The Interactive Advertising Bureau (IAB)’s Transparency and Consent Framework (TCF) emerged as a response to the General Data Protection Regulation (GDPR), aiming to simplify compliance in digital advertising. However, it’s been the subject of controversy and criticism, particularly from data protection authorities, and its future is unclear – it’s been found non-compliant with the GDPR, though there is no current deadline set for the framework to come into compliance.

It’s important to note that the IAB is not a government body, and its framework is not a regulation. On the contrary, they exist to serve the interests of the media and marketing industry. Their own website’s Our Story section makes that very clear:

The Interactive Advertising Bureau (IAB) empowers the media and marketing industries to thrive in the digital economy. Its membership comprises more than 700 leading media companies, brands, agencies, and technology firms responsible for selling, delivering, and optimizing digital ad marketing campaigns. The trade group fields critical research on interactive advertising, while also educating brands, agencies, and the wider business community on the importance of digital marketing. In affiliation with the IAB Tech Lab, IAB develops technical standards and solutions. IAB is committed to professional development and elevating the knowledge, skills, expertise, and diversity of the workforce across the industry. Through the work of its public policy office in Washington, D.C., the trade association advocates for its members. It promotes the value of the interactive advertising industry to legislators and policymakers. Founded in 1996, IAB is headquartered in New York City.

The IAB Global Network brings together a total of 45 IAB organizations, including three regional organizations, to share challenges, develop global solutions, and advance the digital advertising industry worldwide. IABs are located in North America, South America, Africa, Asia, Asia Pacific and Europe. Each association is independently owned and operated, functioning under bylaws consonant with local market needs.

Note that the TCF is developed by the IAB Europe, an independent non-profit arm of the association.

Based on the team’s current understanding

Related Reading

1. https://www.dataprotectionauthority.be/citizen/iab-europe-held-responsible-for-a-mechanism-that-infringes-the-gdpr
2. https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/belgian-tcf-ruling-is-it-game-over-for-the-tcf
3. https://www.iab.com/our-story/

What Is The IAB Transparency & Consent Framework?

The IAB Transparency & Consent Framework (TCF) is an open-standard technical solution that allows websites, advertisers, and ad agencies to obtain, manage, and update consumer consent for web pages. 

Why Was The TCF Created?

Initially, the TCF was envisioned as a tool to streamline GDPR compliance for advertisers and publishers. It was meant to ensure a seamless flow of advertisements while respecting user privacy. This initiative represented the industry’s attempt to adapt to the stringent requirements of the GDPR, trying to balance the need for data-driven advertising with privacy concerns.

Rising Criticisms and Belgian DPA Decision

The framework soon came under scrutiny. In a landmark decision, the Belgian Data Protection Authority (DPA) identified significant GDPR compliance failures within the TCF. These included inadequate user information, failure to establish a valid legal basis for processing TC Strings, and a lack of security in the TCF protocol. The Belgian DPA’s decision, which reflects the majority view of the Data Protection Authorities in the European Economic Area, questioned the framework’s ability to safeguard user privacy in the complex digital advertising ecosystem.

Here’s a quote from the Belgian (BE) DPA:

Contrary to IAB Europe’s claims, the Litigation Chamber of the BE DPA found that IAB Europe is acting as a data controller concerning the registration of individual users’ consent signal, objections, and preferences using a unique Transparency and Consent (TC) String, which is linked to an identifiable user. This means that IAB Europe can be held responsible for possible violations of the GDPR.

The BE DPA identified a series of GDPR infringements by IAB Europe :

• Lawfulness: IAB Europe failed to establish a legal basis for the processing of the TC String, and the legal grounds offered by the TCF for the subsequent processing by ad tech vendors are inadequate;
• Transparency and information of the users: the information provided to users through the CMP interface is too generic and vague to allow users to understand the nature and scope of the processing, especially given the complexity of the TCF. Therefore it is difficult for users to maintain control over their personal data;
• Accountability, security, and data protection by design/by default: In the absence of organizational and technical measures in accordance with the principle of data protection by design and by default, including to ensure the effective exercise of data subject rights as well as to monitor the validity and integrity of the users’ choices, the conformity of the TCF with the GDPR is not adequately warranted nor demonstrated;
• Other obligations pertaining to a controller processing personal data on a large scale: IAB Europe has failed to keep a register of processing activities, to appoint a DPO, and to conduct a “DPIA” (data protection impact assessment).

