On February, 2nd, 2022, a very important decision was reached by the Belgian Data Protection Authority (the APD: Autorité de Protection des Données) with deep consequences for the advertising industry (publishers, advertisers and vendors). Naturally, we've been getting a lot of questions from clients, partners and prospects on the topic.
As a Consent Management Platform (CMP) provider, we're front and center in helping our clients collect and manage consent, and it’s important for us to open the conversation and provide useful documentation on the topic.
In an effort to promote transparency, we decided to hold a webinar on the 10th of February to communicate on this decision and discuss with clients, prospects and partners about our recommended actions, how business could be impacted, and what the future might look like.
It was hosted by Didomi’s Chief Technology Officer (CTO) Jawad Stouli, Chief Privacy Officer (CPO) Thomas Adhumeau, Vice-President (VP) of Product Antonio Anguiano, and Agnostik’s founder Frank Ducret. Watch the recording here, and continue reading to learn more:
What is the Transparency and Consent Framework (TCF)?
Before jumping into the APD’s decision, it’s important to understand what the Transparency and Consent Framework (TCF) is.
Created by IAB Europe, the TCF is described as "the global cross-industry effort to help publishers, technology vendors, agencies and advertisers meet the transparency and user choice requirements under the General Data Protection Regulation".
For the digital advertising industry to provide the right level of transparency to users while giving the appropriate level of control to publishers, a standardized, widely adopted way to manage consent was indeed needed. It consists in four pillars:
A set of policies that publishers, vendors and CMPs must abide by
Specifications, that participants need to implement
A global vendor list, so that there is a centralized and up-to-date list of all participants
CMPs, not directly managed by IAB Europe
This decision from the Belgian APD has impacted all four pillars.
Understanding the Belgian APD's decision
The Belgian APD’s decision in its entirety is quite a complex document. To facilitate its understanding, we’ve extracted a high-level summary of finding, with four key insights:
The Transparency & Consent (TC) string, the consent signal stored by players in the advertising industry, is considered personal information, for which participants need to establish a legal basis, be it consent, legitimate interest or something else
IAB Europe is a data controller of that information, regardless of the fact that it doesn't process the consent information
IAB Europe is a joint controller with TCF participants (vendors, CMPs, publishers). As a result, the APD considers that it failed to establish a legal basis for processing the TC string
The security measures in place to protect the integrity of the consent signal were not sufficient.
As a result, IAB Europe was fined EUR250k. It has to come up with an action plan within the next two months, followed by 6 months to comply from the moment that action plan is validated by the APD.
What does it mean for our customers? And what are the consequences of the decision for publishers and advertisers?
The use of legitimate interest as a legal basis for data processing by organizations participating in the TCF in it current format will be prohibited (at least with respect to behavioral advertising purposes)
Users cannot reasonably give informed consent for hundreds of vendors. Therefore consent, as currently obtained, is not valid
The information currently being provided is not sufficient for users to give informed consent.
What can our clients do while IAB Europe works on its action plan?
Recommended actions for our clients
In order to help you navigate the coming months, our team has put together a list of six recommendations for our clients and partners regarding the APD’s decision. We can only provide recommendations at this point as we are a data processor and it is not our position to dictate the way forward to our customers.
Recommendation 1: Require consent for all TCF vendors and purposes via publisher restrictions
The APD has stated that legitimate interest cannot be a legal basis for the purposes of the TCF. As a consequence, our first recommendation is to use our publisher restrictions feature to filter vendors based on legitimate interest and to only require consent as a legal basis going forward.
Recommendation 2: Evaluate and limit the number of vendors for which consent is collected
The APD states that users cannot reasonably provide informed consent when the number of vendors presented in a single consent notice is too high.
Your list of vendors should be exhaustive and reflect a high level of control of your digital supply chain. To do that, we recommend auditing your list of vendors and identifying which ones are the most important for your business. This can be done using a platform like Agnostik, which provides a unique expertise in assessing vendor identity and behavior.
