Transparency and Consent Framework System not GDPR compliant
The Belgian DPA recently fined an international digital marketing organization for non-compliance with GDPR.
On 2 February 2022 the Belgian Data Protection Authority (DPA) ruled that the Transparency and Consent Framework (TCF) developed by an international digital marketing organization did not comply with several provisions of the General Data Protection Regulation (GDPR). The DPA imposed a fine of 250.000 EUR and required an action plan for compliance with the GDPR in two months.
TCF is a widespread mechanism that facilitates the management of user preferences for online personalized ads. It reflects processing purposes and user preferences with respect to potential vendors, aiming to strengthen the GDPR compliance of organizations by relying on the so called OpenRTB protocol.
This protocol is used very frequently for "Real Time Bidding". When users visit a website or application that contains ad space, technology companies, representing thousands of advertisers, can bid for that ad space "in real time" behind the scenes through an automated auction system that uses algorithms to show targeted ads tailored to the visitor's profile.
An interface (Consent Management Platform) appears upon first visit of a website or application where users can give their consent or objection to the collection and sharing of their personal data or the various types of processing, which happen based on the legitimate interests of ad tech vendors.
TCF captures the users' preferences, which are then encoded and stored in a "TC string” (Transparency and Consent String). These preferences are shared with the organizations participating in the OpenRTB system, giving them knowledge of the users' consent and objections. The CMP also places a cookie on the user's device. This cookie, in combination with the TC string, can be linked to the user's IP address, making the user identifiable.
The Belgian DPA considered that the international digital marketing organization acted as a data controller with respect to the registration of the destination signal and the users' preferences and objections by means of the unique "TC string", which is linked to an identifiable user.
Following this conclusion, the Belgian DPA found some violations of the GDPR. Regarding the lawfulness of the processing, the Belgian DPA stated that the international digital marketing organization has no legal basis for the processing and that the legal grounds provided by TCF for further processing by ad tech vendors were insufficient. Furthermore, the information provided through the CMP interface was considered too general and vague to understand the nature and scope of the processing, making it (too) difficult for users to retain control over their personal data.
Furthermore, a number of other violations of the GPDR, such as the fact that no register of processing activities was drafted, no data protection officer was appointed and no data protection impact assessment was conducted, were established.
Given the risk that a large group of citizens might lose control over their personal information, the Belgian DPA has imposed an administrative fine of €250,000 in addition to corrective measures (including establishing a valid legal basis and thoroughly screening participating organizations on GDPR issues) to make the current version of the TCF compliant under GDPR.
It is worthwhile mentioning that, in the light of the “one-stop shop” mechanism (the cooperation mechanism under the GDPR), the current decision was approved by all authorities involved.
If you have any questions, do not hesitate to reach out to us.