Are cookie banners compliant with the GDPR under the TCF 2.0 standard? Belgian Data Protection Authority on the IAB “Transparency and Consent Framework”

The online marketing industry association, Interactive Advertising Bureau (IAB) Europe, said in a release on November 5, 2021, that the Belgian Data Protection Authority (APD) has informed them that a draft decision will be adopted in the near future that will conclude IAB Europe’s investigation and its role in the TCF.
This draft arguably identifies breaches of the GDPR by IAB Europe. The central points of the draft are apparently the following:

  1. APD assumes that TCF “TC Strings” are personal data. The “TC Strings” are digital signals created on websites to capture data subjects’ choices about the processing of their personal data for digital advertising, content and measurement.
  2. IAB Europe shall be considered as the controller in this context.
  3. IAB Europe is likely to be considered as a joint controller of “TC Strings” with many other online advertisers in the specific context of OpenRTB. OpenRTB (Real-Time Bidding) is a tracking-based ad system that allows advertisers to buy ad space or ad impressions on publishers’ websites by bidding automatically and in real time when delivering ads.

So far, based on previous guidance from other data protection authorities and the fact that IAB Europe does not process, own or otherwise decide on the use of specific TC Strings, as well as on previous case law, official opinions and its own understanding of the GDPR, IAB Europe says it has assumed not to be a controller in the context of the TCF.
This position can be well argued in the light of the previous benchmarks on the notions of controller and processor, such as those established by the European Data Protection Board (EDPB). The role of the IAB is not directly related to the processing of personal data. Rather, it merely creates and regulates the framework conditions as well as a technical infrastructure for the exchange of the “TC Strings”.
The crucial factor in this matter will be where the line is to be drawn as of when the influence on the data processing is already so great that one can speak of a responsibility for the processing.
Our recommendation:
We will be able to finally answer this question about the impact only once the draft decision has been published and other supervisory authorities have taken a position on it. In any case, there has been a recent trend to increasingly bring as many data processing operations as possible under the umbrella of “joint responsibility” and to extend the “controller” label to more and more use cases.

(UNVERZAGT Rechtsanwälte)