European watchdog: All data collected about users via ad-consent popup system must be deleted

All data collected "so far" through the Transparency & Consent Framework (TCF) by means of a TC String – part of its consent popup system – must now be deleted by international digital marketing and advertising association IAB Europe.

Over 1,000 firms pay IAB Europe to use TCF. This includes Google's, Amazon's and Microsoft's online advertising businesses.

The TC String is a coded character string storing information about consent in the context of the realtime bidding (RTB) system OpenRTB.

This is according to a decision handed down today by the Belgian data protection authority [PDF] finding that the "consent solution" fails to properly request consent, and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by the online advertising tracking under Article 5(1)a, and Article 6 of the GDPR.

The DP watchdog also cited additional GDPR breaches, namely that: consent was not "properly requested"; there was not enough "transparency about what will happen to people's data (articles 12, 13, and 14)"; there was a failure to "implement measures" to ensure data processing was compliant with the GDPR (article 24); and that IAB failed to respect the requirement for "data protection by design" (article 25).

The ruling spoke about the use of the TCF in the context of the realtime bidding (RTB) system OpenRTB. OpenRTB is a protocol that governs the connection between ad space providers, publishers (ad exchanges, sell-Side Platforms, ad networks etc), and competing buyers who are bidding on that ad space.

IAB Europe has argued that it can't be held responsible for the alleged illegal practices of "RTB participants, as the TCF is completely separate from RTB." The litigation chamber conceded that IAB Europe was not "a data controller in that context," but maintained that because "TCF is the tool on which OpenRTB relies to justify its compliance with the GDPR," it "plays a pivotal role as regards the OpenRTB."

What is TCF?

TCF is a "consent solution" designed to help online ad-slingers to show they comply with the EU's General Data Protection Directive (GDPR) and ePrivacy Directive when they process personal data or access and store information on a user's device. Broadly, this includes cookies, ads IDs, ways to identify users' devices and more. The data is pivotal to the operation of real-time bidding (RTB) systems, which automatically match adverts with the viewers whom advertisers want to reach (based on data collected).

IAB Europe describes itself as "the European-level association for the digital marketing and advertising ecosystem." It represents over 5,500 organisations, including trade assocs and private companies. The IAB Global Network, meanwhile, is made up of several international licensee organisations.

The most recent iteration of TCF, v2.0, came out in August 2019, "following extensive industry consultation particularly with publishers and the industry associations."

Delete it all

The litigation chamber ruled:

• Belgium watchdog reckons online advertisers should be data controllers under GDPR
• Euro watchdog will try to extract $900m from Amazon for breaking data privacy laws
• Dutch national broadcaster saw ad revenue rise when it stopped tracking users. It's meant to work like that, right?
• Google fined €500m for not paying French publishers after using their words on web
• Ex-Brave staffer launches GDPR sueball in Germany over tech giants' real-time bidding for ad inventory

IAB Europe responded to the ruling, saying: "We reject the finding that we are a data controller in the context of the TCF. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge.

"Notwithstanding our grave reservations on the substance of the decision, we look forward to working with the APD on an action plan to be executed within the prescribed six months that will ensure the TCF's continuing utility in the market."

It also noted in a recent report it commissioned by GfK that "digital advertising in the EU generates annual revenues of €41.9bn, with growth of 12.3 per cent yoy," that "behavioural targeting is used in 66 per cent of all digital advertising and contributes to 90 per cent of digital advertising growth," and that "69 per cent of Europeans are willing for their browsing data to be shared for advertising, in order to access digital content such as news articles and online video, for free."

This specific lawsuit was first filed in June last year by the Irish Council for Civil Liberties with the Belgian Data Protection Authority (although the ruling will apply Europe-wide due to the GDPR's "one-stop-shop" mechanism). However, it followed some years of complaints about the insecurity of the online advertising Real-Time Bidding (RTB) system initiated by Johnny Ryan and others.

Ryan, formerly the chief policy officer at privacy-focused browser biz Brave, called today's decision "momentous news."

Ryan has previously touted the benefits of contextual targeting, such as that used by privacy-focused search engine DuckDuckGo, citing a study showing a Dutch national broadcaster got more ad revenue when it stopped tracking users than it had netted when it followed them.

Besides deleting already collated data, under the ruling, the IAB will have to make the TCF GDPR-compliant with the breached articles, carry out a data protection impact assessment covering both the processing activities under the TCF and the "impact of these activities on subsequent processing under the OpenRTB," and get a data protection officer in place to oversee all this.

It also has to provide "a valid legal basis for the processing and dissemination of users' preferences within the context of the TCF." It has six months to do so and has to submit an action plan to the DPA within two months, or else pay a fine of €2,000 a day.

IAB has 30 days to appeal.

Over in the United States, the ads-trade body is facing similar moves to curtail data processing in the form of the Banning Surveillance Advertising Act [PDF]. The proposed federal legislation, which was floated just last week, seeks to ban targeted advertising by saying that "advertising facilitators" may not target ads to individuals "based on their personal information."

"Banning personalized ads would severely impact an increasingly important economic sector, stifling innovation and dramatically harming the small business community who use data-driven advertising to promote their goods and services and reach customers all over the world," IAB CEO David Cohen said of the move at the time.

The IAB's Annual Leadership meeting takes place this coming Monday. Oh to be a fly on the wall. ®