APD v IAB – TCF Changes Ahead

On 2 February, the Belgian data protection authority (the “APD”) published its much-anticipated ruling relating to the Transparency & Consent Framework (the “TCF”), operated by IAB Europe.

What is the TCF?

The TCF intends to provide a standardised method through which all stakeholders in the adtech ecosystem (publishers, vendors and, indirectly, advertisers) can technically communicate an end user’s choices and preferences as to how personal data relating to that user may be used. This includes obtaining and communicating a user’s informed consent to processing of such data for a number of predefined purposes.

Operation of the TCF is undertaken through the use of consent management platforms (“CMPs”) that are displayed to a user on a given publisher site, provide the required transparency information, and permit the user to accept or reject the use of their data for the specified purposes.

Key to the TCF is the Transparency and Consent String (“TC String”). This defined set of letters and numbers is generated by the CMP and encapsulates the user’s preferences in a standardised manner. This is then subsequently communicated throughout the adtech ecosystem to indicate that user’s preferences to those parties that do not have a direct path to the user themselves (for example, adtech vendors and advertisers).

Key findings of the APD’s ruling

IAB Europe presents the TCF as simply being a framework to allow for participants to communicate in a standardised manner. By creating certain rules, parameters and structure around the framework, and requiring certification for participation for certain types of organisations, IAB Europe intends for TCF to provide a controlled, trusted environment for user preferences to be collected and communicated.

However, the complainants contended that IAB Europe exercises sufficient control over the TCF and granularly determines its operation in such a manner that it becomes a data controller of the scheme as a whole, including in relation to personal data used by its participants.

In its ruling, the APD adopted the latter view, holding that IAB Europe is in fact a data controller in respect of the TCF and the processing of data through the framework, and a joint controller with other participating organisations of the TC String. This represents a very broad application of the concept of a data controller under GDPR by the APD.

This finding leads to several further implications, together with consideration and assessment of key elements of the TCF, including its ability to obtain valid consent from a user.

Notably, this represents the first ruling specifically on the TCF by a data protection authority.

Within the ruling, the APD made a number of additional key findings:

  • The TC String, although itself not able to directly identify a user, can be combined with a user’s IP address to indirectly identify an individual, making this personal data. This shows the APD adopting a similar position to that taken by the EDPB – if data allows an organisation to “single out” an individual, in order to make decisions in relation to that individual, such data would be considered personal data. As the position taken by IAB Europe previously (and the TCF participants) was that the TC String was not personal data, this has a number of consequential impacts within the ruling.
  • The processing of the TC String itself, even to communicate “no consent”, is therefore processing of personal data in its own right. This is an important point, as the position previously adopted by IAB Europe and TCF participants was that the TC String is not personal data. Accordingly, CMPs (who are responsible for obtaining a lawful basis for processing of personal data from users and subsequently encoding these preferences into TC Strings before communicating these to TCF participants) have not designed their solutions (including their compliance positions) on the basis of processing personal data. In fact, given the finding that the TC String is personal data, the ruling further holds that CMPs should be considered joint controllers of the creation and communication of TC Strings and the “processing of users’ personal data within the TCF and the OpenRTB system”. Given that CMPs currently only focus on obtaining a lawful basis for processing of the personal data within the relevant bid requests that flow through the TCF to adtech vendors (and not for the TC String, on the previous basis that the TC String is not personal data), CMPs make no provision for their own processing of personal data as they encode a user’s preferences to create, and subsequently communicate, the TC String. This position is not compliant with their new responsibilities as joint controllers of these activities and will need to change going forward.
  • In its current form, TCF, as implemented by CMPs, does not provide a valid lawful basis for processing personal data – therefore a lawful basis cannot be communicated through the adtech ecosystem under TCF. The reasoning for this is two-fold: (i) in relation to consent, the APD considers that information currently provided by CMPs is not sufficiently transparent to allow a user to provide valid and informed consent; and (ii) in relation to legitimate interests, the APD does not consider this to be an appropriate or valid lawful basis under TCF (see below for full analysis).
  • IAB Europe does not currently sufficiently monitor and police participating organisations’ compliance with the rules of the TCF.

