The Interactive Advertising Bureau (IAB) Europe ad tracking consent framework, commonly known as IAB TCF, was one of the first industry standards established to help publishers ensure compliance with General Data Protection Regulation (GDPR) terms governing consent to participate in targeted ad systems and is widely used. There’s just one small problem; it may not actually comport with the relevant GDPR data protection rules.
The Belgian data protection agency (DPA) has completed an investigation of the IAB TCF and has found a number of areas in which it does not meet GDPR standards, including a failure to establish rules for processing special categories of sensitive personal information that require additional care in handling.
The IAB TCF may no longer stand up
Introduced in 2018 just before the GDPR went into effect, the IAB TCF is used by many organizations throughout Europe including some of tech’s biggest names (such as Google). The framework was meant to guide all types of publishers in staying within the bounds of GDPR regulations while using personalized ad tracking systems, particularly in terms of legally gathering end user consent.
The Belgian DPA’s investigation, which was initiated by user complaints, found that the use of personal data in the real-time bidding (RTB) component was not compatible with GDPR security requirements. Real-time bidding is a system that allows advertisers to pre-place bid amounts for ad impressions tied to certain demographic qualities and/or key search phrases, with the highest bidder “winning” the impression at the time that the targeted user loads the page it will appear on.
The investigation found that the IAB TCF system was processing sensitive personal information in special categories without adequate rules and safeguards in place. This includes health information, sexual orientation and political affiliations. The DPA also found that the system lacked adequate “transparency, fairness and accountability.” Another strike against the IAB was that the organization appears to have never appointed a Data Protection Officer and was not adequately accounting for internal processing of personal data.
The ad organization responded to the investigation by saying that it disagreed with the Belgian DPA’s conclusions and that IAB TCF is a “voluntary minimum standard” meant to be a “minimal set of best practices.” The agency called for a dialogue rather than a jump to enforcement action, and opined that legal action against the IAB TCF could have a “chilling effect” on the development of future open-source compliance standards.
Ad tracking under fire in the EU; is GDPR enforcement forthcoming?
The investigation of the IAB TCF stems from a more general campaign against RTB systems that dates back to the beginnings of the GDPR era. Critics of RTB systems characterize them as a widespread and ongoing data breach, harvesting and using personal information in ways not supported by the GDPR even when affirmative consent is given by the end user.
Much of the concern centers on bugs, glitches and exploits that have been discovered in these ad tracking systems. One example is a 2019 Twitter glitch that caused the location data of some iOS users to accidentally be shared with an advertiser. Another 2019 complaint claims that Google’s Doubleclick/Authorized Buyers ad tracking system broadcasts personal information such that advertisers can defeat its “pseudonymizing” technology to identify the data subject’s name.
RTB ad tracking systems have faced investigations in the past, most notably Google’s Ad Exchange facing scrutiny from Ireland’s DPC last year, but critics contend that the data protection authorities have thus far done nothing more than extend the length of investigations (pausing some indefinitely due to the pandemic) and occasionally issue toothless warnings.
The Irish DPA generally takes point on rulings that could involve cross-border personal information transfer, but this sharply worded statement by the Belgian DPA could indicate that regional authorities may be more willing to take proactive measures against the ad tracking industry when the complaints begin to pile up.
The current report is only preliminary, and any actual action by the Belgian DPA would not take place until 2021. The case now goes to the agency’s litigation chamber which determines what the next steps will be. While it’s possible that the IAB TCF could be invalidated as a usable ad tracking framework, it’s unclear if or how the organization might be fined for it given that it’s provided as a voluntary framework. Any fines would more likely be directed at internal data processing activities. This could have a substantial impact on the operations of many organizations, however, given that the IAB has been looking to have the TCF adopted as a standard model in California for compliance with the California Consumer Privacy Act (CCPA).