Is this the end of the TCF? And how can publishers remain compliant with GDPR?
Recently, the Belgian Data Protection Authority ruled that IAB Europe’s Transparency and Consent Framework (TCF) is not compliant with GDPR. So does this mean the end of the TCF? In this blog post, we will discuss what may happen to IAB Europe’s framework for consent management and how publishers can remain compliant with GDPR.
- What is the TCF?
- The charges against the TCF
- What will happen now?
- Is this the end of the TCF? What does it mean for publishers?
- What do publishers have to do now?
What is the TCF?
After the implementation of GDPR – a set of rules that harmonizes data protection for individuals across Europe – in 2018, IAB Europe created a framework that could be used as a standard to easily collect consent from users and share it with the rest of the supply chain. This tool is the “Transparency and Consent Framework”, and it allows publishers to inform their users of what data is being collected, which vendors are going to use it and why. The tool has since been modified and enriched, with a new version called TCF v2.0, as discussed in this dedicated blog post.
The charges against the TCF
Although it was created with good intentions, the TCF and its actual compliance with GDPR have been under scrutiny from many European national authorities, which have been progressively strengthening their guidelines on consent collection. For example, in Italy in July 2021, the local authority announced new guidelines for cookies and other tracking technologies. Publishers were given six months to adapt their cookie banners to these new regulations, providing users with more obvious options for not giving consent to data usage (more info in this blog post). In the same period, the French authority for data protection fined Google and Facebook 210 million euros, and forced them to change their consent policy to make refusing cookies as easy and immediate as accepting them.
Amid this general attention to data privacy across European countries, at the beginning of February 2022 the Belgian data protection authority (DPA), together with 27 other European authorities, alleged that the TCF in its current form is not compliant with GDPR. In particular, the DPA said that “the approach taken so far does not meet the conditions of transparency and fairness required by the GDPR. Indeed, some of the stated processing purposes are expressed in too generic a manner for data subjects to be adequately informed about the exact scope and nature of the processing of their personal data.” In other words, the TCF doesn’t explain clearly and simply enough why data is being used, so users are not fully informed about what they are giving consent to.
Another issue is legitimate interest. According to the Belgian authority, the TCF exploits GDPR’s “legitimate interest” option to collect and share consent-based IDs even for purposes that do not actually fall under the “legitimate interest” category, such as serving personalized ads.
Last but not least, there is the issue of controls. The Belgian authority declared that IAB Europe has the role of data controller for the TCF. As such, it is responsible for conducting strict controls on the multiple consent management platforms (CMPs) that use its framework, to ensure data is not collected and used improperly. This is a role that IAB has always denied having.
What will happen now?
On account of these accusations (you can read the full document by the Belgian DPA here), IAB Europe has been ordered to pay a fine of 250,000 euros, appoint a Data Protection Officer and delete all the personal data collected using the framework. Moreover, it has to make changes to the TCF to make it compliant with GDPR. IAB Europe has six months (from the judgement on 2 February) to meet these obligations and must present an action plan in two months. Meanwhile, however, IAB Europe has decided to appeal against the Belgian DPA’s decisions, leading to a temporary suspension of these requests until the end of the appeal process.
Is this the end of the TCF? What does it mean for publishers?
The fact that the TCF is the most used tool for consent management (it is used by 80% of Europe’s internet) makes what happened to IAB Europe, and its potential consequences, very important.
Without the TCF, CMPs would indeed lose a useful common framework to request consents, a framework currently employed by most of the internet, including big platforms like Google and Amazon.
Is this going to be the end of the TCF? It’s difficult to say. Certainly, the adjustments required of IAB would lead to big changes in the way publishers and their CMPs obtain user consent for data usage. But these changes could actually lead to an evolution of the current standard, rather than to its end. Once modified, and accepted by the authorities in Belgium and other European countries, the TCF could become a standard approved by all the accountable bodies in Europe – a tool to collect and use data across the whole Continent, balanced between monetization needs and users’ privacy.
In any case, these changes won’t happen immediately. Currently, the process is suspended until the appeal concludes, and if the ruling is confirmed, there are still around five months before the TCF as it is now would be officially considered illegal.
What do publishers have to do now?
What do publishers have to do in the meantime? It is important they monitor how the situation evolves, and check whether their consent tools are compliant with the new system.
Furthermore, it is critical to ensure their current CMPs are adaptable to changes that may be required, and to start testing different formats – clearer and more transparent – for consent requests.
To this end, working with a partner that is on top of things is very important. Clickio was one of the first companies to develop a TCF-compliant consent tool, and we continue to adapt it to the latest regulations. For example, we recently added several new “close button” options to help publishers in Italy comply with new guidelines there. We also constantly test different formats to ensure compliance with GDPR, while also maintaining high consent rates and a good user experience.