Ad
Image: Uliana/Adobe Stock
European regulators have ruled that the consent mechanism used for tracking-based advertising by companies like Google, Amazon, X (formerly Twitter), and Microsoft violates the General Data Protection Regulation. Specifically, the Transparency and Consent Framework or TCF developed by the Interactive Advertising Board (IAB) Europe, which standardizes how websites obtain user consent for tracking, was found to fail GDPR requirements for valid informed consent.
In 2022, the Belgian Data Protection Authority (DPA) determined that the way websites collect and share visitor data through Real-Time-Bidding (RTB) — the system used to auction digital ad space — illegally processes personal data without valid consent. IAB Europe was fined €250,000 and ordered to overhaul the TCF.
While IAB Europe appealed, the Belgian Market Court recently upheld the DPA’s findings, confirming that IAB Europe is responsible for the unlawful consent framework, though not directly accountable for how third-party advertisers process data downstream. This nuance limits IAB Europe’s responsibility but does not change the fact the current TCF setup is GDPR non-compliant.
IAB Europe has proposed changes to the TCF to address these compliance issues.
What’s hot at TechRepublic
How tracking-based advertising works
Different online advertising spaces derive their value from the user profiles of the individuals they are shown to, and the more specific those personas are, the better. These profiles are formed through tracking users across websites and apps using cookies, which collect data on their behaviour, interests, and browsing history.
The advertising spaces are then divided out through a process called Real-Time Bidding, where advertisers bid within milliseconds for the opportunity to display their ads to specific individuals they are targeting. One of the pieces of information advertisers are given about a spot is the Transparency and Consent (TC) string, which indicates what data the user has agreed to share and how it can be used.
SEE: Google Abusing Dominant Position in Ad Tech Sector, Says U.K. Government
The TC string theoretically helps ensure that advertisers only bid on spaces where they are legally allowed to process user data for targeted advertising. It is a component of the so-called Transparency and Consent Framework, developed by IAB Europe, which standardises how websites with advertising space gain consent for tracking their visitors.
But when a user clicks “I accept” to advertising cookies, do they really understand what they are consenting to? Are they fully aware of every website, advertiser, and ad tech company that will have access to their user profile? Given the inherent complexity and opacity of the RTB system, it’s unlikely. The courts have deemed the TCF string personal data within the scope of GDPR, and the lack of transparency and informed user consent renders the TCF insufficient and thus GDPR non-compliant.
Ad
