Dutch DPA takes position on online tracking, advises companies to immediately stop using IAB framework

Decision of the Belgian DPA on IAB Europe

Before discussing the statement of the Dutch DPA, we will first provide a short summary of the Belgian's DPA decision. The Belgian DPA found that IAB Europe’s Transparency and Consent Framework (TCF) does not comply with GDPR requirements. The TCF is used for online advertising that is based on real time bidding (RTB), an automated online auction of users’ profiles for the sale and purchase of advertising space on the internet. The TCF plays an important role in the RTB system. When users visit a website, the TCF facilitates the capture of the users' preferences that users indicate via a Consent Management Platform (CMP). These preferences are shared with the organisations participating in the RTB system in a so called Transparency and Consent (TC) String to inform these organisations about what a user consented or objected to.

The Belgian DPA ruled that IAB Europe is acting as a data controller when registering individual users’ preferences. The Belgian DPA found several violations of the GDPR, including in relation to:

• Lawfulness – The Belgian DPA concluded that IAB Europe failed to establish a legal basis for the processing of the TC String, and the legal grounds offered by the TCF for the subsequent processing by adtech vendors were deemed inadequate; and
• Transparency and information of the users – The Belgian DPA concluded that the information provided to users through the CMP interface was too generic and vague to allow users to understand the nature and scope of the processing.

The Belgian DPA imposed a € 250,000 fine to IAB Europe and gave it two months to present an action plan to bring its activities into compliance.

Statement of the Dutch DPA

The Dutch DPA’s recommendation was reported in a Dutch newspaper (only in Dutch). Different than the Belgian DPA, the Dutch DPA did not only focus on the TCF of IAB Europe, but also on websites using the TCF. In short, the Dutch DPA stated that:

• the IAB framework used for online advertisements violates European privacy legislation;
• it advises websites to immediately stop using the current method for tracking online visitors and advises publishers to look for an alternative immediately (the Dutch DPA suggests placing ads based on the target group of a website, instead of personalized to individual website users); and
• it will not give any information on whether it will initiate enforcement actions against websites that use the IAB framework. Enforcement can however not be excluded.

Next Steps

Please reach out to us for more information on these developments and reasonable steps for companies to take at this moment.

Authored by Chantal van Dam and Fenneke Buskermolen.