Complianz is an IAB registered Consent Management Platform (CMP). This means we can offer a possibility to our premium users to show advertisements on their website with the help of the IAB Europe’s Transparency & Consent Framework (TCF), the most widely-used advertising industry framework in Europe and the US. In February 2022, the Belgian Data Protection Authority (DPA) issued its final decision on using the framework.
What does it mean for TCF?
Contrary to some misleading headlines in the media, the decision contains no prohibition for website publishers or CMP’s such as Complianz to use the Transparency & Consent Framework further. The IAB Europe has been given two months to present an action plan to the DPA and then six months to fix the purported infringements. This means TCF will stay in use for the coming months. We expect an update from IAB at the end of March to see what changes are needed, with a deadline somewhere in September 2022.
What does it mean for you?
The decision, however, contains two action points that indeed are relevant for the users of Complianz CMP:
1. Legitimate Interest is not allowed as legal basis
the establishment of a valid legal basis for the processing and dissemination of users’ preferences within the context of the TCF, as well as the prohibition of the use of legitimate interest as a basis for the processing of personal data by organisations participating in the TCF
This among other things, means that the legal basis of “consent” can not be used if one or more purposes for which consent is being asked are prechecked. The decision also means that the legal basis of “Legitimate interest” is no longer allowed.
Therefore, IAB should ask the advertising industry to stop using that legal basis (Legitimate Interest) and delete all the personal data they received under those legal bases. We will update Complianz soon to disable all legitimate purposes before a users consents.
2. Transparency & Consent Framework
the information provided to users through the CMP interface is too generic and vague to allow users to understand the nature and scope of the processing, especially given the complexity of the TCF. Therefore it is difficult for users to maintain control over their personal data;
This concerns the fact that most CMP’s only provide a one layer banner which is not only too complicated but also doesn’t prove enough information about, for example, the TCF data processing, the parties that data is being shared with, and the rights that visitors have based upon the GDPR.
In Complianz, we use our banner as the first layer and a cookie policy as the second layer. In that cookie policy, we describe, among other things, the rights a visitor has under the GDPR. We also hyperlink to the descriptions of the TCF Cookies and other technologies on cookiedatabase.org, which is more information than described by the IAB guidelines.
The IAB has been ordered by the DPA to come up with solutions to harmonize how the information will be presented to visitors. In the meantime, we are looking into ways to give even more information to the visitors to be sure that our autogenerated cookie policy and privacy statement remains compliant with the GDPR, as it is today.
Stay up-to-date
The legal team of Complianz is monitoring the situation very closely. We are aware that some DPAs such as the Dutch Autoriteit Persoonsgegevens, wrongfully have interpreted the decision of the Belgian DPA into an order to stop using TCF immediately. If you are in any way insecure about further use of TCF, we suggest you disable the use of TCF in our wizard until further notice from us, from IAB or the Belgian DPA.
You will be updated automatically if any action is required.