Related Reading

1. https://sourcepoint.com/blog/faq-updates-on-the-belgian-dpas-investigation-of-the-iabs-tcf/
2. https://www.onetrust.com/blog/belgian-dpa-iab-europe-tcf-case/
3. https://www.natlawreview.com/article/eu-supervisory-authorities-led-belgian-dpa-find-iab-europe-s-tcf-infringes-eu-data
4. https://www.dataprotectionauthority.be/citizen/iab-europe-held-responsible-for-a-mechanism-that-infringes-the-gdpr
5. https://techcrunch.com/2022/02/02/iab-tcf-gdpr-breaches/
6. https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/belgian-tcf-ruling-is-it-game-over-for-the-tcf 
7. https://iabtechlab.com/blog/summary-of-technical-changes-tcf-v2-2/ 

What Are Google’s New CMP Requirements?

What Do Google’s New CMP Requirements Mean For Me?

Amidst these controversies, Google introduced an additional layer of complexity by mandating secondary certifications for Consent Management Platforms (CMPs) for customers using certain ad-serving products. The new Google CMP Certification builds on top of the IAB TCF CMP certification. This move can be interpreted as Google’s effort to strike a balance between compliance and business interests in a rapidly evolving regulatory landscape, and is reportedly not a direct reaction to any decision against Google. But it does coincide with TCF 2.2, and represents a big win for that framework, at least in terms of industry buy-in, even after the Belgian DPA’s decision.

Uncertain Future

The appeal against the Belgian DPA’s decision and the subsequent suspension of the implementation of the action plan adds to the uncertainty surrounding the TCF’s future​​​​. The outcomes of these appeals are pivotal, as they will significantly influence the direction and effectiveness of the TCF in regulating digital advertising practices.

Related Reading

1. https://sourcepoint.com/blog/faq-updates-on-the-belgian-dpas-investigation-of-the-iabs-tcf/
2. https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/belgian-tcf-ruling-is-it-game-over-for-the-tcf 

Conclusion

The TCF was conceptualized as a solution to the challenges posed by GDPR in the advertising world. However, the decision by the Belgian DPA raises serious questions about its viability and effectiveness. As the digital advertising landscape continues to evolve, so too must the frameworks and regulations that govern it.

Tealium’s Position

Our approach to consent management is fundamentally different from the TCF’s – generally speaking, we block tags and connector actions when a consent signal is required but not present. On the other hand, the TCF, like Google Consent Mode, fires tracking signals regardless of consent, by either sending a signal to each vendor explaining if/how they’re allowed to process the data (the TCF string), or sending ‘anonymous’ data to a different endpoint with doesn’t set cookies (in the case of Google’s products operating under Consent Mode). Learn more about how Consent Mode works here.

Tealium has no plans to participate in the IAB TCF as a vendor, nor to offer a Google Certified CMP.  We will, of course, continue to support both ‘basic’ and ‘advanced’ Google Consent Mode in relevant products, to support our customers who decide that’s the right approach for their business.

We will continue to position ourselves as our customers’ enforcement and activation partner, helping ensure their users’ consent decisions are respected regardless how they’re captured. We will continue to offer a self-contained solution for simple consent management use cases, but our focus and area of primary investment moving forward is to support the best-in-breed Consent Manager Platforms (CMPs) through Consent Integrations while continuing to offer a simple capture option for customers with simple needs or limited resources. 

All Tealium products aspire to provide our customers the control and flexibility to easily implement the tags/solutions that fit their specific needs, and consent is no exception. We will continue to provide the critical enforcement layer, and to make it easy for customers to change their CMP or consent approach as the market evolves, including shifting to a Google Certified CMP and/or IAB TCF 2.2 CMP if that’s right for their business today.