The future of the framework

Of course, the ruling raises a number of questions as to the future of the TCF and its ongoing form. To highlight some of the key themes:

  • Valid consent is potentially obtainable through TCF, albeit not in its current form
    • As noted above, in its current format, the TCF does not provide a valid lawful basis for processing of personal data, as:
      • “the proposed processing purposes are not sufficiently described, and in some cases are even misleading”;
      • “the user interface of the CMPs does not provide an overview of the categories of data collected”;
      • “the TCF makes it particularly difficult for users to obtain more information about the identity of all data controllers to whom they give consent to process their data […]. In particular, the recipients for whom consent is obtained are so numerous that users would need a disproportionate amount of time to read this information”;
      • “the information CMPs provide to users remains too general to reflect the specific processing operations of each vendor, thus preventing the necessary granularity of consent”; and
      • “enrichment of the data in a bid request with personal data already held […] cannot possibly be properly informed, since the TCF in its current format does not provide for participating organisations to indicate what personal data they already hold and what processing operations they already perform with these data”.
    • Finally, the ruling holds that consent, once obtained by CMPs, cannot be withdrawn as easily as it was given and any withdrawal will not be communicated proactively by CMPs to TCF participants – rather, it will only take effect the next time that the applicable TCF participant engages with that user through the CMP API (meaning processing of that personal data could continue during such period despite consent having been withdrawn).
    • Despite the concerns raised by the APD, as noted above, by requiring IAB to update the requirements of TCF to provide additional transparency and information to users, the APD does seem to endorse (or at least not entirely reject) TCF as conceptually being able to provide valid consent were these areas to be remedied.
    • In its current form, however, TCF and its implementation by CMPs does not reach the GDPR required standard of transparency. There remains a question as to what exactly “informed” consent requires in the context of the adtech ecosystem. Throughout the ruling, the APD places significant emphasis on the large number of parties involved in the adtech ecosystem, together with the complexity of the use of data. The age-old challenge therefore of providing sufficient information for a user to be considered “informed” but without overwhelming that user with complex, technical information, remains.
    • The APD in a number of places within the ruling mentions potentially requiring CMPs to present a “unified user interface” across all publishers. The exact form of this interface, and the information this includes, remains to be seen.
  • Creating and communicating the TC String is, in itself, processing personal data
    • Given that the ruling holds the TC String to be personal data in itself and CMPs to be data controllers of its processing, CMPs will need a lawful legal basis for processing the TC String. We therefore expect to see CMPs offer users a third option (in addition to the current accept all/reject all) that allows the user to decline the creation of a TC String at all, so that the CMP is able to justify a lawful basis (whether consent or legitimate interests) for the creation and communication of the TC String.
    • The challenge here will be the adjustments needed throughout the adtech ecosystem to react to this third option – currently many tech stacks are set up to either process personal data (where a TC String is provided that permits this) or not process that same data (where a TC String is provided that indicates that there is no lawful basis for such processing). Publishers as well as vendors will need to consider the impact of this third option and how their tech stacks will need to be updated to function in this circumstance.
  • Legitimate interests is no longer a valid lawful basis under TCF for targeted advertising (but may be for processing the TC String)
    • Within the ruling, the APD undertakes a detailed analysis of the use of legitimate interests as a lawful basis for: (i) processing and communicating the TC String; and (ii) processing personal data through the TCF and OpenRTB system, in each case considering the three-limb test established in the Rigas judgment, namely that in order for a controller to rely upon “legitimate interest” as a lawful basis for processing, the controller must demonstrate that:
      • “the interests it pursues with the processing can be recognised as legitimate (the ‘purpose test’);
      • the processing envisaged is necessary for the purposes of achieving those interests (the ‘necessity test’); and
      • the balancing of these interests against the interests, fundamental freedoms and rights of data subjects weighs in favour of the data controller or a third party (the ‘balancing test’)”.

