Back in November 2020, Clym reported on a potentially landscape-shifting investigation by Belgian’s Data Protection Authority (“BDPA”), which had determined that the Interactive Advertising Bureau’s (“IAB”) TCF framework (“TCF”) for obtaining Internet users’ consent for targeting with behavioral ads is noncompliant with the requirements of Europe’s General Data Protection Regulation (“GDPR”). This finding, if confirmed, would have massive ramifications for European companies, as up to 80% of EU internet traffic has adopted the TCF. Unlike our competitors, in the wake of BDPA’s finding, Clym halted its exploration of implementing the TCF so as to not jeopardize our customers with potential fines and penalties for GDPR noncompliance. Today, 28 EU data protection authorities, led by the BDPA, have confirmed that IAB was aware of the risks of noncompliance, had “systematic deficiencies” and overall IAB was “negligent”. In a striking result, the authorities demanded that all data collected through the TCF must now be deleted, a result that will affect thousands of businesses who have adopted the TCF.
In April 2018, IAB developed its Transparency and Consent Framework (“TCF”), with the stated aim to help publishers comply with the GDPR. IAB stated that the TCF would help the digital advertising ecosystem comply with obligations under the GDPR and ePrivacy Directive. As noted above, the TCF has been widely adopted by consent management providers and their customers. In November 2020, the BDPA found that the TCF was noncompliant, excoriating IAB’s own approach to GDPR, and the case has been ongoing since that time.
What are the Findings?
Regulators found that the TCF infringes the GDPR by:
- Failing to ensure personal data are kept secure and confidential (Article 5(1)f, and 32 GDPR)
- Failing to properly request consent, and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by the online advertising tracking (Article 5(1)a, and Article 6 GDPR)
- Failing to provide transparency about what will happen to people’s data (Article 12, 13, and 14 GDPR)
- Failing to implement measures to ensure that data processing is performed in accordance with the GDPR (Article 24 GDPR)
- Failing to respect the requirement for “data protection by design” (Article 25 GDPR)
Regulators fined IAB and outlined 8 changes that could, if adopted by IAB, render the TCF compliant, however those changes would significantly change the TCF’s functionality. The decision is immediately binding and enforceable across the EU.
How Can Clym Help?
Clym has not implemented the TCF, so our customers are not affected, and while we aim to stay on top of regulations as they evolve, we won’t adopt unproven standards that jeopardize our customers’ compliance. Companies currently using the TCF for GDPR compliance should review their data privacy protocols in light of this decision, and make changes as required. Clym provides a cost-effective, scalable and flexible platform to help comply with CCPA, GDPR, and other laws as they continue to change. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.