The TCF decision and the future of digital advertising

The advertising industry faces significant pressure from regulators, legislators, and the public to reform its use of individuals’ personal data. As such, now is the time for industry players to understand their involvement in digital advertising, takes steps to mitigate compliance risks, and make themselves part of the conversation about the future of the industry.

AWO has been assisting clients at the forefront of legal and public policy debates around digital advertising. We have acted in ground-breaking legal cases on programmatic advertising, which have highlighted the significant data protection risks it poses. We are also currently conducting pioneering research on future policy responses to digital advertising for, among others, the European Commission.

Regulatory response to digital advertising

Digital advertising is a $500 billion industry with forecast growth of more than 10% in 2022. However, there are significant changes afoot in digital advertising as regulators increasingly scrutinise third-party data tracking and systems like Real Time-Bidding (“RTB”), which underpin programmatic advertising.

This month, the Belgian data protection authority (“ADP”) found that the system that underpins RTB is in breach of the EU General Data Protection Regulation (“GDPR”).

When the GDPR came into force in 2018, many outside (and within) the advertising industry noted that the lack of transparency and absence of user control over data flows in RTB appeared to be in direct tension with the Regulation. Some even predicted that the end of programmatic advertising was nigh.

Despite these warnings, programmatic advertising spend grew by 70% in the following years, leading some to question warnings about non-compliance. This month’s ruling by the ADP, however, confirms that while regulatory enforcement may take time to catch up with new technologies, the data protection concerns raised were valid.

AWO’s role

AWO has first-hand knowledge of these developments. In September 2018, AWO was instructed to consider the legality of RTB and draft complaints to data protection regulators. Our legal analysis focused regulators’ attention on specific actors in the RTB system who established the rules and frameworks underpinning the system. We argued that those actors have a responsibility for ensuring that individuals’ data rights are adequately protected as those individual’s data is transmitted (through multiple intermediaries) between large numbers of sellers and purchasers of advertising space.

The ADP relied on AWO’s submissions when analysing the legal enabling framework of ‘OpenRTB’ (one of the major RTB systems), the Transparency & Consent Framework (the ‘TCF’), which was developed by IAB Europe, a consortium of organisations involved in digital advertising. In its investigation, the ADP exposed several flaws in the TCF which it says appear difficult to reconcile with fundamental data protection principles such as transparency, fairness, and lawfulness. These principles, the ADP noted, are undermined by the “large number of third parties i.e. ad tech vendors that will potentially receive and process the personal data of the users contained in the bid request.” (p. 100) In other words, the scale of data sharing that is engineered into RTB results in a fundamental tension with data protection norms.

The ADP’s findings

The ADP’s findings are complex; we summarise them below:

The TCF – a purported legalising framework for OpenRTB – is unlawful under the GDPR.

This is because the operational mechanism of the TCF, through the TC String, whose purpose is to identify individuals, involves the processing of personal data. That processing is not GDPR-compliant. Two of the main deficiencies are:

• Whereas the GDPR requires that entities to have a specific lawful basis for processing personal data, no lawful basis was identified for the TCF. Neither consent nor legitimate interests would be an appropriate lawful basis, given the nature of the processing.
• The TCF’s security and safeguards were insufficient because no measures were in place to prevent actors from falsifying or ignoring the content of TC Strings.

Given the nature of ADP’s detailed concerns with the TCF, it is difficult to see how it could be regularised in practice. Therefore, the broader processing for OpenRTB does not rest on a legally solid foundation as the transparency and consent measures put in place to make OpenRTB GDPR-compliant are not effective in their current form.

The ADP found that IAB Europe is a joint controller for the processing of personal data through the TCF, jointly with various other TCF participants. The DPA also set out how it would approach the issue of controllership of the broader OpenRTB processing. Although not core to the binding decision, it found IAB Europe to be a joint controller of at least some of that broader processing. This was because IAB not only (i) practically enabled that further processing but also (ii) played a central role in setting the rules for that further processing on an ongoing basis, in a purported effort to ensure GDPR compliance.

The DPA also considered the lawfulness of the broader OpenRTB processing, finding it potentially deficient in some key respects:

• Insufficient information is provided to users about the nature and extent of the processing involved in OpenRTB. As well as breaching transparency requirements, this also means that consent from individual data subjects cannot be relied upon as a lawful basis as such consent will not be sufficiently “informed” to meet the conditions in the GDPR.
• Whereas the GDPR requires a genuine legitimate interests balancing exercise to carried out in respect of processing conducted under the legitimate interest legal basis, none is conducted in respect of processing in the RTB chain. In any event, the extent to which data subjects’ information was shared to facilitate open bidding meant the processing was not capable of being within their reasonable expectations.
• IAB Europe provides no accountability in respect of the processing across the OpenRTB chain. It fails to keep records, audit, or enforce compliance with its own system. This is particularly relevant as the GDPR requires these accountability measures and the express aim of IAB Europe’s TCF system is to make OpenRTB GDPR-compliant.

These findings are applicable across the Union because the ADP acted as the lead supervisory authority and other data protection authorities have approved its decision through the GDPR’s cooperation mechanism.

