IAB Europe’s Transparency & Consent Framework, a key pillar of how online advertising is conducted on the Continent, is in breach of laws protecting people’s data privacy, a key European regulator has found.
The Belgian data protection authority, the APD-GBA, found on 16 October that the TCF, a set of best-practice guidelines for collecting and processing data for ad targeting, is in breach of the General Data Protection Regulation.
The APD-GBA’s findings will be seen as significant. Each member state has a national data protection authority, as does the UK, which had chosen to adopt the GDPR into UK law after Brexit. But Belgium is the “lead supervisory authority” under the GDPR “one-stop-shop” mechanism.
Critics have blamed the TCF, released in March 2018 on the eve of GDPR being enacted, for being inadequate in ensuring user consent in the way programmatic ads are served via real-time bidding.
Last year, IAB Europe launched a new version of the TCF, which it said would provide more transparency and control for publishers over how and why data was being collected by users for advertising purposes.
Following complaints made in 2018 by a range of privacy campaigners and academics, the Belgian regulator reported preliminary findings that the IAB framework allows advertisers to swap sensitive information about people even when they have not been authorised to do so.
“IAB Europe’s approach demonstrates that it neglects the risks that would impact on the rights and freedoms of data subjects,” the report said.