TC String

  • For processing and communicating the TC String, the APD holds that, in respect of:
    • the first limb of this test, “capturing users’ approval and preferences in order to […] be able to demonstrate that users have validly consented to or not objected to the processing of their personal data for advertising purposes may be considered to be carried out for a legitimate interest” and hence the first limb is met;
    • the second limb of this test, “the information processed in a TC String is limited to data that are strictly necessary to achieve the intended purpose” and hence the second limb is met;
    • the third limb of this test, “users are not offered an option to completely oppose the processing of their preferences in the context of the TCF”, instead the choice offered to users is to either accept or reject the processing of personal data for given purposes and by given adtech vendors, through the TCF framework. Whichever choice is made by a user, this choice will be encoded within a TC String and stored within a cookie on the user’s device. Given that users are not informed of this processing and cookie storage, and are not informed of their right to object to such processing, the third limb “is not currently met”.
  • The above analysis undertaken by the APD would seem to open the door for CMPs and other joint controllers (including IAB Europe) to potentially be able to rely on legitimate interests as a lawful basis for the creation, storage and communication of the TC String, provided the requirements set out within the third limb are met going forward (i.e. that the user is offered a choice to completely oppose the processing of their preferences in the context of the TCF and is informed of their right to object to any such processing).

OpenRTB

  • For processing personal data through the TCF and OpenRTB system, the APD repeats the same three-limb analysis and very clearly concludes that legitimate interests “cannot be deemed an adequate legal ground for the processing activities occurring under the OpenRTB, based on users’ preferences and choices captured under the TCF”, in particular as:
    • “the lack of specificity of the stated purposes means that the first condition for specific lawful processing is not met with the standard descriptions of the processing purposes and pursued interests”;
    • “in the absence of measures that adequately demonstrate that no inappropriate personal data are being disseminated, the [APD] is forced to decide that the second condition has not been met”;
    • “due to the large number of TCF partners that may receive [a user’s] personal data, data subjects cannot reasonably expect the processing associated with [the] disclosure [of their personal data to such TCF partners]. In addition, there is the considerable amount of data that, in accordance with the preferences entered within the TCF system, is collected by means of a bid request and transmitted to the adtech vendors within the context of the OpenRTB protocol”; and
    • the APD also makes reference to the EDPB’s previous opinion on purpose limitation that “legitimate interest does not constitute a sufficient legal basis in the context of direct marketing involving behavioural advertising” and the ICO’s conclusion within its update report into adtech and real time bidding that “legitimate interest is not a basis for legality in the context of RTB”.
  • Current uncertainty over existing data collected through TCF
    • The ruling specifically relates to IAB Europe and its role with regard to TCF. As such, it creates no direct obligations upon publishers, CMPs or vendors – a point which the APD specifically reiterates in a number of places. However, the ruling does state that “it is the responsibility of the CMPs and the publishers who implement TCF, to take appropriate measures […], ensuring that personal data that has been collected in breach of Articles 5 and 6 GDPR is no longer processed and removed accordingly”.
    • As such, although we are not expecting to see publishers and vendors electing to unilaterally delete data previously collected in reliance on the TCF, we could see national DPAs enforcing against specific publishers and/or vendors on the back of the APD ruling.
    • We would not expect this to happen, however, until after any appeal process (to the extent IAB Europe elects to do so), although this is discretionary on the part of the relevant national DPA rather than being automatic.
    • In the event of an unsuccessful appeal, it is currently unclear as to whether any relevant national DPAs will then subsequently wait for the expiry of the resolution period (as noted below) for TCF compliance before undertaking any such actions to see whether the TCF will have reformed into a compliant framework or whether they will directly look to enforce.
    • Of course, if any such mass deletion is required, this will have a very large impact and be a significant exercise for all involved.
  • IAB Europe will likely increase its oversight of TCF
    • The ruling requires that IAB Europe implements effective measures to guarantee the integrity of the TC String and prevent it from being changed or tampered with. In addition, the APD requires IAB Europe, as an example of measures under Article 32 of GDPR, to put in place a strict vetting process for all organisations participating in the TCF.
    • We would therefore expect IAB Europe to increase its rights and ability to undertake compliance audits and an explicit approval process for each participating organisation, irrespective of whether they are publisher, vendor or CMP.