IAB Europe has been fined and given six months to try remedy the issues with the TCF and OpenRTB systems, bringing them into compliance with the GDPR. This – and an appeal – mean that legal implications for other actors in the RTB system are not necessarily immediate. However, the ADP may have left IAB Europe with a set of “impossible asks.” Indeed, many of the deficiencies in the TCF flow directly from the structure and market logic of real-time bidding. For example:

• the practical tension of providing meaningful transparency to end-users where large numbers of participants may process their data (including by combining it with other data sourced from brokers) renders the provision of meaningful transparency almost impossible;
• the difficulty of meaningfully balancing the various legitimate interests of large numbers of RTB participants with the rights and freedoms of data subjects prevents participants from relying on this legal basis;
• the tension between the need for specific and informed consent, as well as the capacity to provide ease of withdrawal of consent means consent is unlikely to be appropriate basis for processing; and
• It would be highly impractical and costly of for IAB Europe and/or other joint controllers to audit compliance and provide for the exercise of data subjects’ rights in relation to the system as a whole.

Thus:

• It is doubtful whether the TCF/OpenRTB system can be brought into compliance without reform so fundamental as to change its economic structure; and
• Other RTB systems following a similar market logic may be open to challenge on similar grounds.

The decision represents an expansive approach to where joint controllership might arise in the OpenRTB system. This may run counter to how actors engaged in RTB have hitherto understood their roles, and in the medium-term raises the prospect of liability for unlawful processing for advertisers and publishers as well as exchanges, CMPs and other intermediaries. In particular, the GDPR introduces joint and several liability for all actors where an individual suffers damage. As a result, any actor on the chain can be responsible for “all the damage” caused by processing that infringes of the GDPR.

A new future: from unrestrained broadcasts to individual rights and control

In parallel with regulatory action and legal challenges, legislators are also looking at how to restrict the use of personal data in advertising. For example, the European Parliament recently proposed a ban on the use of sensitive data and children’s data for digital advertising.

Furthermore, a new bill introduced in the US last month proposes to limit the use of personal data for advertising purposes. And in China, new rules came into effect at the end of 2021 that require consent to use people’s data for advertising purposes. Therefore, many of the same issues that RTB faces in Europe may resurface in other jurisdictions.

At the same time, the technical data collection methods that underpin RTB are set to change significantly in the coming months and years. Google plans to block third-party companies from tracking individuals on Android phones and Google Chrome. These plans have created waves in the advertising industry. Similar privacy changes made by Apple last year led to outcry amongst ad tech firms, with Facebook claiming to have lost $10 billion in ad revenue as a result.

Critics question whether Apple and Google’s motivations are genuinely about privacy or more about squeezing out ad industry competitors. Some publishers, fearing that ad spend will now flow towards large online platforms that have big stores of first-party data, have launched legal actions against Google in Germany, UK and at the EU-level.

Policymakers are looking carefully at the competition balance in the digital advertising market too. The European Commission launched an investigation into possible anticompetitive conduct by Google last year, and in the US Google is fighting claims by regulators that it unlawfully acquired and maintained monopoly power in various parts of the digital advertising market. The upcoming EU Digital Markets Act promises to restrict the combination of data across different services owned by the same digital ‘gatekeeper’, which may limit Google’s ability to profit from its unrivalled access to first-party data in the future.

However, while some fear that enforcement of data rights may lead to large online platforms gaining a monopoly of access to the data needed to attract advertising revenue, others are looking towards a new approach. A new European Commission study, led by AWO, aims to look at ways to safeguard individual privacy and “support the evolution of a more balanced online advertising ecosystem.” It plans to look at how to incentivise the adoption of alternative advertising models which do not rely on tracking, profiling, and sharing data with multiple third parties. This could open up a broader dialogue about the wider digital economy and the role of advertising within it.

The European Commission’s new Directive on ‘corporate sustainability due diligence’ also promises to foster ‘responsible corporate behaviour’ by anchoring human rights in companies’ operations and ensuring that businesses address adverse impacts in their value chains. If this approach were to be applied to digital marketing practices, this could open up another avenue for companies to be held accountable for privacy violations and incentivise companies to take a more pro-active approach to compliance.

Calls for reform are now coming from all sides: civil society, academics, policymakers have been investigating and calling out unlawful and unethical practices in digital advertising for many years. The industry itself is also deeply critical of existing practices, with the world’s biggest advertiser describing the market as “murky at best, fraudulent at worst” and cutting millions of dollars of “largely ineffective” ad spend as a result.

Getting the right advice

The ADP’s decisions shows that participants in digital advertising are likely to be carrying a significant amount of legal risk, and that some industry practices conflict with data protection principles too much to continue working in their current form. Companies should treat advice that they can continue with ‘business as usual’ with some scepticism. Indeed, the industry is already changing, with major players leading a debate about how to build resilient, effective, and privacy-respecting approaches to delivering digital advertising in the future.

AWO understands the shift that is taking place because we have worked first-hand on some of the legal challenges driving it. We are also part of the research and policy debates that are looking at how the industry can respond. Those involved in the digital advertising ecosystem have much to gain by getting the right advice on how to actively manage their legal risk and make themselves part of the building the future of advertising.