TCF stands for Transparency and Consent Framework. It is an industry framework first launched in March 2018 by the International Advertising Bureau Europe (IAB), created as a means to allow the digital advertising (adtech) industry to continue operating in a manner compliant with GDPR and the ePrivacy Directive.
As we discuss here, the adtech system is extremely complex, both in terms of what users see (through cookie banners and notices), and what happens in the background between the multiple types of business involved in delivering digital advertising. This is the reason the TCF exists – to address the central challenge adtech has faced since its inception. GDPR and the ePrivacy Regulation require informed consent for certain activities and accessible, easy to understand transparency about data collection and use in a way the average user can understand. How do you achieve that when, for some digital advertising, hundreds, sometimes thousands of different platforms can process user data for a range of purposes, and the identity of those platforms may not be known in advance?
If you apply the demand for granularity in the WhatsApp decision from the Irish DPC, which requires that users know exactly what data will be processed, by whom and for what purposes, all explained in sufficient detail for them to understand and make an informed decision on whether to exercise their GDPR rights, you can quickly see the urgency of finding a viable solution.
The TCF doesn't just lay down requirements for consent and transparency – it creates a technical methodology and standard for the creation, sharing and recognition of "consent signals" which record the extent to which a user has consented (or not) to, or has opted out (or not) of, digital advertising using their information for a list of 12 different purposes all relating to different activities within the digital advertising ecosystem. Most users do not have the patience, but you can click through the CMP screens to object to specific purposes if you want to.
Consent signals are captured in a string of letters and numbers known as the "TC string" created by the CMP in response to how the user interacts with the cookie banner and the options and controls that sit behind it. The TC string is handed on like a relay baton by the platforms so each of them can read the signals and their software reacts instantaneously, understanding the extent to which they are able to use that user's information to do what they do in the ecosystem, in line with their declared TCF purposes. This is necessary because apart from the publisher on whose digital properties the ads will be shown, participants in the ecosystem do not have a direct relationship with the users enabling them to seek consent or obtain transparency in relation to their processing.
Digital advertising companies typically have teams of engineers and privacy professionals whose job it is to ensure that the way they recognise and react to consent signals, and share them with other companies in the supply chain, remains aligned with TCF and any changes made to it. It is a significant element of their compliance efforts.
The TCF has become a cornerstone of the digital advertising industry since its inception and is the only alternative to consent flows designed individually by or for online publishers, but whether or not it satisfies data privacy requirements remains to be agreed.
In February 2022, the Belgian DPA, the APD, declared the current version of the TCF unlawful under GDPR, which caused some consternation if not surprise in the digital advertising industry. The APD's objections fall into two main categories:
1. Valid consent is not achieved and the level of transparency is deficient
These are fundamental objections to the very core of what the TCF is designed to achieve, but also not unexpected – even after the launch of the much-improved v2 of the TCF there have been misgivings as to whether it meets the rigorous standards of the GDPR.
2. The TC string constitutes personal data and IAB Europe, through its role in creating and overseeing the TCF, is a joint controller of each TC string
The APD thinks the TC string is personal data because it can be combined with identifiers like an IP address, so it indirectly identifies the user, including in cases where a TC string indicates that no consent has been provided (so the user's data is not used by participants for TCF purposes which require consent).
We know from cases like Fashion ID that an organisation does not have to have any role involving 'touching' personal data in order to be a controller of it, as the test is the extent of its decision-making over the purposes and essential means of the processing. Still, it will have come as a surprise to the IAB that it is deemed a controller, as it had not taken steps to ensure its own controller compliance as regards the TCF, treating itself like any other industry body involved in setting standards and assuming that it is not itself directly responsible as controller for the personal data processed by participants.
What may be different in the case of the TCF is the degree of granularity in the technical standards as to the elements making up the consent string. Other industry standards tend to be more agnostic as to the nature of the data that participants collect and use.
The APD found that the IAB is a joint controller with the participants of the TC string, raising the prospect of shared liability for how the data is used in the framework and the possible need for the IAB to assess and manage its liability for how the TCF is implemented by participants – a risk industry bodies are not used to managing. This aspect of the APD's decision is being appealed (as discussed below) but, if confirmed by the ECJ, this will likely mean a more active role for the IAB in auditing and enforcing the TCF, and we expect the IAB to look at indemnification by other participants where their failures lead to liability for the IAB.
In response to the APD's decision, IAB Europe submitted an action plan to remedy the first category of objections. It also appealed to the Belgian Court of Appeal on procedural grounds, as well as against the findings that the TC string constitutes personal data of which IAB Europe is a joint controller, and that IAB Europe violated GDPR in not having taken the steps required of a controller.
The Belgian court, with the agreement of all parties, has referred to the European Court of Justice the two questions as to whether the TC string (in conjunction with an IP address or otherwise) is personal data for IAB Europe and whether, if it is personal data, IAB Europe is a joint controller in relation to it.
The APD then took everyone by surprise in January 2023 by approving the IAB's proposed action plan before the ECJ had given judgment on the two crucial questions of principle. This required the IAB to work to a six-month deadline to complete the work it had proposed (so by July 2023), and then potentially to undo or re-do elements of that work depending on where the ECJ decision lands.
This led the IAB to lodge a second appeal against the APD, arguing that the IAB should not be required to conduct any remedial work on the TCF until the position of the ECJ is known. Sensibly, the APD announced on 20 March that it will not be seeking to force IAB Europe to complete the remedial work pending the Belgian court's decision on this second appeal, expected within the next six months.
Out of what has become a procedural mess, we can draw the following conclusions:
We will know more after the Belgian Market Court's decision expected in the next few months. If the court agrees with the APD, the six-month implementation period will resume and would likely conclude around the end of 2024. The timing of the ECJ decision is less certain but is likely to have a material impact. This means there is uncertainty around where the TCF will land and the timing, but participants should expect material remediation work, probably in 2024.