Note that the APD has not provided a specific number of recommended vendors. We recommend making this list as short as possible (and document how you reached this number). We recommend that you run an analysis to assess what is right from a compliance standpoint taking into consideration the transparency you owe to your users, your business priorities, monetization and overall ad operation constraints.
Recommendation 3: Present the categories of data collected in the CMP text
This recommendation is about clarity. We strongly suggest that you display the categories of data you are collecting on your site, something you can easily implement with our CMP. By specifying the categories of data you collect ("We are collecting contact information and professional data" for example) in your notice, you're communicating with your users in a transparent way.
Most of our clients already do so, but it is worth highlighting as it is explicitly mentioned in the decision.
Recommendation 4: Nest IAB purposes into categories
One of the points highlighted by the APD is that the purposes of the TCF are not clear enough, which could compromise the validity of the consent collected since the end user might not understand what he/she’s accepting.
We suggest nesting purposes into categories in plain language, making it clearer and easier to understand for your users. This is also easily configurable in our platform.
Recommendation 5: Make consent withdrawal easy and accessible
Ineffective consent withdrawal endangers the validity of the consent, as users might not know how to revoke it. Our advice is to make it easy to locate for users, directly available in their user settings or profile.
Recommendation 6: Resurface the CMP notice to your users
Finally, and since the APD decision suggests that all the consent signals collected prior to its decision might be in breach of the GDPR, we recommend resurfacing the CMP notice to your users after all other recommendations have been implemented.
To go into more details about our recommendations regarding the Belgian APD decision, head to our dedicated help center documentation.
Possible future scenarios and how businesses can adapt
In light of the APD decision, we believe that there are two possible scenarios in the near future.
Scenario #1: The TCF, after working with the APD and implementing required improvements, gets accepted.
Scenario #2: Even after implementing the required improvements, the TCF gets rejected by the APD.
Whatever the outcome, we need to have alternative solutions for businesses whose livelihood relies on advertising, either as publishers or advertisers. In light of the decision, advertising via the open RTB is challenging from a compliance standpoint.
To conclude, we’ve listed below some of the best questions asked during the webinar for your reference. For any further questions, please read more in our documentation on the topic and reach out to your account manager if you’re a Didomi customer.
Frequently asked questions
Is it a Belgium-only decision? Should businesses in other European countries also apply the APD decision?
A draft of the decision was initially shared with other DPAs, with the APD receiving comments from two authorities on certain points:
The joint-controllership established by the APD
The use of legitimate interest for certain processing operations
The scope of the corrective measures
The administrative fine and the relationship between IAB Inc. and IAB Europe.
The revised draft was then shared with the other related DPAs, but no further comments were added. This tells us that these other DPAs were aligned with the findings. It is likely that they will take this decision into account to assess any claim going forward.
What is the timeline of the decision?
The APD decision has been appealed. IAB Europe has been granted two months to present a plan to the APD, and an additional six months to implement these changes once the plan is accepted by the APD.
Are there legal risks for me to continue using a CMP integrated with the TCF?
If you do not activate the TCF, you will not be impacted by this decision.
If you do use the TCF through our CMP, we recommend that you look at our recommendations to mitigate the risks.
Didomi and the APD decision
CMPs were called by the APD as joint controllers. What are your views?
We’ve always seen ourselves as a data processor. This is because we do not dictate how our customers should interact with their users. In the future we might eventually change that and see ourselves as a data controller to comply with the APD decision.
What are the impacts of the APD decision on Didomi as a CMP under the TCF?
We are still evaluating the impacts of the decision, but it would appear that the APD takes the stance that CMPs are joint controllers of the consent information (the TC string in this instance). CMPs should therefore establish a legal basis as any controller would.
Are you going to take any actions on your end or make any changes in the CMP?
We've always considered ourselves a data processor. We only support an integration with the TCF, but we do not impose its use.
