its Transparency and Consent Framework (TCF), on the 25th April 2018, to help the digital advertising ecosystem comply with obligations under the GDPR and ePrivacy Directive. The Belgian Data Protection Authority (DPA) launched an investigation that found the framework for targeting with behavioral ads violated multiple GDPR rules and failed to meet data protection standards. 

The IAB Europe’s TCF works by asking users to accept (or reject) ad trackers, with the stated aim of helping publishers comply with the EU’s data protection rules. The Belgian DPA states the IAB Framework allows companies to swap sensitive information about people even when this has not been authorized and provides inadequate controls for the processing of intimate personal data that occurs in the real-time-bidding (RTB) system.

What spurred the creation of the TCF?

IAB Europe’s TCF was introduced in response to Europe’s tightening of data privacy with the General Data Protection Regulation (GDPR). The GDPR created standards around consent to process personal data and introduced major financial penalties for companies found non-compliant, thereby severely upping the risk for the ad tracking industry. According to TechCrunch, the framework has been widely adopted, including by one of the data processing monopolies, Google. So although the TCF is popular, the Belgian DPA says the framework fails to comply with GDPR principles of transparency, fairness and accountability, and also the lawfulness of processing.

In TechCrunch’s review of the report, the DPA also finds that the TCF does not have appropriate guidelines for the collection of highly sensitive personal data from particular groups like health records, political preference, sexual identity, but still all of that information is being processed regardless. IAB Europe said in response it “respectfully disagree[s] with the [Belgian DPA]’s apparent interpretation of the law, pursuant to which IAB Europe is a data controller in the context of publishers’ implementation of the TCF.”

The report is not a final ruling, and the DPA has not technically found the TCF to breach the GDPR. It is an interim document representing conclusions of the DPA’s “Inspection Service” following an investigation of the TCF conducted during 2019 and 2020. The Belgian DPA forwarded its findings to its Litigation Chamber, who will issue a ruling sometime next year.