Purposes in IAB Europe’s TCF: Which Legal Basis and How Are They Used by Advertisers? (original) (raw)

Abstract

The General Data Protection Regulation (GDPR), Data Protection Authorities (DPAs) and the European Data Protection Board (EDPB) discuss purposes for data processing and the legal bases upon which data controllers can rely on: either “consent” or “legitimate interests”. We study the purposes defined in IAB Europe’s Transparency and Consent Framework (TCF) and their usage by advertisers. We analyze the purposes with regard to the legal requirements for defining them lawfully, and suggest that several of them might not be specific or explicit enough to be compliant. Arguably, a large portion thereof requires consent, even though the TCF allows advertisers to declare them under the legitimate interests basis. Finally, we measure the declaration of purposes by all advertisers registered in the TCF versions 1.1. and 2.0 and show that hundreds of them do not operate under a legal basis that could be considered compliant under the GDPR .

C. Matte and C. Santos—Co-first authors listed in alphabetical order.

Similar content being viewed by others

Notes

    1. In our work, the denomination of “cookies” covers all tracking technologies.
    1. We do not study the legal bases of purposes declared by publishers in this paper.

References

  1. AP (Dutch DPA), Standard explanation of the basis of the legitimate interest
    Google Scholar
  2. Article 29 Working Party, EDPB opinion 4/2007 on the concept of personal data (WP136). Accessed 20 July 2007
    Google Scholar
  3. Article 29 Working Party, Guidelines on automated individual decision-making and profiling for the purposes of regulation 2016/679 (WP251 rev.01)
    Google Scholar
  4. Article 29 Working Party, Opinion 03/2013 on purpose limitation (WP203)
    Google Scholar
  5. Article 29 Working Party, Opinion 04/2012 on cookie consent exemption (WP 194). Accessed 7 June 2012
    Google Scholar
  6. Article 29 Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller under article 7 of directive 95/46/EC (WP217)
    Google Scholar
  7. Article 29 Working Party, Working document 02/2013 providing guidance on obtaining consent for cookies
    Google Scholar
  8. Article 29 Working Party, Opinion 13/2011 on Geolocation services on smart mobile devices (WP 185) (2011). Accessed 16 May 2011
    Google Scholar
  9. Article 29 Working Party, Guidelines on Consent under Regulation 2016/679 (wp259rev.01) (2016)
    Google Scholar
  10. Article 29 Working Party, Guidelines on transparency under Regulation 2016/679 (WP260 rev.01) (2018). Accessed 11 April 2018
    Google Scholar
  11. Attachments to the paper (dropbox repository). https://www.dropbox.com/sh/0g1qlsaatc8yplz/AACAaFLJNrwRH3eWRmGm_zqsa?dl=0
  12. BfDI (German DPA), Guidance from German authorities for telemedia providers
    Google Scholar
  13. Centre for Information Policy Leadership, CIPL examples of legitimate interest grounds for processing of personal data
    Google Scholar
  14. CNIL, Décision n MED 2018–042 du 30 octobre 2018 mettant en demeure la société VECTAURY (2018)
    Google Scholar
  15. Décision n MED 2018–042, Délibération n 2019–093 du 4 juillet 2019 portant adoption de lignes directrices relatives à l’application de l’article 82 de la loi du 6 janvier 1978 modifiée aux opérations de lecture ou écriture dans le terminal d’un utilisateur (notamment aux cookies et autres traceurs) (rectificatif) (2019)
    Google Scholar
  16. Decision of the conference of independent data protection supervisors of the federal and state governments - 07.11.20191, Datenshutzkonferenz
    Google Scholar
  17. Degeling, M., Utz, C., Lentzsch, C., Hosseini, H., Schaub, F., Holz, T.: We value your privacy... now take some cookies: measuring the GDPR’s impact on web privacy. In: Network and Distributed System Security Symposium (NDSS) (2019)
    Google Scholar
  18. Judgement of the court of justice of the EU, Case c-673/17
    Google Scholar
  19. Directive 2009/136/ec of the european parliament and of the council of 25 november 2009 amending directive 2002/22/ec on universal service and users’ rights relating to electronic communications networks and services
    Google Scholar
  20. Judgment of the court (second chamber) of 4 May 2017, Case C-13/16
    Google Scholar
  21. European Data Protection Board (EDPB), Guidelines 2/2019 on the processing of personal data under article 6(1)(b) gdpr in the context of the provision of online services to data subjects
    Google Scholar
  22. European Data Protection Board (EDPB), Guidelines on consent under regulation 2016/679 (wp259 rev.01). Accessed 10 April 2018
    Google Scholar
  23. European Parliament, the Council and the Commission, Charter of Fundamental Rights of the European Union, Official Journal of the European Communities, 18 December 2000 (2000/C 364/01)
    Google Scholar
  24. Forbrukerrådet, Out of control - how consumers are exploited by the online advertising industry (2020)
    Google Scholar
