iab europe Logo
Home Resources Articles 3 months with TCF 2.0 - Criticism from the Belgian data protection authority and official statement of the IAB Europe

3 months with TCF 2.0 – Criticism from the Belgian data protection authority and official statement of the IAB Europe

by Usercentrics
Oct 26, 2020
iab europe Logo
Table of contents
Show more Show less
Book a demo
Learn how our consent management solution can improve privacy and user experience for your users.
Book now
Get your free data privacy audit now!
Start scan

The Transparency and Consent Framework (TCF) version 2.0 of the Interactive Advertising Bureau (IAB Europe) has been officially in force since 15 August. 

The TCF 2.0 was intended to finally introduce a technical market standard that defines the retrieval and transmission of a user’s consent signals between publishers and third parties who have joined the framework (such as Google, Criteo, or Taboola). 

While some players in the digital advertising industry are celebrating the framework as a long-awaited standard to harmonize a heterogeneous market, critical voices are gradually becoming louder. But what exactly has happened?

 

According to the Belgian data protection authority, TCF 2.0 violates the GDPR

Only recently, the Belgian data protection authority (APD-GBA) published the preliminary results of a study on TCF 2.0 with a knock-on effect. The central message  was that, in their opinion, TCF 2.0 violates several points of the General Data Protection Regulation (GDPR). The report states:

“IAB Europe’s approach demonstrates that it neglects the risks that would impact on the rights and freedoms of data subjects”.

The accusation that the TCF 2.0 makes the processing of especially sensitive data such as health data, information regarding sexual orientation etc. technically possible for advertisers in Real Time Bidding (RTB), with or without the user’s permission, weighs particularly heavily.

“The TCF does not provide adequate rules for the processing of special categories of personal data. However, the OpenRTB standard, framed by IAB Europe’s TCF, does allow the processing of special categories of personal data”. 

What does the IAB Europe say?

In response to the report, IAB Europe has already published a statement challenging the Belgian data protection authority. IAB Europe points out that these are only preliminary findings without any legal effect.  

“The APD’s report represents the preliminary views of the APD’s investigations unit and has no binding effect with regard to any breach of the law by IAB Europe”.

IAB Europe also noted that although TCF 2.0 is a voluntary standard, it was developed in cooperation with European data protection authorities.

“The TCF is a voluntary standard whose purpose is precisely to assist companies from the digital advertising ecosystem in their compliance efforts with EU data protection law.” […]  “We find it regrettable that a standard whose requirements reflect an interpretation of the law that errs on the side of consumer protection and aligns with multiple DPA guidance materials across the EU (CNIL, DPC, ICO, etc.), should be the focus of an enforcement action, rather than an opportunity for a constructive, good-faith dialogue on how the TCF can be improved in ways that better align with the APD’s vision and with consumer and industry needs.” […] “We will also continue to work with regulators and seek their guidance on how the TCF can promote compliance with both the GDPR and the ePrivacy Directive.”

Source IAB: https://iabeurope.eu/all-news/iab-europe-comments-on-belgian-dpa-report/ 

 

To summarize, there is currently a lot of discussion on which TCF 2.0 CMP implementations are compliant and which aren’t. As the market is currently very dynamic, it remains to be seen what standards will prevail. 

Related Articles

California Privacy Rights Act (CPRA) and the future of privacy law

California Privacy Rights Act (CPRA) enforcement is starting: what you need to know

The California Privacy Rights Act (CPRA) has been in effect since January 1, 2023. CPRA enforcement was delayed due...

DMA Marketer

Implementing consent for Google ads personalization: A comprehensive guide to the Google Ads compliance alert

Google Ads’ notification to "implement consent for ads personalization" isn't just a policy change.

Products

Regulations

Legal

Resources

Company

© Copyright 2024 Usercentrics GmbH Terms & Conditions Terms & Conditions USA Privacy Policy Legal Notice Trust Center
Partnerships and certifications
CMP_BadgeG2 Leader - Winter 2024iab-logo-84huc-patentedBVDWiapp Bronze MemberWeb Content Accessibility Guidelines (WCAG) certification is considered the gold standard for web accessibility.ISO TÜV_Small (2)