The Interactive Advertising Bureau Europe (“IAB Europe”) is an EU association, which aims to create standards and frameworks, among others, for digital marketing and advertising organisations and enable them to prosper in the EU market.
They created the IAB Europe Transparency and Consent Framework (“TCF”) as a General Data Protection Regulation (“GDPR”) consent solution for the digital advertising companies. The aim was to support these organisations with the compliance of the data protection and privacy regulations such as the EU GDPR and the e-Privacy Directive. In particular the TCF provides standards on how website publishers should accommodate and implement the online identifiers (i.e., cookies) and the consent management for online personalised advertising.
But why has the IAB Europe been in the spotlight recently?
Last week the Belgian Data Protection Authority (“DPA”) imposed the IAB Europe an administrative fine (€250,000) due a lack of compliance with the EU GDPR. The DPA asserted users’ preferences are stored in a “TC string” and shared with companies that rely on the OpenRTB protocol, which is a “Real-Time Bidding” system that allows the interoperability between buyers and sellers in the digital advertising sector, so that they can eventually know whether the user has accepted or rejected the non-essential cookies.
What is the DPA’s rationale?
The DPA stated that the IAB Europe is the controller of users’ consent preferences through the TC String. Consequently, the authority found the IAB Europe responsible for not:
- keeping a record of their data processing activities;
- defining an accurate legal basis to rely on for the TC String data processing
- being transparent enough with users but using a vague and unspecific wording to users through the consent management tool;
- implementing the appropriate security measures to comply Data Protection by Design and by Default principle and in particular to ensure the data subject rights exercise;
- performing a data protection impact assessment; and
- appointing a data protection officer.
What will happen now?
The IAB Europe has two months to present a remediation plan and six months, from its validations by the DPA, to implement the mitigation actions.
