The latest report from the Belgian Data Protection Authority concludes that the IAB TCF framework does not comply with GDPR. The findings are damning, but it is only a report, not a decision. The APD procedure is still ongoing. For website publishers, however, it may be time to switch to opt-in marketing. This is our market news of the day.
The damning report of the Belgian Data Protection Authority
- The English and Irish authorities were the first to be seized;
- Other complaints followed: in Belgium, Luxembourg, the Netherlands…
Recently, Techcrunch revealed some shocking findings: the conclusions drawn by the Belgian Data Protection Authority’s investigative service. The investigations focused on RTB and the framework proposed by the IAB to secure data collection via advertising trackers.
According to the report, the framework does not comply with GDPR. The findings are particularly unfavorable:
- The IAB aims to offer a framework and best practices to implement on its website. However, according to the APD, IAB Europe plays a role in processing data… up to assuming responsibility for processing.
- Non-existent governance: 1/ No Data Protection Officer has been appointed; 2/ IAB Europe needs to keep a register for the data processing it carries out; 3/ No privacy policy on its website to inform Internet users.
- The TCF framework does not respect the major principles underlying the processing of personal data: transparency, loyalty, accountability, the lawfulness of processing;
- The TCF allows sensitive data (political opinions, religious affiliation, sexual orientation…) to be processed without sufficient supervision. For example, the Irish Council for Civil Liberties, which supports these coordinated complaints, examined how data on LGBT+ profiled individuals influenced a national election.
The IAB’s TCF is affected but has not (yet) sunk
No hasty conclusions: the APD has not reached a final decision.
As the IAB pointed out, this is only a report from the APD’s investigative service. This report will be handed over to a litigation service to initiate a procedure. Not before 2021…
Indeed, the investigations conducted by the British data protection authority (ICO) led to publishing of a public report in 2019 urging the ADtech sector to reform. But since then, nothing. Any further action has been suspended during the pandemic.
Furthermore, the IAB has announced that it has recently published a v2 of its framework. Discussions are ongoing with European and national authorities regarding how to make the TCF compliant.
What are the consequences for your websites?
This unfavorable context for real-time bidding (RTB) is a significant opportunity for you. Stand out, and show your concern for the personal data of your prospects and customers.
The subject of cookies still needs to be better understood by many users. However, online advertising, particularly tracking and retargeting, is attracting growing concern.
So, what can you do?
- Switch to a revitalizing marketing approach. Opt-in marketing and chosen marketing are waiting for you.
- Play the transparency card. Make it pleasant to find out which cookies are deposited on your site and make a choice to accept or refuse them.
- Don’t display an ugly cookie banner; consider the design and user experience. Offer an aesthetic module and a friendly experience. From now on, you will be helping by giving control over cookies.
- Make your privacy policy and cookie section readable.
Axeptio offers a cookie management module that exactly meets these objectives. We can accompany you in installing the tool and even offer in-house illustrations.
