2 min

Tags in this article

, ,

The organization is considering legal action after receiving a fine for breaching GDPR rules.

IAB Europe is considering legal action having been fined by the Belgian Data Protection Authority after they found that the IAB’s Transparency and Consent Framework (TCF) failed to comply with GDPR measures.

As a consequence, the Belgian Data Protection Authority (APD) fined the organization 250,000 euros.

According to the chief executive of the European arm of the Interactive Advertising Bureau (IAB), Townsend Feehan, it was “grossly unfair” that “a small body like ours should bear legal responsibility for the data processing activities of an entire industry.”

The crux of the problem is the APD considers the IAB a data controller—therefore, directly accountable under the GDPR for how companies use its framework when carrying out digital marketing.

The IAB’s Transparency and Consent Framework (TCF)—the de facto standard for the adtech industry—is meant to be a GDPR-compliant way for companies to use and profile customers’ personal data so they can target customers with more specific advertising and digital content based on their preferences.

The APD believes the framework fails to comply with the GDPR because it does not establish a proper legal basis for processing personal data. They say it fails to properly inform users how their data will be used and what they might be consenting to. It also provides users with little choice other than to accept or reject a website’s terms.

“The TCF plays a pivotal role in the architecture of the OpenRTB system, as it is the expression of users’ preferences regarding potential vendors and various processing purposes, including the offering of tailor-made advertisement,” Belgian authorities said.

The IAB shared a statement on the Belgian DPA’s decision. “Notwithstanding our grave reservations on the substance of the decision, we look forward to working with the APD on an action plan to be executed within the prescribed six months that will ensure the TCF’s continuing utility in the market. As previously communicated, it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct. Today’s decision would appear to clear the way for work on that to begin.”