Ultimately, we do not believe we should impose a view on what compliance means for specific publishers and their audience.
That has been and still is our stance for now. Given the fact that the APD seems to consider that CMPs are also controllers of the consent information however, we may have to change a few things.
It's important for us to communicate transparently with our customers, prospects and partners on big industry news such as this one, but these are still early stages. We will communicate if we decide to make changes to the CMP that would apply to all publishers.
Will Didomi delete personal data collected on the basis of a TC string?
In the decision, the APD is requesting from IAB Europe to delete the data that they have access to in the context of the global scope of the TCF. It is not clear whether it applies to other participants in the framework.
Our position is that our publishers should probably recollect consent, which will act to the effect of erasing the TC string that has been collected previously.
Will the legitimate interest legal basis be removed from Didomi’s CMP?
Reliance on legitimate interest was called out as inadequate by the APD for purposes related to targeted advertising or profiling of users, except non-marketing related purposes such as audience and performance measurement.
As of right now, it is unclear whether the requirement to prohibit the reliance on legitimate interest for the processing of personal data by TCF participants applies to all TCF purposes or only to personalized advertising and profiling.
Until this is clarified, we recommend adding publisher restrictions to impose consent as a legal basis.
The Transparency and Consent Framework (TCF)
Should I disable the TCF on my website?
We don’t necessarily recommend it but it remains an option to turn off the TCF. The risks associated with the APD decision will immediately be cleared but it might also impact a big chunk of your revenue.
Ultimately, this is an assessment which every business should run on their own. But we are here to help you understand the context, give you recommendations, and support your activity, whatever happens in the future. We will keep our customers updated as the situation evolves.
Why do you continue recommending the TCF?
We are not recommending the TCF. We serve as a facilitator for publishers relying on us to implement the TCF structure.
Having said that, we do believe that if the TCF is taken down, users will be left off in a worse position, because the transparency and consent framework was designed to provide more information regarding what’s happening behind the scenes.
It’s probably far from perfect at the moment, but it’s the only tool that exists.
Do you suggest using TCF stacks?
The APD indicated that the TCF language is not clear enough for the users to be able to give informed consents. Stacks can still be used but they should be complemented with more (and clearer), plain-language explanations to users as the stacks themselves are not sufficient to give granular information to the user.
If I don't have any IAB vendors performing advertising (as an audience measurement), am I still impacted?
If you do not have vendors relying on the TCF at all then you are not impacted. You should disable the TCF on your websites/mobile apps/TV apps.
Specific actions and recommendations
What is the maximum number of vendors that should be allowed?
The APD unfortunately does not clearly express how many vendors are too many or how many are acceptable.
It is hard to make a clear recommendation on this and it needs to be evaluated by each website/app/publisher specifically, also as a trade-off with your monetization constraints. For monetization purposes, we see that websites usually perform ideally with around 200 vendors and apps with around 50. 200 is likely to still be too many for the APD although it is hard to be sure.
How to present the categories of data collected in the CMP text?
If you're a Didomi customer, there is a special field in our Console to add text on top of purposes, or you can do as we did: Pushing categories in the first layer of your consent notice, to be as transparent as possible.
Do you suggest removing legitimate interest for all purposes?
No. The APD only targets legitimate interest as a legal base for real-time bidding. We are only talking about the perimeter of the TCF. Legitimate interest for other areas is not in question at the moment.
When it comes to special features of the TCF, consent is always required. With respect to special purposes, legitimate interest is still the only legal basis that’s available in the context of the TCF. Publishers won’t be able to do anything about it for the time being, and it will be on IAB Europe to make changes if required.
Which solution for features, special features and special purposes ?
That's a good question and one that will need to be answered by the IAB Europe in its updates to the TCF.
Special purposes are based on legitimate interest at the moment and the framework does not provide any control over them to CMPs/publishers. Special features and features are based on opt-in (not necessarily consent) and should be acceptable still.
To learn more about Didomi, book a demo with one of our experts: