The Publisher Brief: The TCF Ruling, Appeal, and What Comes Next

Introduced in spring 2018, the IAB Transparency & Consent Framework, or TCF, aims to standardize consent sharing across the digital advertising industry. But a ruling in February 2022 has cast doubt on the future of TCF – so what does this all mean for publishers?

The Headlines

  • Created as a response to Europe’s GDPR legislation in early 2018, IAB Europe’s Transparency & Consent Framework was designed to streamline consent management so it could be shared seamlessly from publishers to advertisers via the programmatic supply chain.

  • Following two iterations of the framework, TCF v2.0 was placed under significant scrutiny by regulatory bodies, leading to a ruling in February 2022 by Belgium’s Data Protection Authority (APD) that deemed TCF to breach GDPR in its current form.

  • IAB Europe was fined €250,000 and has been given 6 months (from February 2022) to rework TCF so that it abides by GDPR requirements. In March 2022, the IAB filed an appeal against the ruling, placing the timeline in question.

What is the IAB Transparency & Consent Framework (TCF)?

When the General Data Protection Regulation (GDPR) came into effect across the European Union on May 25th 2018, the browsing experience for users in the region changed forever. Consent pop-ups gathering permission to track and/or target users became commonplace when first loading a website, and remain so to this day.

For ad tech’s part, the challenge was finding a way to translate consent from the individual user all the way down the programmatic supply chain. 

Around the same time, in April 2018, IAB Europe launched the first version of the Transparency & Consent Framework (TCF), a direct response to GDPR and the ePrivacy Directive, as a way for publishers to confirm user consent and transmit it via the supply chain. This is achieved via the ‘TC (Transparency and Consent) string’, which is an alphanumeric value stored within a local first-party cookie. The TC string contains information about the user’s consent: which areas it covers, the specific partners it extends consent coverage to, on what basis consent is processed, and so on. It’s the content of the TC string, and its ability to be passed downstream between vendors, that form the crux of some complaints against TCF.
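What the TC string carries, as an added example that is not part of the original article: a decoder for the leading fields of a TCF v2 core segment. The field names and bit widths follow IAB Europe's published TC string layout rather than anything stated on this page, the helper names `encode_core` and `decode_core` are hypothetical, and the sample string is constructed by the example itself.

```python
import base64

# Leading fields of the TCF v2 core segment as (name, bit width).
# Assumption: layout recalled from the IAB spec, not given in the article.
FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
    ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
    ("vendor_list_version", 12), ("tcf_policy_version", 6),
    ("is_service_specific", 1), ("use_non_standard_stacks", 1),
    ("special_feature_opt_ins", 12), ("purposes_consent", 24),
    ("purposes_li_transparency", 24),
]

def encode_core(values):
    """Pack field values into a core segment (only used to build the sample)."""
    bits = "".join(format(values[name], f"0{width}b") for name, width in FIELDS)
    bits += "0" * (-len(bits) % 8)  # pad to whole bytes
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_core(tc_string):
    core = tc_string.split(".")[0]  # optional segments follow, dot-separated
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    bits = "".join(format(byte, "08b") for byte in raw)
    if len(bits) < sum(width for _, width in FIELDS):
        raise ValueError("TC string too short for the core header")
    out, pos = {}, 0
    for name, width in FIELDS:
        out[name] = int(bits[pos:pos + width], 2)
        pos += width
    lang = out["consent_language"]  # two 6-bit letters, A=0
    out["consent_language"] = chr(65 + (lang >> 6)) + chr(65 + (lang & 63))
    # The leftmost bit is purpose 1; list the purpose IDs whose bit is set.
    for key in ("purposes_consent", "purposes_li_transparency"):
        out[key] = [i + 1 for i in range(24) if out[key] >> (23 - i) & 1]
    return out

# Constructed sample values, not a real user's string.
SAMPLE = encode_core({
    "version": 2, "created": 16440000000, "last_updated": 16440000000,  # deciseconds
    "cmp_id": 10, "cmp_version": 1, "consent_screen": 1,
    "consent_language": (4 << 6) | 13,  # "EN"
    "vendor_list_version": 120, "tcf_policy_version": 2,
    "is_service_specific": 0, "use_non_standard_stacks": 0,
    "special_feature_opt_ins": 0, "purposes_consent": 0b111 << 21,
    "purposes_li_transparency": (1 << 17) | (1 << 15),
})
```

Running `decode_core` over a string captured from your own site's consent cookie shows which CMP wrote it, when, and which purposes are flagged under consent versus legitimate interest.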

In 2020, the IAB released an updated version of TCF, aptly named TCF v2.0, which tightened the restrictions on how consent is gathered within consent pop-ups. TCF v2.0 was quickly adopted by leading Consent Management Platforms (CMPs), meaning that any publisher working with a TCF-compliant CMP could essentially automate consent collection without disrupting their existing programmatic supply chain. 

All seemed well in the world of TCF, with 80% of Europe’s digital publishers relying on its consent management framework… until February 2022. 

The APD Ruling on TCF – and what it really means

On February 2nd 2022, the Belgian Data Protection Authority (APD) along with 27 EU data protection authorities announced that they had ruled TCF v2.0 to be in breach of GDPR in its current form. The ruling follows a number of complaints from independent groups dating back to 2018 which question the legality of TCF and the way it processes “personal data” via the TC string. 

If you’re looking to dive right in, you can read the full 127-page ruling on TCF, but if you’re short on time, here are the specific points within the GDPR legislation which the APD believe TCF is breaching:

  • Articles 5.1.a and 5.2 (principles of fairness, transparency and accountability)
  • Article 6.1 (lawfulness of processing)
  • Article 9.1 and 9.2 (processing of special categories of personal data)
  • Article 12.1 (transparency of information, communications and modalities for exercising data subjects' rights)
  • Article 13 (information to be provided when personal data have been obtained from the data subject)
  • Article 14 (information to be provided when personal data have not been obtained from the data subject)
  • Article 24.1 (responsibility of the data controller)
  • Articles 32.1 and 32.2 (security of processing)

To distil all of this into plain English, the crux of the APD’s ruling is that, by collecting personal data of individuals via the TC string and passing it to other vendors, the IAB is acting as a “data controller”. If the IAB were acting as a data controller, it would need to be able to prove a legal basis for data processing, employ a data protection officer (DPO), and maintain a register of data processing activities, among other requirements.

Acting as a data controller is something the IAB disputes, instead insisting that it is processing user data under the auspices of “legitimate interest” (LI): one of six conditions within GDPR which will allow organizations to process personal data. The APD and other detractors contend that the use of LI is essentially a loophole to skirt GDPR rules and that TCF doesn’t align with the true definition of LI. 

The APD ruling goes on to describe the ways in which the TCF makes it difficult for individuals to maintain control over their personal data, with CMP pop-ups not explaining data usage in a “transparent, comprehensible and easily accessible manner”.

The sanctions, the appeal, and the (possible) future of TCF

At the time of the ruling in February 2022, the APD immediately hit IAB Europe with a €250,000 fine. In addition, it demanded that all of the personal data collected via the TCF must be deleted by any companies which pay IAB for use of the framework (that’s over 1000, including The MediaGrid and other well-known organizations). 

Finally, it set a hard deadline of 6 months from the date of the ruling – around August 2022 – for the IAB to rework TCF in a way which meets all regulatory requirements for GDPR. For each day beyond this deadline that the IAB doesn’t comply, a further fine of €5000 will be imposed. 

Importantly, the APD did not demand that TCF immediately cease operations, meaning the IAB and any publishers using the framework can continue to do so until at least the six month deadline. 

All of that said, on March 4th 2022, IAB Europe confirmed that it has filed an appeal against the APD’s decision, requesting a suspension of all sanctions until the Market Court in Belgium has made a final choice on whether they should be upheld. It expects this decision in the coming weeks. 

In the meantime, it makes sense for publishers to keep a close eye on the developments in Belgium, as well as ensuring they can adapt quickly should big changes happen to the way consent is handled in programmatic.    
