Is IAB Europe's TCF the answer to the digital advertising industry's privacy problems?

What is the TCF?

The TCF stands for Transparency and Consent Framework and is an industry framework first launched in March 2018 by the International Advertising Bureau Europe (IAB). It was created as a means to allow the digital advertising (adtech) industry to continue operating in a manner compliant with GDPR and the ePrivacy Directive.

As we discuss here, the adtech system is extremely complex, both in terms of what users see (through cookie banners and notices), and what happens in the background between the multiple types of business involved in delivering digital advertising,  This is the reason the TCF exists – to address the central challenge adtech has faced since its inception. GDPR and the ePrivacy Regulation require informed consent for certain activities and accessible, easy to understand transparency about data collection and use in a way the average user can understand.  How do you achieve that when, for some digital advertising, hundreds, sometimes thousands of different platforms can process user data for a range of purposes, and the identity of those platforms may not be known in advance?   

If you apply the demand for granularity in the Whatsapp decision from the Irish DPC: requiring that users know exactly what data will be processed by whom and for what purposes all explained in sufficient detail for them to understand and make an informed decision on whether to exercise their GDPR rights, you can quickly see the urgency of finding a viable solution

What does the TCF actually do?

The TCF doesn't just lay down requirements for consent and transparency – it creates a technical methodology and standard for the creation, sharing and recognition of "consent signals" which record the extent to which a user has consented (or not) to, or has opted out (or not) of, digital advertising using their information for a list of 12 different purposes all relating to different activities within the digital advertising ecosystem.  Most users do not have the patience, but you can click through the CMP screens to object to specific purposes if you want to.

Consent signals are captured in a string of letters and numbers known as the "TC string" created by the CMP in response to how the user interacts with the cookie banner and the options and controls that sit behind it.  The TC string is handed on like a relay baton by the platforms so each of them can read the signals and their software reacts instantaneously, understanding the extent to which they are able to use that user's information to do what they do in the ecosystem, in line with their declared TCF purposes.  This is necessary because apart from the publisher on whose digital properties the ads will be shown, participants in the ecosystem do not have a direct relationship with the users enabling them to seek consent or obtain transparency in relation to their processing.

Digital advertising companies typically have teams of engineers and privacy professionals whose job it is to ensure that the way they recognise and react to consent signals, and share them with other companies in the supply chain, remains aligned with TCF and any changes made to it.   It is a significant element of their compliance efforts.

The TCF has become a cornerstone of the digital advertising industry since its inception and is the only alternative to consent flows designed individually by or for online publishers, but whether or not it satisfies data privacy requirements remains to be agreed.

What did the Belgian DPA decide?

In February 2022, the Belgian DPA, the APD, declared the current version of the TCF unlawful under GDPR, which caused some consternation if not surprise in the digital advertising industry.  The APD's objections fall into two main categories:

Valid consent is not achieved and the level of transparency is deficient

Objections include:

• The 12 processing purposes set out in the TCF are not explained in enough detail and some are actually misleading.
• The TCF provides no overview of the categories of data collected and users are unable to find enough information on the identity of controllers who will collect and use their data.
• Consent cannot be withdrawn by users through the TCF quickly enough as there is no process for its immediate communication to participants who already have the user's data.

These are fundamental objections to the very core of what the TCF is designed to achieve, but also not unexpected – even after the launch of the much-improved v2 of the TCF there have been misgivings as to whether it meets the rigorous standards of the GDPR.

The TC string constitutes personal data and IAB Europe, through its role in creating and overseeing the TCF, is a joint controller of each TC string

The APD thinks the TC string is personal data because it can be combined with identifiers like an IP address, so it indirectly identifies the user, including in cases where a TC string indicates that no consent has been provided (so the user's data is not used by participants for TCF purposes which require consent).

We know from cases like Fashion ID, that an organisation does not have to have any role involving 'touching' personal data in order to be a controller of it – as the test is the extent of its decision-making over the purposes and essential means of the processing.  Still, it will have come as a surprise to the IAB that it is deemed a controller as it had not taken steps to ensure its own controller compliance as regards the TCF, treating itself like any other industry body involved in setting standards and assuming that it is not itself directly responsible as controller for the personal data processed by participants.

What may be different in the case of the TCF, is the degree of granularity in the technical standards as to the elements making up the consent string.  Other industry standards tend to be more agnostic as to the nature of the data that participants collect and use.

