Shockwaves in the CMP world: the IAB's TCF protocol violates GDPR!
10th February 2022
You’ll probably have seen Leonardo DiCaprio’s film Don’t Look Up on Netflix. It’s about scientists who realise a meteorite is coming, and it’s going to destroy the whole planet in a couple of weeks.
They warn everyone, but nobody listens.
In summary, it's the story of warnings of an announced catastrophe, which no-one took seriously.
This story is the same as the one about the IAB and the GDPR: a protocol is introduced to collect personal data in bulk (the TCF), it breaches the GDPR, but most of the marketing industry is encouraged to use it anyway.
Most CMPs - whose purpose is the collection of personal data in line with the GDPR - would rather not reject the TCF protocol, since “everyone else is using it” and, so far, it seemed to be a good way to win more clients and revenue.
But, by overstepping the mark and giving European Data Protection Authorities the finger, a serious backlash was to be expected.
Now, it’s a done deal and all those who chose a “TCF-compatible CMP” are kicking themselves as they now face unsolvable problems.
The DPA (Belgium's Data Protection Authority) has said the party’s over, and other European Data Protection Authorities have followed that decision. Thanks to the one-stop-shop mechanism, which standardises decisions across the EU, every member country makes the same judgement.
In reality, the consequences are serious, onerous and potentially costly. We’ll look at the details below.
For transparency purposes, each point will include the relevant reference from the decision so you can check what the decision says for yourself.
Make a coffee, get comfy and have a read. As Mulder said, “the truth is out there”.
A summary is provided by Hielke Hijmans, Chairman of the DPA’s Litigation Chamber, in the press release “The BE DPA to restore order to the online advertising industry: IAB Europe held responsible for a mechanism that infringes the GDPR”.
Can we be clearer?
Defensive communications are being issued claiming that only RTB (Real-Time Bidding: programmatic advertising that auctions each impression independently) is affected by the ban: this is not true.
The decision states that the TCF protocol clearly violates the provisions of the GDPR.
Therefore, by collecting data via this protocol, even indirectly, you are liable for a sanction. Why? Because the GDPR includes joint-responsibility mechanisms ensuring that all stakeholders are involved in guaranteeing compliance. Every player in the compliance chain must make sure that its partners, processors and data controllers abide by the GDPR.
If not, each individual stakeholder can be held jointly responsible for any irregularities.
The DPA mentions this in point 371 of its decision (page 81). To summarise: the responsibility held by other players in the compliance chain does not limit the IAB’s responsibility.
The DPA establishes a real chain of responsibility, which is no surprise: it’s part of the GDPR.
The DPA devotes an entire chapter to it in its decision titled: “B.3 Joint controllership of publishers, CMPs and adtech vendors with regard to the means and purposes of the processing of personal data within the context of the TCF and of the OpenRTB” (page 79).
2. Does the TCF comply with GDPR?
The DPA titles its official communiqué as follows: “Serious and multiple violations found by the supervisory authority: the TCF is incompatible with the GDPR.”
Why such a devastating decision?
Simply because the supervisory authority notes that the IAB has imposed a protocol with a design that violates the key provisions of the GDPR:
- “The current TCF does not provide a legal basis for the processing of user preferences” (point 535, page 115): this is not an error in the legal basis, but the absence of any basis allowing the data to be collected. It’s hard to imagine a more serious or astonishing situation...
- Breach of Articles 12 and 13 of the GDPR: “Users of a website or an application participating in the TCF are not given sufficient information about the categories of personal data collected about them, nor are they able to determine in advance the scope and consequences of the processing.” (Point 535: pages 115-116 of the decision).
- Breach of Articles 24, 25, 5.1.f and 32 of the GDPR: no technical or organisational measure ensures that the consent signal is valid.
The truth is, everything stems from the qualification of the TC String used by the IAB.
The DPA defines it thus: "The TC String is meant to capture in a structured and automated way the preferences of a user when he visits a website or app of a publisher that has integrated the CMP. This concerns in particular the capturing of consent (or not) to the processing of personal data for marketing and other purposes, whether or not to share personal data with third parties (adtech vendors) and the exercise or not of the right to object.”
