Skip to main content

IAB Europe Fined by Belgian DPA for GDPR Violations

    The latest GDPR violation decision comes from Belgium, as the Belgian DPA fined IAB Europe €250,000 for GDPR violations stemming from their Transparency and Consent Framework (TCF). We explore the background of this case and the range of impacts it will have on marketing and advertising agencies across Europe.

    What is IAB Europe?

    IAB (Interactive Advertising Bureau) Europe is a digital marketing and advertising association made up of national IABs, media companies, tech firms, and marketing & advertising agencies. Their mission is to promote collaboration between politicians and the advertising and marketing industry, in order to create industry-wide standards and practices that help business development throughout Europe.

    What is the Transparency and Consent Framework (TCF)?

    One of their greatest achievements was the creation and implementation of the TCF. They describe it as “the only GDPR consent solution built by the industry for the industry, creating a true industry-standard approach.”

    Basically, the TCF creates an environment where website owners can inform visitors about what types of personal data are being collected, how the data will be processed and used, and which other third-parties have access to it. The TCF also gives professionals a common language to use when delivering information about informed consent regarding the collection of personal data.

    The purpose was to help ensure that everyone involved in the digital marketing and advertising process was compliant with GDPR and ePrivacy when processing personal data or storing information on devices through the use of cookies, IDs, and other tracking technologies.

    This has been especially important for companies using the OpenRTB protocol - one of the most widely used real-time bidding protocols, important for advertisers bidding for ad space on websites. Everyday users are often unaware of these protocols and algorithms, which target them and control the processes behind the scenes, but they are familiar with pop-ups. These pop-ups or banners - usually run by consent management platforms (CMP) - allow users to consent to the collection and use of their personal data. The TCF helps capture, through the CMP, the users’ preferences. 

    Afterwards, the preferences are stored in a TC String that can be shared with other organizations in the OpenTRB system. This string, along with the cookies, are tied to the IP address of a user - making them identifiable.

    The Case against IAB Europe

    Since 2019, the Belgian DPA has received numerous complaints about IAB Europe, specific to the TCF and how it violates GDPR. Just this week, they concluded the case and agreed with the arguments in the complaints. 

    Based on the use of TCF, the DPA stated that IAB Europe is “acting as a data controller with respect to the registration of individual users’ consent signal, objections and preferences by means of a unique Transparency and Consent (TC) String, which is linked to an identifiable user”. This means that they are bound by GDPR and responsible for any violations. They went on to list various GDPR infringements: 

    • Lawfulness: IAB Europe did not establish a legal basis for processing the TC String.
    • Transparency: The information provided by the CMP is too generic and vague, which makes it difficult for users to have control of their personal data.
    • Accountability & security: There are no organization or technical measures in line with data protection by design and by default.
    • Other obligations: IAB Europe had not appointed a DPO, completed a DPIA (data protection impact assessment), or kept a log of processing activities. 

    Based on these findings, the Belgian DPA has fined IAB Europe €250,000, while giving them two months to create an action plan for remedying these infringements and six months to implement them. The DPA has also stated that IAB Europe must, without delay, delete all user data that has currently been processed under the current TCF system.

    IAB Europe plans to appeal this decision, telling Forbes magazine: “We reject the finding that we are a data controller in the context of the TCF. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge.”

    The Impact of the Belgian DPA Decision

    Just like with the Austrian DPA decision against Google Analytics, the recent Belgian decision, will have far-reaching effects across Europe and the US.

    As Hielke Hijmans, Chairman of the Litigation Chamber of the BE DPA, stated in regard to the decision, “The processing of personal data (e.g. capturing user preferences) under the current version of the TCF is incompatible with the GDPR, due to an inherent breach of the principle of fairness and lawfulness. People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day in order to expose them to personalised ads. Although it concerns the TCF, and not the whole real time bidding system, our decision today will have a major impact on the protection of the personal data of internet users. Order must be restored in the TCF system so that users can regain control over their data.”

    Based on the one-stop mechanism, this decision in Belgium is immediately enforceable across the entire EU. Currently, around 80% of Europe’s internet relies on TCF, according to the Irish Council for Civil Liberties. The decision to sanction IAB Europe and limit the use of TCF, along with the requirement to delete all current data, will impact publishers, advertisers, tech companies, and big tech companies like Google and Amazon. 

    Many advertisers are looking for a way forward, but for publishers and website owners next steps could be implementing cookieless options that no longer track IP addresses, store data on user devices, or require consent preferences through CMPs. 

    At Visitor Analytics, we build everything with a privacy-first mindset, meaning our product is GDPR/CCPA compliant and able to function without the requirement of cookies, consent banners, or the storing of data.