The APD found that the IAB is a joint controller with the participants of the TC string, raising the prospect of shared liability for how the data is used in the framework and the possible need for the IAB to assess and manage its liability for how the TCF is implemented by participants – a risk industry bodies are not used to managing.   This aspect of the APD's decision is being appealed (as discussed below) but, if confirmed by the ECJ, this will likely mean a more active role for the IAB in auditing and enforcing the TCF, and we expect the IAB to look at indemnification by other participants where their failures lead to liability for the IAB.

How did IAB Europe respond?

In response to the APD's decision, IAB Europe submitted an action plan to remedy the first category of objections.  It also appealed to the Belgian Court of Appeal on procedural grounds, as well as against the findings that the TC string constitutes personal data of which IAB Europe is a joint controller, and that IAB Europe violated GDPR in not having taken the steps required of a controller.

The Belgian court, with the agreement of all parties has referred to the European Court of Justice the two questions as to whether the TC string (in conjunction with an IP address or otherwise) is personal data for IAB Europe and whether, if it is personal data, IAB Europe is a joint controller in relation to it.

The APD then took everyone by surprise in January 2023 by approving the IAB's proposed action plan before the ECJ has given judgment on the two crucial questions of principle. This required the IAB to work to a six-month deadline to complete the work it had proposed (so by July 2023), and then potentially needing to undo or re-do elements of that work depending on where the ECJ decision lands.

This led the IAB to lodge a second appeal against the APD, arguing that the IAB should not be required to conduct any remedial work on the TCF until the position of the ECJ is known. Sensibly, the APD announced on 20 March that it will not be seeking to force IAB Europe to complete the remedial work pending the Belgian court's decision on this second appeal, expected within the next six months.

So where are we now?

Out of what has become a procedural mess, we can draw the following conclusions:

• The IAB is in a challenging position if it is found to be controller for TC strings, as it would need to take steps across the board to act as controller.
• The TCF and its participants have not so far treated the TC string itself as personal data. If the ECJ decides it is personal data, changes to the TCF and resultant impact on compliance steps by all participants will be required.
• The good news remains that the APD thinks the TCF can ultimately deliver compliance, just not in its present form, so the first regulator analysis of the TCF has not, as some feared, raised the possibility of the end of targeted advertising or its real-time bidding variant in Europe, although risks and challenges remain.
• Combining clear transparency without overwhelming users with technical information remains a key challenge for the remediation plan. The complexity of the ecosystem and the different processing within means this will remain a contentious issue.
• We expect the remediation plan to remove some options to choose legitimate interests for certain purposes, especially around targeted advertising using personal data.
• For the time being, companies are continuing to use the TCF. Moving away from it would seem premature for most participants, not least because any home-grown alternatives would face the same challenges around achieving defensible consent, transparency and control and would be difficult to implement across relevant participants.
• The move away from cookies will not, in our view, materially reduce the pressure on TCF.

What should participants do now, pending the second appeal in the Belgian courts and the referral to the ECJ?

• Keep an eye on developments as remedial work may be a substantial undertaking and will need time to plan, design and implement, and engineering resources will often be required.
• Digital advertising platforms should be ready for questions from publisher and advertiser customers and partners as to what their approach is to the challenge to the TCF, and at present it is likely that generic statements about watching developments closely etc may be all that can be said.
• Review the use of consent for the TCF purposes which allow consent or legitimate interests – in the light of the APD ruling (which we broadly expect other DPAs in Europe to follow), purpose 4 especially – relating to the delivery of personalised ads - looks a prime candidate to move to consent only if you currently allow legitimate interests. Revenue projections following any move to consent may be worthwhile to prepare the business decisions which are likely to be needed.
• If the TC string itself is found to be personal data, all participants will need to adjust their procedures and policies – likely involving engineering 'lift' - to reflect this, including CMPs who to date have not, in general, designed for their own compliance. The APD thinks CMPs are joint data controllers for the TC strings they generate and share with the participants, which may mean a more significant lift for them than others in the ecosystem.
• It remains to be seen how the IAB will react to being joint controller, if that is the final decision reached, but some additional audit and enforcement of TCF participants seems likely.

When will there be clarity?

We will know more after the Belgian Market Court's decision expected in the next few months.  If the court agrees with the APD, the six month implementation period will resume and would likely conclude around the end of 2024. The timing of the ECJ decision is less certain but is likely to have a material impact.  This means there is uncertainty around where the TCF will land and the timing, but participants should expect material remediation work, probably in 2024.