Nearly five years on from the introduction of GDPR, the search for clarity continues for many in the ad industry.
Despite its ambitions to champion consumer privacy to the EU and beyond, the GDPR legislation that came into force in May 2018 has faced issues around its effectiveness. PMW’s own panel of experts asked if GDPR is still “fit for purpose” due to lack of clarity on compliance, evolving technology and the amount of resources each country's regulator has to track and investigate breaches.
In anticipation of the issues the ad industry would face, advertising trade body IAB Europe began working on the Transparency & Consent Framework (TCF) back in 2016. This was a tricky balancing act – trying to sustain crucial third-party addressability on the open web while complying with the EU’s incoming data privacy rules, rules that widened the scope of what would be considered “personal data”, narrowed the legal bases available to process it, and also threatened bigger fines than anything seen before.
The TCF aimed to standardise how businesses — publishers and adtech vendors predominantly, but also agencies — ensure that they comply with a limited set of requirements laid down by the EU’s GDPR and ePrivacy Directive when processing personal data or accessing and/or storing information on a user’s device, such as cookies, advertising identifiers, device identifiers and other tracking technologies.
But the course of the TCF has not been smooth, and now a key component of ad targeting, delivery and measurement, namely the management of consent preferences, hangs in the balance.
PMW caught up in November with Townsend Feehan, CEO at IAB Europe to talk us through its current dispute with the Belgian Authority. Feehan discusses how she thinks the industry can move forward in a way that works for advertisers, web users and regulators alike.
“Waving at the user”
“GDPR wasn't Europe's first privacy law,” Feehan tells PMW. “We had Data Protection Directives from 1995. In some ways, GDPR tweaked and expanded what we’ve already had in privacy regulation for a long time.”
“But the language in GDPR is quite vague. For example, user consent is supposed to be ‘unambiguous, specific, informed and freely given.’ Those are the four qualities of consent. But within that, there's not an annex showing what that really means for digital advertising, or any other sector for that matter. In response, IAB Europe laid out a framework and went to market, a month before GDPR was out in 2018.
“That had a pretty narrow functionality. It was just trying to help websites interact with their users for the purpose of establishing a legal basis, getting user agreement for processing of user data from vendors that were in the background and waving at the user and saying, ‘excuse me I want your permission to process your data’,” Feehan explains.
“A magnet for unwanted attention”
Alongside this consent legal basis, in 2020, the trade body rolled out TCF v2, enabling vendors to assert a ‘legitimate interest’ in processing users’ personal data.
“We standardised the way information should be presented to users and how the choices they make should be captured,” says Feehan. “We also established how this digital signal could be shared with the vendors.”
This proactive approach had an unfortunate side-effect that put a bullseye on the trade body itself, as Feehan explains: “It immediately became a magnet for unwanted attention, from people who are opposed to that whole system completely. On the basis of these complaints, rather than opening up a policy discussion, the Belgian authority decided to go for an enforcement action last February.”
In that decision, the Belgian authority found that the ‘TC String’ (the digital signal capturing users’ preferences) should be considered personal data. It also found that IAB Europe acts as a (joint) controller for the dissemination of the Strings and for other data processing done by TCF participants. Other elements of the decision concerned the TCF Policies (for example, legal bases facilitated by the TCF for personalised advertising).
IAB Europe appealed the decision, which led to the Belgian Market Court's interim (partial) ruling of 7 September 2022 that declared the Belgian Data Protection Authority’s decision on the TCF illegal. The ruling contained definitive findings on procedural arguments, but referred questions on substantive issues to the European Court of Justice. The finding of illegality - part of the procedural findings - arose from the regulator's “lack of due care” in reaching the conclusion that the TC String itself constituted personal data.
“On the procedural arguments, the court has already deliberated and they've already found that Belgian decisions are illegal on procedural grounds,” Feehan says. “But on the substantive arguments, the case on the merits, the Belgian court has said they can't issue a judgement without going to the European Court.”
The Belgian Market Court decided to seek guidance from the Court of Justice of the European Union on both these points.
A chance for new dialogue?
“We have a shared interest in getting to the right answer and extending the framework, making it more functional, and broadening it in some of the general directions in ways that go beyond what's in the action plan, ” Feehan concludes.
Townsend Feehan is CEO at IAB Europe
*Since this interview took place in November, the Belgian Data Protection Authority validated IAB Europe’s submitted action plan. The plan was validated in its entirety in January 2023. While IAB Europe is pleased that the action plan was favourably received by the APD, it has grave reservations about the APD preempting responses from the CJEU, in effect imposing changes to the TCF that might need to be rolled back at the end of the appeal process. IAB Europe’s reaction to this announcement can be found here.