IAB TCF illegal? All facts here in the FAQ
The Belgian data protection authority APD made a decision on 02 Feb 2022, in a procedure that had been going on for a good year. The approximately 130-page explanatory text shows many weaknesses of the IAB TCF, but also many opportunities for reform. Is the Transparency and Consent Framework now illegal? What do publishers have to consider? And what happens next? Our FAQ explains.
Updated June 2023
With the TCF 2.2, the IAB has set the course for taking the steps mentioned in the action plan. A transitional phase will now run until September 30, 2023, during which providers and websites can update to the new standard. From October 2023 only the IAB TCF in version 2.2 will apply.
Update January 2023
The action plan submitted by IAB Europe was accepted by APD and further steps towards GDPR compliance were initiated. The IAB Europe now has 6 months to implement the action plan.
April 2022 update
The IAB Europe has meanwhile lodged a complaint with the responsible court (Market Court) and challenged the procedure and the decision as such. At the same time, the requested action plan was submitted by IAB Europe. The APD will now examine the action plan; however, a decision is not expected before the end of June 2022. If the action plan is accepted by APD, IAB Europe must then implement it within 6 months.
May 2022 update
IAB Europe withdrew a requested stay of proceedings after APD confirmed the timeline for reviewing the action plan. Accordingly, APD will not make a decision on the action plan before September 1, 2022. By then, the Belgian court (Market Court) will also have decided on the procedure, and the implementation of the action plan can take place in the subsequent 6 months.
In its final report, the Belgian data protection authority APD formulated various problems for the IAB Europe and the IAB TCF. The main sticking point is that APD sees IAB Europe as the controller. Furthermore, the TC string generated by the TCF (the consent information) is regarded as personal data, which would itself require consent.
What does Belgium have to do with it?
Since the GDPR came into force in 2018, there have been several complaints in different countries against IAB Europe as the body behind the IAB TCF Standard and the related policies and CMPs. Since the IAB Europe is based in Brussels, the Belgian data protection authority was in charge of the procedure (“one-stop-shop” regulation of the GDPR).
Does the Belgian judgment also apply in other countries?
Yes, all data protection authorities must follow the Belgian ruling and not deviate from it.
What exactly does the judgment say?
The verdict is more than 120 pages long and can be downloaded here as a PDF (English). It gets “interesting” from section 535, in which the actual offenses are explained:
- The TCF does not represent a valid legal basis for the processing of user decisions. Consent has not been given sufficiently (see next point).
- The TCF does not transparently reflect the information that a user needs to make a decision.
- The security of the TCF as a mechanism is not sufficient (e.g. to prevent misbehavior of CMPs).
- The IAB is viewed as the client (controller) of the data. This results in certain obligations for the IAB Europe, which have not been complied with to date; specifically, a register of data processing is missing.
- The IAB Europe did not carry out a DPIA, although it would be necessary to do so.
- The IAB Europe has not appointed a data protection officer, although this would be necessary.
What are the consequences?
The sanctions against the IAB Europe ultimately result from the offenses (see above) and are:
- (Re)design the TCF in such a way that it results in a valid legal basis.
- Data that IAB Europe has collected so far must be deleted.
- The legal basis “legitimate interest” may no longer be used in the TCF.
- Reorganize the TCF so that CMPs have a “harmonized” way to obtain consent in a GDPR-compliant manner. Information should be presented in a concise, concrete but understandable manner.
- Appropriate security mechanisms must be developed to protect the TCF.
- The IAB Europe must create a register of data processing.
- The IAB Europe must conduct a DPIA.
- The IAB Europe must appoint a data protection officer.
Furthermore, the IAB Europe is required to draw up an “Action Plan” within 2 months. This is to show the steps that are to be taken to make the TCF compliant in the future. As soon as the plan has been accepted by the APD, the IAB then has another 6 months to implement it accordingly.
Are all CMPs illegal now?
No. A CMP like that of consentmanager is generally independent of this – after all, a website operator can configure the CMP in such a way that it becomes compliant or switch off the TCF completely in the CMP.
Is the TCF illegal now?
No. The current form is considered insufficient. The IAB Europe now has the task of initiating appropriate measures and making the TCF compliant again.
The IAB Europe now has 2 months to develop measures and/or to submit an objection. It is assumed that both will happen: There will certainly be an objection to individual components of the decision – at the same time, we will see how the TCF can be put on a secure footing. In particular, the aim here is to convert the TCF into a Code of Conduct (CoC). The IAB has been working on this for a long time. A CoC would have further advantages and greater legal certainty.
Who does the judgment affect?
For the time being, it only directly affects IAB Europe. Indirectly, it affects CMPs, providers and publishers in the medium term – at the latest when new purposes and legal bases have to be set in the consent layer or the technical substructure changes.
How should I react now?
As with everything, it is not wrong to take a close look and wait and see how the actors behave.
As a general recommendation, it can be deduced that “legitimate interest” is not regarded as a sufficient legal basis for online advertising – this had already been announced in advance and in other judgments. If you use marketing tools on your website, you should check whether they require consent.
In general, we recommend using the TCF only when it is really necessary. This might not be the case for most e-commerce websites, for example. At the same time, most news sites will continue to rely on the TCF. Here we recommend checking the description texts and provider lists carefully and, if necessary, providing more precise descriptions and further information.
Do I have to delete all my data now?
No. The Belgian judgment only affects IAB Europe for the time being. Indirectly, however, it can be assumed that a “pure TCF CMP” also falls under the conditions of the judgment and has therefore not lawfully obtained consent.
Are websites using the TCF now at risk?
No. On the one hand, actors will initially wait – this also applies to the data protection authorities in other countries. As long as the procedure is still “pending”, it makes no real sense to use it as a basis for warnings or new proceedings.
On the other hand, it is still unclear whether the TCF itself can be used in a compliant manner under certain conditions. Here, too, it remains to be seen; keep an eye on the development of the TCF if necessary.
What does consentmanager do for me? What should I do?
As a member of IAB Europe and various national associations and other groups, consentmanager is actively involved in the deliberations and decisions within the IAB. In this respect, consentmanager will be able to implement all necessary steps promptly in order to be able to protect its customers legally or technically.
As a consentmanager customer, you do not have to do anything specific (see above for exceptions). All technical and procedural adjustments that a “new” TCF requires can be made internally by us – there is no need to replace the code now.