Understanding the Belgian APD decision on the IAB TCF (Feb 2022)

Context and decision

Recommended immediate actions

FAQ

Context and decision

The Belgian Data Protection Authority (the “APD”) fined IAB Europe 250,000 euros on Wednesday February 2nd, 2022, ruling IAB Europe is a data controller of the consent information (also called the TC String) stored by CMPs and shared with adtech vendors through the Transparency and Consent Framework (the “TCF).

As IAB Europe did not consider itself a data controller in the context of the TCF, the APD found that they did not comply with all the obligations that apply to data controllers (such as appointing a DPO, maintaining a data processing register, etc.). It should be noted that IAB Europe still rejects the finding that it is a data controller and can still appeal from the decision.

IAB Europe now has a month to challenge the decision, two months to provide its action plan to the APD to fix the issues raised by the authority, and six months to deliver against such an action plan from the date the APD agrees on the content of such action plan.

Does this decision mean publishers and vendors should stop relying on the TCF? We believe that this would constitute a terrible outcome for everybody, but more importantly for users. And it is certainly not the intention of the APD. This is why the APD gave the IAB Europe six months to come up with an action plan to fix the issues pointed out in the decision. We will work hand in hand with the IAB Europe and the APD to resolve the issues pointed out by the APD. 

In the meantime, we have put together a list of concrete recommendations that our customers can immediately implement to meet some of the challenges raised by this decision.

Recommended immediate actions

This section presents our best recommendations to adapt your consent notices and your usage of the TCF to the APD decision at the moment. The situation will evolve over time and we will adapt our recommendations as we gather more information.

Recommendation 1 - Require consent for all TCF vendors and purposes via publisher restrictions

The APD indicates that legitimate interest is not an acceptable legal basis for the purposes of the TCF:

"the Litigation Chamber finds that the legitimate interest of participating organizations cannot be deemed an adequate legal ground for the processing activities occurring under the OpenRTB, based on users’ preferences and choices captured under the TCF." (paragraph 461)

We recommend adding publisher restrictions to only require consent as a legal basis for all vendors and all purposes of the TCF. See our guide to configure publisher restrictions in your consent notices.

Recommendation 2 - Evaluate and limit the number of vendors for which you are collecting consent

The APD indicates that a high number of vendors in a consent notice and in the adtech ecosystem prevents informed consent from users:

"the Litigation Chamber emphasises that the large number of third parties, i.e. the adtech vendors that will potentially receive and process the personal data of the users contained in the bid request, based on the preferences they have submitted, is not compatible with the condition of a sufficiently informed consent, nor with the broader transparency duty set out in the GDPR" (paragraph 472)

We recommend limiting the number of vendors added to your consent notices and that operate on your websites and mobile applications. Your list of vendors should be exhaustive (i.e. all the vendors that ever process personal data from your users should be listed) and should reflect a high level of control of your supply chain and of how personal data is collected and processed. In particular, we recommend to clearly identify international data transfers which are also under the focus of European Data Protection Authorities (and are mentioned by the APD in their decision, though identified as out of the scope of this decision).

The number of vendors that is acceptable has not been explicitly indicated by the APD and likely depends on your business, your monetization constraints, and how you operate so we cannot make a one-size-fit-all recommendation.

If you need help establishing your list of vendors and evaluating what vendors are the most important for your business, our friends at Agnostik can evaluate your current setup and the contribution of each vendor to your revenue so that you can make informed decisions. Over the years, Agnostik has developed a unique expertise in assessing vendor identity and behavior.
You can also reach out to your Customer Success Manager for help on the topic.

Recommendation 3 - Present the categories of data collected in the text of your consent notice or the preferences

The APD also states that categories of data should be disclosed to users on the CMP notice:

the Litigation Chamber understands that the user interface of the CMPs does not provide an overview of the categories of data collected, which makes it impossible for users to give their informed consent.

Only an overview of the categories of data collected is required by the APD, which means that it won’t be necessary to disclose the full list of data that can fit into a bid request. The APD probably refers to behavioral data, contextual data, and so on.

We recommend our publishers and advertisers use our free-form field in the Console to add the relevant categories of data. This text will sit below the list of purposes that will be displayed in the consent notice. Furthermore, categories can also be displayed on the first layer of the consent notice through CSS injection to make the experience clearer and more consistent. 

Here is a suggested text: In the context of your access to our website, we and our partners may store and access non-sensitive information from your device, like cookies or a unique device identifier, and process personal data like online identifiers (such as IP addresses or advertising ID), behavioral data (such as your browsing history) or your geolocation data.

Recommendation 4 - Nest IAB purposes into categories

In its decision, the APD clearly points out that the TCF, in its current form, does not provide for appropriate purposes:

The Litigation Chamber finds that the proposed processing purposes are not sufficiently clearly described, and in some cases are even misleading”. 

From today on, we will offer our customers the ability to use their own language to describe the TCF purposes they (or their partners) rely on. This will constitute a temporary measure until IAB Europe provides us with more information as to what they will do to adjust the TCF purposes to better address the need to balance clarity and granularity.

Recommendation 5 - Make consent withdrawal easy & accessible

In its decision, the APD clearly points out that ineffective consent withdrawal endangers the validity of the consent. While the TCF can not currently ensure the real time propagation of a consent withdrawal, we suggest (i) to ensure an easy and straightforward consent withdrawal by adding a link to reopen the CMP on every page of you website or mobile app and (ii) to ensure your CMP configuration is adequate in particular if you are using a Tag Management System to trigger tags.