How has IAB Europe responded?

IAB has released a statement that it “rejects the finding that [IAB Europe is] a data controller in the context of TCF” and that it is “considering all options with respect to a challenge”. However, it also notes that “the decision contains no prohibition of the TCF” and that the “APD considers the purported infringements by IAB Europe … to be susceptible of being remedied in six months”.

Further, IAB Europe continues its intention to “submit the [TCF] for approval as a GDPR transnational Code of Conduct” and that the ruling appears to “clear the way for work on that to begin”.

Immediate next steps

IAB Europe has 30 days to appeal the ruling. It is currently unclear as to whether it will do so, but it would appear likely given the importance of the ruling.

In the absence of an appeal, IAB Europe has 2 months to produce an action plan to bring the TCF into compliance. This plan will then be validated by the APD. There are no timescales currently placed on this validation period.

Subsequently, IAB Europe will have 6 months from the date of validation being provided to complete all relevant matters within the action plan.

The ruling does not provide for the scenario whereby the action plan is submitted for validation by IAB Europe but is not approved by the APD.

What does this mean for you?

Unfortunately, we are now in a period of uncertainty. However, there is no need to immediately panic - the adtech ecosystem will not stop functioning in Europe tomorrow.

In light of the ruling, companies making use of TCF should be prepared for likely significant changes and may wish to consider mitigation plans and strategies in the event of the various scenarios that may develop.

Publishers:

  • For publishers there remain questions as to whether they should continue with an exclusive reliance on the TCF going forward. This should not be a decision which is made lightly, however, given that alternatives (e.g. in-house consent management platforms) are costly to develop, would be complex to build, and may not meet advertiser requirements. In addition, there is no guarantee that any in-house platform would be better positioned to meet the challenges posed by the APD within this ruling.
  • Scenario modelling of different outcomes, and assessing any alternative approaches in this light, may well be a prudent planning step at this stage.
  • In addition, it is worth considering advertiser requirements and whether these will continue to compel publishers and others in the adtech ecosystem to make use of TCF-certified CMPs to obtain user consents. Advertisers have to date used such requirements as a form of (potentially limited) risk mitigation, by requiring adoption of the “industry standard” approach to obtaining valid consent, which has so far been represented by the TCF. It may be a useful first step to undertake an audit of existing arrangements with ad buyers to identify where this is currently a contractual requirement.
  • There also remain questions as to the form that any “unified user interface” might take, were CMPs compelled (by a regulator or through an updated version of the TCF) to implement such a system. Certainly, publishers may well be concerned as to how this might impact their user journey and the look and feel of their web properties.

Adtech vendors:

  • Vendors in the ecosystem find themselves in a somewhat difficult situation as they are to an extent stuck in the middle without a direct path to end users and reliant upon publishers to provide their lawful basis for processing.
  • At the moment, there seems to be little that these adtech vendors can do other than wait and see how any appeals process may play out, together with any future TCF requirements. To the extent alternative solutions and processes exist, vendors may wish to explore the viability of these options should this be needed.
  • We may see some larger vendors withdrawing from the TCF, at least temporarily, particularly where they have alternative methods of obtaining consent. As always, there remains a particular focus in the industry on Google’s actions following the judgment.
  • One particular point to note (as stated above) is that adtech vendors should expect any updated TCF version to include significant additional audit rights on the part of IAB Europe to vet participants and ensure compliance with the framework.

Advertisers:

  • To date, regulatory focus has generally been on the operators of adtech platforms, and publishers responsible for obtaining consent, rather than users of adtech.
  • This seems likely to continue to be the case in the near future, but advertisers should ensure that they remain up to date on these developments, particularly if alternative solutions are developed.

Key Contacts for this article: Alex Dixie, Partner; Benoit Van Asbroeck, Partner; and Simon Mortier, Associate