The decision adds that “the Litigation Chamber notes that the TC String, as an expression of users’ preferences on the processing purposes and the potential adtech vendors being provided through the CMP interface, constitutes the cornerstone of the TCF.”
In its decision, the DPA mentions complainants’ argument that a “(...) unique identification number, such as the TC String generated and stored in a cookie, is personal data within the meaning of Article 4(1) of the GDPR (...)” (Point 93, page 25).
The Belgian supervisory authority objectively raises the point that even if “(...) it is not conclusively established that the TC String, due to the limited metadata and values it contains, in itself allows for direct identification of the user (...)”, the fact remains that “(...) when the consent pop-up is accessed by script from a server managed by the CMP, it inevitably also processes the user's IP address, which is explicitly classified as personal data under the GDPR (...). CMPs have the technical means to collect IP addresses (...) and to combine all information relating to an identifiable person. The possibility of combining the TC String and the IP address means that this is information about an identifiable user. (...)” (Point 304, page 65).
3. The obligation to delete all data collected so far via CMPs using the TCF protocol
Billions of pieces of personal data have been collected under the TCF. The inevitable question is therefore what should happen to this illegally collected data.
The consequences are dire, especially for users of CMPs with the TCF protocol. This is one of the points with the most serious repercussions.
In point C1 535 of its sanction, the supervisory authority states: “(...) it is the responsibility of the CMPs and the publishers who implement the TCF, to take the appropriate measures, in line with Articles 24 and 25 GDPR, ensuring that personal data that has been collected in breach of Articles 5 and 6 GDPR is no longer processed and removed accordingly.”
What does this mean? All data collected since 25.05.2018 via a CMP subject to the IAB’s TCF protocol has been collected illegally and must therefore be destroyed...
And if a company doesn’t destroy it, it will face the sanctions in Article 83 of the GDPR summarised as follows by the CNIL: “the amount of financial penalties can be up to 20 million euros or in the case of a company up to 4% of the annual worldwide turnover.”
4. A decision that applies to all countries in the European Union and beyond...
Decision 21/2022 of 2 February 2022 has been made in the context of the one-stop-shop procedure. What is this?
The CNIL explains on its website that the one-stop-shop mechanism set out in the GDPR aims to standardise, at the European level, decisions made by Data Protection Authorities about cross-border processing. These authorities should coordinate with each other about all these decisions.
Hence why the Belgian DPA refers to this collaboration on page 5 of its decision: “The following supervisors have indicated their willingness to act as concerned supervisory authorities (...): the Netherlands, Latvia, Italy, Sweden, Slovenia, Norway, Hungary, Poland, Portugal, Denmark, France, Finland, Greece, Spain, Luxembourg, Czech Republic, Austria, Croatia, Cyprus, and Germany (...), Ireland (...)."
The DPA also makes statements suggesting that other decisions of the same type may follow in the coming months.
We learn that “On 23 November 2021, the Litigation Chamber submitted its draft decision with the other concerned European supervisory authorities” (point 275, page 59 of the decision) and that the Dutch authority (point 277, page 59) and the Portuguese authority (point 279, page 59) requested further information on the decision.
And this is what the one-stop-shop procedure provides: a formidable and effective collaboration between countries applying the GDPR. It goes beyond the European Union, as the GDPR also applies to the countries that are members of the EEA (European Economic Area): Iceland, Liechtenstein and Norway.
What does this mean?
The DPA’s decision will not be questioned by other supervisory authorities and will therefore apply in similar situations across the whole “GDPR zone”.
To be fair, we don’t do false modesty at Axeptio. It wasn’t easy to reject the TCF: the GDPR principles meant an array of potential clients were off-limits to us. This is however something we’ve always accounted for and accepted.
But now, we’re proud to be able to say we made the right choice. Anyone who wants to get involved in the data business can do so with our solutions and comply with the texts and the spirit of “Marketing you consent to” rather than “Marketing sprung upon you”.