Breaking News - IAB / TCF Framework illegal?
This decision has it all: a real, hard hammer for the AdTech industry and for every customer who uses the TCF framework. The Belgian APD (Autorité de protection des données), the supervisory authority responsible for IAB Europe, has ruled in a long-awaited decision that the entire infrastructure of the IAB TCF framework, and all data collected through it so far, is in breach of the GDPR. IAB Europe is fined EUR 250,000, and all partners have to delete the data obtained so far.
Note: This problem only affects customers who use the TCF framework!
How do I know if TCF is active?
Very simple: go to the CCM19 administration, open your domain and then the item "IAB-Framework (TCFv2)" as shown on the screenshot. Only if the checkbox framed in red is ticked green are you using TCF.
And once more the explicit note: CCM19 is not based on TCF. TCF is an optional module that can be activated within the CCM19 system. You CAN activate TCF, you do not have to, and CCM19 works completely WITHOUT TCF.
Decision with immediate effect
This decision is effective immediately and EU-wide. It was issued under the "One Stop Shop" mechanism of the General Data Protection Regulation, under which the lead authority's decision applies immediately and everywhere in the EU.
"The processing of personal data (for example, the collection of user preferences) under the current version of the TCF is not compatible with the General Data Protection Regulation, as it violates the principle of fairness and lawfulness," said Hielke Hijmans, Chairman of the Authority's Litigation Chamber.
The decision in the press
Here are some links to comments in the press about this decision.
- Article at heise.de "... Central standard for cookie banners illegal"
- Netzpolitik.org "Important building block for cookie banner is illegal"
- Techcrunch - in English
Background - what is the TCF framework
Basically, targeted advertising under the TCF framework works as follows: every visit to a website participating in the TCF framework triggers an auction among advertising providers.
Within milliseconds, a detailed profile of the visitor is used to decide which advertisements they will see. This is called real-time bidding (RTB). For this to work well, or at all, the providers need to know as much as possible about the visitor: age, gender, websites visited, interests, place of residence, presumed purchasing power and so on are just some of the criteria. All this information together constitutes a visitor's profile, which can be as detailed as desired.
IAB Europe's Transparency and Consent Framework is used to convey these profiles. When visitors click the "Accept cookies" button or simply do not object, the TCF framework generates the so-called TC string. The TC string is the basis for the individual profiles mentioned above and for the auctions in which thousands of international partners participate.
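The TC string the text describes is not opaque: it is a base64url-encoded bit field whose layout is published in the IAB TCF v2 specification. The following decoder is an added example (not CCM19's or IAB Europe's code) that reads the core segment up to the vendor consents, so you can see exactly which purposes and vendor IDs a banner has recorded as consented. Besides the admin checkbox mentioned under "How do I know if TCF is active?", this gives a second check: a site that sets an `euconsent-v2` cookie, or whose `__tcfapi` call returns a `tcString`, is using TCF. The sample string is constructed by the block's own encoder with placeholder values (cmp_id 999, vendor list version 120, the date of the decision); it is not the output of a registered CMP.

```python
import base64
from datetime import datetime, timezone

# Fields of the TCF v2 core segment in order, as (name, bit width), following
# the public IAB TCF v2 TC string specification. The variable-length vendor
# consent section that follows is parsed separately.
CORE_HEADER = [
    ("version", 6), ("created", 36), ("last_updated", 36),
    ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
    ("consent_language", 12), ("vendor_list_version", 12),
    ("tcf_policy_version", 6), ("is_service_specific", 1),
    ("use_non_standard_stacks", 1), ("special_feature_opt_ins", 12),
    ("purposes_consent", 24), ("purposes_li_transparency", 24),
    ("purpose_one_treatment", 1), ("publisher_cc", 12),
]

class BitReader:
    """Sequential big-endian bit reader over the decoded segment bytes."""
    def __init__(self, data: bytes):
        self.bits = "".join(f"{b:08b}" for b in data)
        self.pos = 0

    def read(self, n: int) -> int:
        if n == 0:
            return 0
        chunk = self.bits[self.pos:self.pos + n]
        if len(chunk) < n:
            raise ValueError("TC string truncated")
        self.pos += n
        return int(chunk, 2)

def _bitfield_to_ids(value: int, width: int) -> set:
    # The most significant bit of a field stands for id 1, the next for id 2, ...
    return {i + 1 for i in range(width) if (value >> (width - 1 - i)) & 1}

def _ids_to_bitfield(ids: set, width: int) -> int:
    return sum(1 << (width - i) for i in ids)

def _two_letters(value: int) -> str:
    # Language and country codes are two 6-bit letters, A = 0.
    return chr(65 + (value >> 6)) + chr(65 + (value & 63))

def _read_vendor_consents(r: BitReader) -> set:
    max_vendor_id = r.read(16)
    if r.read(1) == 0:                      # IsRangeEncoding = 0: one bit per vendor id
        return _bitfield_to_ids(r.read(max_vendor_id), max_vendor_id)
    ids = set()                             # IsRangeEncoding = 1: list of id ranges
    for _ in range(r.read(12)):             # NumEntries
        is_range = r.read(1)
        start = r.read(16)                  # StartOrOnlyVendorId
        end = r.read(16) if is_range else start
        ids.update(range(start, end + 1))
    return ids

def decode_core(tc_string: str) -> dict:
    """Decode the core segment of a TCF v2 TC string up to the vendor consents."""
    core = tc_string.split(".")[0]          # further segments are optional
    r = BitReader(base64.urlsafe_b64decode(core + "=" * (-len(core) % 4)))
    f = {name: r.read(width) for name, width in CORE_HEADER}
    if f["version"] != 2:
        raise ValueError(f"unsupported TC string version {f['version']}")
    return {
        "created": datetime.fromtimestamp(f["created"] / 10, tz=timezone.utc),
        "cmp_id": f["cmp_id"],
        "vendor_list_version": f["vendor_list_version"],
        "consent_language": _two_letters(f["consent_language"]),
        "publisher_cc": _two_letters(f["publisher_cc"]),
        "purposes_consent": _bitfield_to_ids(f["purposes_consent"], 24),
        "purposes_li_transparency": _bitfield_to_ids(f["purposes_li_transparency"], 24),
        "special_feature_opt_ins": _bitfield_to_ids(f["special_feature_opt_ins"], 12),
        "vendor_consents": _read_vendor_consents(r),
    }

def build_sample_tc_string(purposes: set, vendors: set, created_ds: int) -> str:
    """Encode a constructed core segment (bit-field vendor section only).
    cmp_id 999 and the other header values are placeholders, not a registered CMP."""
    def bits(value: int, width: int) -> str:
        return format(value, f"0{width}b") if width else ""
    def letters(code: str) -> int:
        return ((ord(code[0]) - 65) << 6) | (ord(code[1]) - 65)
    values = {
        "version": 2, "created": created_ds, "last_updated": created_ds,
        "cmp_id": 999, "cmp_version": 1, "consent_screen": 1,
        "consent_language": letters("EN"), "vendor_list_version": 120,
        "tcf_policy_version": 2, "is_service_specific": 1,
        "use_non_standard_stacks": 0, "special_feature_opt_ins": 0,
        "purposes_consent": _ids_to_bitfield(purposes, 24),
        "purposes_li_transparency": 0, "purpose_one_treatment": 0,
        "publisher_cc": letters("DE"),
    }
    out = "".join(bits(values[name], width) for name, width in CORE_HEADER)
    max_vendor = max(vendors) if vendors else 0
    out += bits(max_vendor, 16) + "0" + bits(_ids_to_bitfield(vendors, max_vendor), max_vendor)
    out += "0" * (-len(out) % 8)            # pad to whole bytes before base64url
    raw = int(out, 2).to_bytes(len(out) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

if __name__ == "__main__":
    # Constructed sample: consent to purposes 1-3 for vendors 2, 7 and 755,
    # created 2022-02-02T00:00:00Z (1643760000 s = 16437600000 deciseconds).
    sample = build_sample_tc_string({1, 2, 3}, {2, 7, 755}, 16437600000)
    for key, value in decode_core(sample).items():
        print(f"{key}: {value}")
```

To inspect a real banner, pass the value of the `euconsent-v2` cookie to `decode_core`. The vendor consents are what the auction partners read; a vendor ID set in that section is a party the visitor's profile may be shared with, which is why the decision treats the string itself as personal data that has to be deleted.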
These violations were found
The following violations of the General Data Protection Regulation were documented and criticized:
- Articles 5.1.a and 6 (lawfulness of processing; fairness and transparency)
- Articles 12, 13 and 14 (transparency)
- Articles 24, 25, 5.1.f and 32 (security of processing; integrity of personal data; data protection by design and by default)
- Article 30 (register of processing activities);
- Article 35 (data protection impact assessment);
- Article 37 (appointment of a data protection officer).
And a lot more in miscellaneous details. The bottom line is that these problems cannot be fixed with the current structure of the TCF framework.
What is the IAB doing?
IAB Europe has reacted "decisively" and first published a press release in which it writes that it is considering its legal options and looks forward to working with the APD on a compliant version of the TCF framework over the next six months.
It also writes that it believes the TCF framework has not been banned.
While that is true in a narrow sense, use of the framework in its current form is not GDPR-compliant and therefore a very big problem for everyone who relies on it. The IAB will also have to accept the criticism that it did not act during the years this proceeding was pending. For at least the next six months everyone is left hanging, because there is no robust, GDPR-compliant structure.
Officially, IAB Europe now has two months to submit an action plan showing how it will comply with the authority's decision, and six months after that to execute it satisfactorily.
Dr. Euwens, CEO of CCM19, commented: "We would like to continue working with the IAB; on a technical and communication level it has always gone very well. But please deliver a reliable construct that is future-proof, which we can also communicate to our customers."
What is the consequence for CCM19 and for you as a user of the IAB / TCF framework?
As a CMP, this decision presents us with a major challenge: how are we supposed to provide a GDPR-compliant TCF consent banner to our customers if the foundation that must be used, and that is mandatory in every detail, is itself not GDPR-compliant? That is not possible in this form; the IAB has now clearly left us, and every customer using the TCF framework, out in the cold.
Reassuring for all customers who do NOT use TCF but only the standard banners: this does not affect them.
What other consequences this decision will have in detail is not yet foreseeable, but they will be enormous. What is definitely clear at this point: continuing to use the TCF framework in this form violates the GDPR, and the IAB offers no way to change that. There is no form of the TCF framework that would be GDPR-compliant today. Whether there will be one in the future remains to be seen. We hope that the ad tech industry will work with the IAB to come up with a concept that works.
The technology for this exists, also on our side. So, IAB: get your job done!
With the next update, released today, our interface will show a notice about this situation, as seen here in the screenshot.
What can you do / What are the options for action?
Basically, there are two options for dealing with the situation:
- You can of course let it continue to run, but you need to be aware of the risks. All processes that strictly require the TC string may no longer be used as of today, since they are not GDPR-compliant, and this covers the entire IAB TCF construct. Whether you comply with that is your decision; we cannot recommend continuing.
- If you use processes that do not require TCF, you can run them as normal embeddings in the standard banner; you only need to make sure they are described correctly in the banner. Then you are on the safe side.
We are of course aware of the enormous economic stakes in this situation, but the bottom line is that we only implement the consent dialogue prescribed by the TCF framework, which:
- is 100% mandatory for the IAB; deviations are not allowed, and
- is therefore more or less identical across all CMP providers.
We cannot exert any real influence at this point; the ad tech industry has to act together with the IAB, and as soon as possible.
We would like to continue to work with the IAB, on a technical and communication level it has always been very good. But please deliver a reliable construct that is future-proof.
A telling example: Google AdSense
Google actually requires the use of the TC string. If you do not use it, or do not use it correctly, you get error messages and warnings that Google will block your account. Nevertheless, the ads have continued to be served and, to our knowledge, no account has been blocked for this reason so far. Presumably, and hopefully, Google will change its position in the near future. So if you currently use Google AdSense, you need strong nerves.
What is your opinion on this? Let us know.