The case of the European IAB, the Belgian DPA and the GDPR

How the ruling by the Belgian Market Court may impact the ad targeting ecosystem

There have been a lot of emotive headlines recently relating to a 14^th May ruling by the Belgian Market Court on the legality of IAB Europe’s “Transparency and Consent Framework (TCF)”. Many have described it as now being illegal under the GDPR and a point of reckoning for programmatic buying. Privacy campaigners view this as a moment for celebration, while the ad tech space has adopted a more pessimistic outlook. But what will the real impact be?

In the short term it is likely that very little will change, but the ramifications of this are potentially significant and something which advertisers must be aware of. The ruling is yet another reminder that the status quo in the ad tech space is changing, and strategies need to adapt accordingly. To understand why this is and why there has been so much noise around this ruling, we need to go back to the start of the story and understand how this has developed.

What is the TCF and how does it work?

Developed by IAB Europe, this is the framework which has been utilised by the ad tech space as a mechanism to operate in a consented model under the GDPR. It’s the compliance infrastructure that sits behind the cookie consent pop-ups which we’ve all become used to interacting with.

When a user interacts with the banner their preference is encoded into a “Transparency and Consent String” (TC String), which is then shared with various ad tech vendors participating within the RTB ecosystem. This data is then used to feed behavioural retargeting models much loved by platforms such as Google, Amazon and Meta.

Why has the TCF been challenged?

Whilst billed as a GDPR-compliant solution, following several complaints the Belgian regulator determined that the mechanism was in breach of the GDPR. Their decision was impacted by some key findings:

1. The TCF doesn’t give the user meaningful control over their data.
2. The consent given wasn’t specific, informed or freely given.
3. The TC String themselves represent personal data under the GDPR.
4. The IAB themselves should be taking responsibility as a joint data controller for the collection and processing of the data.

The IAB pushed back vigorously on this ruling, which has led to a years-long legal saga which saw its latest twist on the 14^th May. In a legal ruling made by the Belgian Market Court, the original decision was thrown out on procedural grounds, but some of the core findings were still upheld.

Where does this leave us for now?

Despite attention-grabbing headlines on both sides of the argument, the TCF hasn’t been declared to be illegal, but the ruling does still have some far-reaching consequences. So, what were the core elements still upheld?

1. The TC Strings are personal data, since the IAB or TCF participants can reasonably use this data for identifying an individual. This is based on older versions of the TCF, and language has since been revised, but it does appear to set a precedent on the use of this type of data.
2. IAB Europe is a joint controller of the TC String in relation to their processing of this data. Whilst they claim they just set the standard, the ruling lays out that the IAB play too central a role in the collection of the data and must take joint responsibility for the processing of personal data for this purpose.
3. Responsibility stops with the processing of the TC String. Whilst joint controller of this data set, the IAB’s responsibility stops there. In a row-back from the original decision they are no longer seen as accountable for what a third party does next with the data.

What has the decision highlighted?

For the IAB, beyond a £250k fine, they must implement their action plan. This has already been submitted and approved by the regulators, and there is no existing threat to its continued use. There are implications for those continuing to use the framework though.

Legal basis for processing: Simply relying on the TCF isn’t enough; companies must ensure they have a valid legal basis for processing personal data, such as explicit user consent.

Transparency and user control: There is a need for clearer, more granular information to be provided to users regarding data processing activities. All providers accessing the data must be listed.

Accountability: Organisations must implement appropriate technical and organisational measures to demonstrate compliance with GDPR principles, one requirement being that they must provide access to their consent logs for audits at any point without “undue delay”.

What does this mean for advertisers?

If you’re still using cookie-based personalised ads, you need to be incredibly careful and ensure that the data has been gathered with genuine consent. We advise our clients to diversify their targeting and focus on cookie-free solutions to future-proof their marketing, whilst continuing to deliver high-performing campaigns.

Harnessing first-party data. Use your own data collected directly from your users with transparency and clear consent. This offers great opportunities to segment your audience on shared behaviours, demographics and engagement, understand your highest-value clients, and build appropriate profiles. By using a Customer Data Platform (CDP) these segments can then be used to deliver targeted messaging across a range of RTB channels.

Contextual. This allows you to place your messaging in highly relevant environments, increasing the opportunity for engagement. Next-generation contextual tools like our Semantix engine are changing the landscape, using short phrases rather than keywords to find articles specifically discussing the topic which your messaging focuses on. You can read more about this approach here.

In summary, the Belgian Market Court’s decision underscores the importance of robust data protection practices in the digital advertising space. Organisations must prioritise transparency, user consent and accountability and be wary that third-party frameworks aren’t a silver bullet.

The marketers that win in this new world are the ones that respect user privacy and embrace privacy-first ways to deliver relevant, compelling messaging to their audiences.