Recommendation 6 - Resurface the CMP notice to your users

While asking IAB Europe to delete all the consent information collected in the context of the global scope, the APD states: 

“It is the responsibility of the CMPs and the publishers who implement the TCF, to take the appropriate measures, in line with Articles 24 and 25 GDPR, ensuring that personal data that has been collected in breach of Articles 5 and 6 GDPR is no longer processed and removed accordingly.” (para. 535)

This suggests that all the consent signals (i.e. TC String) collected prior to the decision, may be in breach of key provisions of the GDPR. This is why we recommend our publisher clients to resurface the notice to their users once the above-mentioned recommendations have been implemented. This will erase the previous consent signals collected through the TCF.

FAQ

Are there concrete legal risks for me to continue to use a CMP integrated with the TCF?

In principle, no - first for timing and procedural reasons, second for technical and legal reasons. 

On timing and procedure, the APD decision (i) can be appealed and (ii) includes a grace period, in the form of first a period of two months to present a plan to the APD to take into account the APD’s conclusions and in total six months to implement them. Any investigation or complaint before the end of these follow-up procedures (appeal if relevant, and APD collaboration) could be challenged as preventing the proper course of the justice system. This notably stems from the fact that many other local Data Protection Authorities have given input to the APD before it handed down its decision, as well as general principles regarding the rights of defense. 

Next, from a more technical and legal perspective, the APD decision itself does not conclude that the use of TC Strings or the TCF more broadly is illegal. While it does hint in its decision that an order for a given publisher or CMP to delete TC Strings if they contain “personal data that has been collected in breach of Articles 5 and 6 GDPR”, it never concludes that vendors publishers or CMPs automatically collect personal data in breach of the GDPR. In other words, the APD decision does not make it much easier for local Data Protection Authorities to attack specific vendors, publishers or CMPs.

Should I disable the TCF on my website?

We would not recommend this. There is nothing in the APD’s decision that even remotely suggests that consent prompts are, as such, illegal or that they should not be employed by the digital advertising ecosystem to comply with legal requirements under the EU’s data protection framework. If anything, the APD appears to require the disclosure of additional information in consent popups. This is because the APD considers user preference signals (i.e, TC Strings under TCF) as personal data that requires the establishment of a legal basis under the GDPR and also, that users cannot reasonably expect that their preferences are saved. As a result, disclosing information about such additional personal data collection and processing (in consent prompts) could be the only way to establish transparency about and user control over the creation, storage and processing of TC Strings.

Will the legitimate interest legal basis be removed from Didomi’s CMP?

​​The APD assessed and concluded that reliance on legitimate interest was inadequate for purposes that entail targeted advertising or profiling of users (excluding non-marketing related purposes such as audience and performance measurement). It is therefore unclear if the requirement for IAB Europe to prohibit the reliance on legitimate interests as a legal ground for the processing of personal data by TCF participants shall apply to all TCF purposes or solely to purposes related to personalised advertising and profiling. Because of the lack of clarity of the APD’s position on this point, IAB Europe will look at this issue in its discussions with the APD - as well as in any legal challenge, if applicable (see question “Will IAB Europe appeal to the Market Court?”).

In the meantime, you can still add publisher restrictions to impose consent as a legal basis (see our Recommendation 2 above).

What are the impacts of the APD decision on Didomi as a CMP under the TCF?

We are still evaluating the impacts of the decision, but it would appear that the APD takes the stance that CMPs are joint controllers of the consent information (the TC string in this instance). CMPs should therefore establish a legal basis as any controller would.

Didomi as a potential joint-controller.

We note that, according to the APD, CMPs could be considered joint controllers of the consent information. This directly conflicts with what other DPAs have said. We will work with IAB Europe and our customers to determine the best course of action. If we were to conclude that we are indeed joint controllers with IAB Europe and our customers, we will ensure that an appropriate legal basis is established.

Legitimate interest as a legal basis.

Although the APD appears to consider neither consent nor performance of a contract are available legal basis for the processing of TC String by IAB Europe, it seems legitimate interest could constitute an adequate legal basis : the APD considers that capturing users’ approval and preferences to ensure and demonstrate users have validly consented to or not objected to advertising purposes may be considered a legitimate interest, and that the information processed in a TC String is limited to data strictly necessary to achieve the intended purpose. However, it notes that users must be informed about their preferences being stored in the form of a TC String, and provided with a way to exercise the right to object to such storage/processing.

What is the timeline?

The APD decision (i) can be appealed and (ii) includes a grace period, in the form of first a period of two months to present a plan to the APD to take into account the APD’s conclusions and an additional six months to implement them. 

Is it a Belgium-only decision? Should businesses in other European countries also apply the APD decision?

A draft of the decision was shared with other DPAs. The APD received comments from two authorities regarding the joint-controllership established by the APD, the use of legitimate interest for certain processing operations, the scope of the corrective measures, as well as the administrative fine envisaged and the relationship between IAB Inc. and IAB Europe. A revised draft of the decision was then shared with the other concerned DPAs, which did not trigger any comment.

This indicates that the other DPAs were aligned with the findings of the APD. As a result it is likely that other DPAs will take this decision into account to assess any claim going forward.

 

If you have any further questions relating to this decision, please reach out to your Customer Success Manager.