IAB Europe TCF (Transparency and Consent Framework) under fire again

November 2021

The Belgium regulator (APD) is expected to announce that IAB is a data controller with TCF

What does the future hold for third-party cookies? The Belgium DPA has apparently notified IAB Europe that they will find them to be in breach of GDPR. An investigation has been carried out by Belgium DPA which will be shared with other Data Protection regulators across Europe. 

These regulators have 30 days to review the proposed ruling before it is adopted by Belgium DPA or referred to European Data Protection Board. If adopted IAB has six months to change its framework to comply. The IAB has robustly defended its position and says it will be able to comply. The IAB stated:

 “It will also find that those infringements should be capable of being remedied within six months following the issuing of the final ruling, in a process that would involve the APD overseeing the execution of an agreed action plan by IAB Europe,” 

How did this start? 

This started in 2018 with a series of complaints made about the IAB’s Transparency and Consent Framework. In particular, the complainants contended that the use of personal data in the process to place digital advertising, known as Real-Time Bidding, represented a massive worldwide data breach. 

One of the complainants, ICCL (The Irish Council for Civil Liberties) noted:

“these (cookie) popups purport to give people control over how their data are used by the online advertising industry. But in fact, it does not matter what people click.”

The ICCL has also launched a privacy lawsuit against the IAB in Germany.

The Belgium DPA investigated these complaints and published their initial findings in October 2020. It appears that they are now about to announce formal action against IAB.

What is the problem?

At its heart is the issue of whether the IAB is a legal data controller. IAB has said that Belgium DPA considers them to be a legal data controller for the TC Strings – also know as:

“digital signals created on websites to capture data subjects’ choices about the processing of their personal data for digital advertising, content and measurement” 

 “The APD is understood to consider these signals to be personal data,” 

IAB Europe has vehemently rejected the notion that they are anything but a data processor. They have consistently asserted that the AdTech providers they serve are the data controllers. 

What does this mean?

Potentially, all Real-Time bidding activity using TCF could be stopped. The more likely outcome is that IAB will rectify the problem within the 6-month period allocated to them. Longer-term, though, this is just another nail in the coffin for the use of third-party cookies for targeting digital advertising. 

For any marketing team who are not giving serious consideration to how they’re going to replace the Real-Time Bidding free for all, this is yet another warning that the world is changing. Even if IAB Europe does manage to fend off this particular attack, the future of the Transparency and Consent Framework is under threat. 

The future of third-party cookies

To many, it is obvious third-party cookies have had their day. Google announced that they would not be supported by Google Chrome from around now. Although their launch of the Google Sandbox has been delayed, this is a stay of execution, not a change. As Google controls more than 60% of the browser market, this was a game-changing announcement. 

What should marketers do?

  1. If you haven’t started your programme of first-party data collection, start now. This is data supplied by individuals through the course of a transaction or communication. It could be their address, email telephone number etc. Obviously ensuring you have used an appropriate lawful basis to use that data to create marketing segments is essential and that this activity is mentioned in your privacy notice. 
  2. Investigate how you can start to collect Zero party data. This is a newish term coined by Gartner in 2020. This means data that is collected by inviting individual users to volunteer information through surveys/questionnaires etc. By definition, the lawful basis for using this data will be consent but make sure that the use case is clearly communicated at the point of data capture. 
  3. Seek out contextual advertising solutions. These are programmatic advertising solutions that use context to understand the audience rather than those systems powered by segments built using third-party cookies. Several major media owners have already signed contracts with big providers such as Permutive. 
  4. Also, consider using any promotional solutions which employ Edge computing. Look for advertising solutions that do not suck a user’s data into a central hub but allow that data to stay on the user’s own device.
  5. Investigate the use of second-party data. This is permissioned data owned by one organisation that is sold directly to another for that organisations’ exclusive use. Also, look at data cooperatives, data marketplaces & exchanges and technical data environments – sometimes called clean rooms. These also use permissioned data to build audience insight. The key here is to interrogate the provenance of that data. Can the supplier provide a clear audit trail? 
  6. Consider the use of vertical networks – a blunter object than contextual advertising solutions but an effective way of promoting your services to special interest groups.

Whilst we remain in a state of limbo with third-party cookies, it may seem difficult to decide what to do next. The reality is that we need to assume that cookies will disappear and the sooner other compliant and more ethical targeting methods are used, the better.