On August 5, 2022 news broke that the French Data Protection Authority (“CNIL”) proposes fining adtech company Criteo €60 million for undisclosed GDPR violations as part of an ongoing investigation opened by the CNIL in 2020. The investigation followed a 2018 complaint by the privacy NGO Privacy International against Criteo and a number of other industry players concerning breaches of the GDPR, including for processing personal data without a valid legal basis. Criteo has issued a statement strongly contesting the CNIL’s findings but no other information on the substance of the decision is available. The CNIL has not yet published an official statement, and a final ruling is not expected until well into 2023.
The Criteo fine is just the latest blow for the adtech industry and only adds to existing uncertainty. It follows the news in February this year of the Belgian Data Protection Authority’s (“APD”) decision in which it ruled that IAB Europe’s Transparency & Consent Framework (“TCF”), the most commonly used digital advertising consent mechanism in Europe, fails in a number of key respects to comply with the GDPR. The APD, working with 28 other EU supervisory authorities, issued IAB Europe with a fine of €250,000 and required it to submit an action plan setting out corrective measures. IAB Europe appealed the decision, and submitted its as yet unpublished action plan on April 1, 2022. If the APD approves the action plan, IAB Europe will have six months to implement it. This blog post explores the APD’s decision and its implications for digital advertising.
How Does the TCF Work?
IAB Europe intends for the TCF to provide a solution for publishers, adtech vendors, and advertisers to communicate an individual’s choices in relation to targeted advertising (specifically real-time bidding) across the ad network, in a way that is compliant with the GDPR.
Consent management platforms (“CMPs”), one of the key players in the TCF, present visitors to publisher websites with a means of controlling how their data is used and shared, often in the form of a pop up or banner. User preferences are captured by CMPs in a standardized ‘Transparency and Consent String’ (“TC String”), consisting of a combination of letters, numbers and other characters. This TC String is shared as part of every ad call with other organizations partaking in the TCF, who decipher the TC String to determine whether they have the necessary legal basis to process a user’s personal data.
Key Findings by the APD
IAB Europe is a joint controller with TCF participants: The APD rejected IAB Europe’s argument that participating organizations in the TCF govern the purposes of processing and so exempt IAB Europe from data controller status. The APD determined that IAB Europe exercises control over the TCF as a whole, so, even though it does not access or otherwise process personal data, it is a joint controller along with the CMPs and adtech vendors in relation to registering user consent signals, choices and preferences via the TC String. In its decision the APD placed particular emphasis on the policies and technical specifications of the TCF, through which it found that IAB Europe has a decisive influence on the purpose and means of the processing. In particular, the APD pointed to how IAB Europe defines how and who can generate TCF strings, how long they are stored for, in some cases where they are stored and who they are shared with.
TC Strings are personal data: The APD agreed with IAB Europe’s argument that in itself the TC String does not directly identify users or devices as it merely reflects technical information, namely the users’ choices. However, in line with the EDPB’s findings in relation to Google Analytics (see our blog post here on this topic), the APD found that as the CMP combines the user’s IP address with the TC String, this information can be used to “single out” a natural person and therefore the preferences of users in a TC String do constitute personal data. As such, a legal basis should be established and notified to users for the creation and sharing of the TC String itself.
Consent obtained via the TCF is inadequate for processing operations within the advertising ecosystem: The APD determined that information provided to users is not sufficient for consent to be specific and informed as required by the GDPR, given the large-scale nature of the processing and the impact this could have on individuals. For example, the APD pointed out that it is difficult for users to see beyond the first layer of data controllers, and that even if they did the list would be too lengthy for users to fully process the information. The APD also took issue with how slowly a request to withdraw consent filters through the advertising ecosystem.
Legitimate interests is not a valid legal basis for targeted advertising or profiling within the TCF: The APD applied the three conditions set out in the CJEU Rīgas case for determining whether the legitimate interests of the data controller are met, and found that they were not, due in part to the sheer volume of data, and the absence of measures to ensure that unnecessary data is not disseminated. The APD did entertain however that legitimate interests may in theory be relied upon for the processing of the TC String itself, if an option were presented to users to opt-out entirely of having their preferences captured.
IAB Europe should delete all personal data that it processed under the TCF: As the data has been collected unlawfully, the APD has ordered IAB Europe to delete all such data.
IAB Europe does not effectively monitor compliance: Under the current TCF system, adtech vendors receive a signal of consent without any technical or organizational measure in place to ensure that this consent signal is valid or that a vendor has actually received it (rather than generated it). The APD found that IAB Europe had violated the GDPR’s principles of accountability and data protection by design and fault, and failed to implement sufficient security measures, by failing to put in place sufficient systems in place to monitor participating CMPs and adtech vendors.
What Next?
For the TCF: The future of digital advertising in Europe is unclear. Although IAB Europe has firmly rejected the APD’s decision it has, at least publicly, welcomed the opportunity for an open dialogue with the APD on the future of the TCF. We expect the corrective measures proposed by IAB Europe as part of its action plan to present an attempt at a more transparent and uniform user experience across CMPs, and for IAB Europe to commit to increased oversight of participants. How IAB Europe and its stakeholders will address the inherent issues presented by the complexity of the adtech ecosystem remains to be seen. The Criteo decision, when published, will no doubt highlight the same areas of concern.
For participating companies: In the meantime, given the APD has instructed IAB Europe to delete data collected through the TCF that it holds, companies across the sector are left wondering whether they should proactively do the same. Given there are currently few viable alternatives to the TCF, however, many companies are holding tight in their continued use of the TCF.
For other vendors: This decision has ramifications for companies outside of the digital advertising space. The APD’s decision to extend the role of controller to vendors who purport to have no interaction with personal data processed nor have access to such data, should serve as a stark warning to businesses operating under similar illusions that they sit outside of the GDPR framework altogether. IAB Europe is however appealing this broad interpretation.