What you need to know:

• The IAB Europe’s Transparency & Consent Framework has been found to have operated illegally, after a major decision by Belgium’s GDPR regulator.
• The Belgian Data Protection Authority ruled IAB Europe must pay a fine and has two months to substantially overhaul the TCF, which underpins consent and data management for Europe and more than 1,000 adtech companies and publishers.
• The IAB has a two month deadline to submit an “action plan” – a timeline it believes it can meet, while campaigners say this spells the end to online behavioural targeting.
• With Australia considering its own GDPR-like privacy laws, these decisions could have profound impacts on the local adtech ecosystem.

Behavioural targeting targeted

Pop up consent banners that have allowed advertisers to track and target European internet users without materially changing the way they operate have been found to be illegal under EU privacy laws.

In a decision that has profound implications for the behavioural advertising industry, including publishers, ad tech players and tech giants like Amazon, Google and Microsoft, the Belgian Data Protection Authority found IAB Europe had violated the region’s General Data Protection Regulation (GDPR) in processing personal data through its “Transparency and Consent Framework” (TCF).

With Australia looking to introduce its own wide-ranging privacy legislation – which IAB Australia warns could go further than GDPR, these decisions are likely to be closely watched by the Australian digital ad industry.

The TCF is used by publishers, adtech vendors and Consent Management Platforms, ostensibly to tell online visitors how their data is being collected and therefore comply with GDPR, allowing them to access real-time bidding (RTB) programmatic ad auctions. It uses “TC Strings” to capture a user’s preferences.

But a group of privacy campaigners coordinated by the Irish Council of Civil Liberties’ Dr Johnny Ryan filed a series of complaints against IAB Europe, alleging its TCF was “consent spam” that resulted in large-scale breaches of EU privacy laws. It did not keep data secure, didn’t get adequate consent and wasn’t transparent about how data was used.

IAB Europe, meanwhile, says on its website its TCF is “the only GDPR consent solution built by the industry for the industry”, and submitted to the Belgian regulator the framework was a “cross-industry best practice standard”.

In a decision released on Wednesday, the Belgian DPA found 15 separate infringements of the articles of GDPR – including four that the campaigners themselves had not identified.

It fined IAB Europe €250,000 (A$396,000), ordered it overhaul its entire TCF, appoint a Data Protection Officer, and, crucially, submit an action plan within two months detailing what it proposed to change. All changes must be made within six moths. The fine sounds small, but IAB Europe’s revenue in 2020 was less than €2.5m. Every day it delays in overhauling the system will cost an extra €5,000.

Another important sanction: IAB Europe must delete any illegally gathered data.

“Any personal data collected so far by the means of a TC String in the context of the globally scoped consents, which is no longer supported by IAB Europe, shall be deleted without undue delay by the defendant,” it wrote.

The Belgian DPA said IAB Europe had been “aware of risks linked to non-compliance” and “was negligent”. The TCF supports “a system posing great risks to the fundamental rights and freedoms of the data subjects, in particular in view of the large scale of personal data involved, their profiling activities, the prediction of behaviour, and the ensuing surveillance of data subjects.”

Reaction to the decision

IAB Europe released a statement shortly after the decision was announced. It acknowledged the decision and noted “that the decision contains no prohibition of the Transparency & Consent Framework (TCF), as had been requested by the complainants, and that the APD considers the purported infringements by IAB Europe that it has identified to be susceptible of being remedied in six months.

“We reject the finding that we are a data controller in the context of the TCF,” IAB Europe’s statement continues.

“We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge.”

The organisation goes on to say they believe this decision paves the way for TCF to be submitted as a “formal GDPR transnational Code of Conduct”.

The Irish Council for Civil Liberties had, understandably, a different reaction to the decision.

“Google, Amazon, and the entire tracking industry relies on IAB Europe’s consent system, which has now been found to be illegal,” it wrote.

“All data collected through the TCF must now be deleted by the more than 1,000 companies that pay IAB Europe to use the TCF.”

The ICCL’s Dr Johnny Ryan said: “This has been a long battle. Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies.”

Ryan, meanwhile, has an ongoing court case against the IAB Tech Lab and Xandr over their involvement in RTB.