IAB Europe Press Statement: Response to Latest GDPR Complaints
This week has seen complaints submitted to four new European Data Protection Authorities (DPA), in Belgium, Luxembourg, the Netherlands and Spain, by a number of consumer privacy activists. This follows complaints originated by Johnny Ryan, an executive from an internet start-up, and it has been suggested by a lawyer working with the complainants that this is part of a co-ordinated approach to generate a “cascade of complaints” to a wide range of DPAs.
As the nature of the complaints are very similar, it suggests there is still some confusion regarding the mechanics of the online advertising industry, the role a not-for-profit trade association such as IAB Europe plays and the purpose of an industry framework like the IAB Europe Transparency & Consent Framework (TCF).
Whilst this is not the forum to go into detail on the nature of Real-Time Bidding (RTB), we did want to provide some further clarity on the IAB Europe Transparency & Consent Framework.
The TCF was developed with the sole purpose of ensuring that when personal data is processed for the purpose of digital advertising that this takes place under an appropriate GDPR legal basis, with the various conditions of that legal basis being met.
The current version of the TCF enables website publishers to obtain consent from a user for the processing of personal data in relation to advertising and content personalisation and to store or access information in connection with processing data for one of those purposes. During this process, the B2B advertising technology companies the publisher works with to generate advertising revenue for their site are also disclosed to the user.
The TCF uses a standardized protocol – a series of rules, guidelines and language – to capture and communicate in a consistent way the choices made by a website user. The protocol makes it clear to all parties operating within a digital advertising value chain which vendors have received user consent for data processing, and for what purposes. If any vendor or Consent Management Platform (CMP) implementing the TCF shares the personal data of a user with another vendor that does not have a GDPR legal basis, that vendor or CMP is acting in violation of the TCF Policies and Terms & Conditions and will be suspended from the Framework.
We launched the Transparency & Consent Framework (TCF) in April 2018 and have recently issued an update, TCF v2.0, for public consultation. Once implemented, as part of a more complete accommodation of the “legitimate interests” legal basis, Version 2 will integrate the users’ “right to object” functionality directly into the string of data being communicated between business partners. This will increase visibility and control for users and publishers and give confidence to users that their data may not be used for personalised ads, if that is their wish.
Over the past year we have had the chance to present V1 of the TCF to a number of European DPAs. Indeed, some of the changes in V2 reflect our attempts to take account of DPA feedback on V1. As we socialize V2 and the important changes it brings, we will continue to work with DPAs and to seek their guidance on how the Framework can promote compliance with both the GDPR and the ePrivacy Directive.