The Belgian Data Protection Authority (APD) recently released a draft decision imposing a €250,000 fine ($285,000) on the provider of a consent mechanism that operates within a real-time ad bidding program. The ad bidding program, OpenRTB, allows advertisers to place online ads through an automated online auction of available ad space. Thousands of advertisers can bid on space in real time, through a fairly complex process involving many different entities (a schematic of the process was included by the APD in its decision on page 9). The case first arose in 2019, and after several interim decisions the APD has now set in this draft decision, among other things, a two-month deadline for IAB Europe to present a remediation plan to the APD. The case was one with cross-Europe impact, and thus the APD’s decision has been sent to its European counterparts for feedback.
The subject matter of the case was IAB Europe’s “Transparency and Consent Framework” (TCF). TCF was designed to provide consumers control over the targeted ads they are served through the OpenRTB process. Under TCF, the first time a user visits a website with targeted ads served through OpenRTB, the user sees a pop-up that asks for consent. The pop-up asks whether information can be shared with third parties and requests consent for ad tech vendors’ processing of information. The IAB then stores and shares these consent preferences with companies that participate in their program.
The APD ruled that IAB Europe’s Transparency and Consent Framework did not meet the lawfulness, transparency, and accountability provisions of the GDPR. The APD found, among other things, that users didn’t truly understand what they were agreeing to, and thus that the consent was not clear. Providing clear consent was the responsibility of IAB Europe, the APD held, since it was the “controller” of the information. (That finding, of being the “controller,” is something IAB Europe has disagreed with.) Included in the sanctions imposed on IAB Europe was strict vetting of companies participating in the program to make sure that they complied with GDPR. The APD decision gives IAB Europe two months to present an action plan to remedy the violations and bring TCF into compliance with GDPR. IAB Europe has since stressed that TCF has not been prohibited, but that it will need “additional functionality.” The European data protection authorities to whom the draft has been sent have until early March to provide their input.
Putting it Into Practice: We anticipate that the TCF program will be changing soon. While we wait, publishers and vendors who rely on the TCF may need to “adapt” their use of TCF (as noted by IAB Europe). IAB Europe has provided a list of FAQs for companies that rely on TCF, which may be useful, and we will continue to monitor for developments.