  25. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (2016)
    Google Scholar
  26. IAB Europe, IAB europe transparency & consent framework policies. https://iabeurope.eu/wp-content/uploads/2019/08/IABEurope_TransparencyConsentFramework_v1-1_policy_FINAL.pdf. Accessed 20 Nov 2019
  27. IAB Europe transparency & consent framework policies, IAB Europe transparency & consent framework policies. https://iabeurope.eu/wp-content/uploads/2019/08/TransparencyConsentFramework_PoliciesVersion_TCFv2-0_2019-08-21.3_FINAL-1-1.pdf. Accessed 21 Jan 2020
  28. IAB Europe transparency & consent framework policies, Transparency and consent framework (2018). https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework
  29. IAB Europe transparency & consent framework policies, Transparency and consent framework (v2), August 2019. https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/tree/master/TCFv2
  30. IAB Europe transparency & consent framework policies, Dates you need to know for the TCF V2.0 switchover (2020). https://iabeurope.eu/tcf-2/dates-you-need-to-know-for-the-tcf-v2-0-switchover/
  31. IAB Europe and IAB Tech Lab, Global vendor list (GVL, v1.1, version 183), January 2020. https://vendorlist.consensu.org/v-183/vendorlist.json
  32. IAB Europe and IAB Tech Lab, Global vendor list (GVL, v2.0, version 20), January 2020 .https://vendorlist.consensu.org/v2/archives/vendor-list-v20.json
  33. IAB Tech Lab and IAB Europe, Transparency and consent string with global vendor & CMP list formats, December 2019. https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IAB%20Tech%20Lab%20-%20Consent%20string%20and%20vendor%20list%20formats%20v2.md#the-core-string
  34. ICO, ICO report into adtech and real time bidding. Accessed 20 June 2019
    Google Scholar
  35. ICO report into adtech and real time bidding, Lawful basis for processing legitimate interests (2018)
    Google Scholar
  36. ICO report into adtech and real time bidding, Guidance on the use of cookies and similar technologies, July 2019
    Google Scholar
  37. Koops, B.-J.: The (in) flexibility of techno-regulation and the case of purpose-binding. Legisprudence 5(2), 171–194 (2011)
    Article Google Scholar
  38. Matte, C., Bielova, N., Santos, C.: Do cookie banners respect my choice? measuring legal compliance of banners from IAB Europe’s transparency and consent framework. In: IEEE Symposium on Security and Privacy (IEEE S&P 2020) (2020)
    Google Scholar
  39. Nouwens, M., Liccardi, I., Veale, M., Karger, D., Kagal, L.: Dark patterns after the GDPR: scraping consent pop-ups and demonstrating their influence. In: Conference on Human Factors in Computing Systems (CHI 2020) (2020)
    Google Scholar
  40. Panoptykon Foundation, Panoptykon files complaints against Google and IAB Europe (2019). https://en.panoptykon.org/complaints-Google-IAB
  41. Ryan, J.: French regulator shows deep flaws in IAB’s consent framework and RTB (2018). https://brave.com/cnil-consent-rtb/. Accessed 28 Mar 2019
  42. French regulator shows deep flaws in IAB’s consent framework and RTB, Regulatory complaint concerning massive, web-wide data breach by google and other “ad tech” companies under europe’s gdpr (2018). https://brave.com/adtech-data-breach-complaint/. Accessed 02 May 2020
  43. French regulator shows deep flaws in IAB’s consent framework and RTB, Brave answers us senators questions on privacy and antitrust (2019). https://brave.com/senate-qrfs-june2019/. Accessed 02 May 2020
  44. Santos, C., Bielova, N., Matte, C.: Are cookie banners indeed compliant with the law? deciphering eu legal requirements on consent and technical means to verify compliance of cookie banners, ArXiv, vol. abs/1912.07144 (2019)
    Google Scholar
  45. von Grafenstein, M.: The Principle of Purpose Limitation in Data Protection Laws: The Risk-Based Approach, Principles, and Private Standards as Elements for Regulating Innovation, 1st edn. Nomos Verlagsgesellschaft mbH (2018)
    Google Scholar

Download references

Acknowledgements

We thank Johnny Ryan for his comments on the analysis of the purposes. We thank anonymous reviewers of APF 2020 for their useful feedback. This work has been partially supported by ANR JCJC project PrivaWeb (ANR-18-CE39-0008), ANSWER project PIA FSN2 No. P159564-2661789/DOS0060094 between Inria and Qwant, and by the Inria DATA4US Exploratory Action project.

Author information

Authors and Affiliations

  1. Inria, Paris, France
    Célestin Matte, Cristiana Santos & Nataliia Bielova
  2. Université Côte d’Azur, Nice, France
    Cristiana Santos

Authors

  1. Célestin Matte
    You can also search for this author inPubMed Google Scholar
  2. Cristiana Santos
    You can also search for this author inPubMed Google Scholar
  3. Nataliia Bielova
    You can also search for this author inPubMed Google Scholar

Corresponding author

Correspondence toCélestin Matte .

Editor information

Editors and Affiliations

  1. University of Porto, Porto, Portugal
    Luís Antunes
  2. LUMSA University, Rome, Italy
    Maurizio Naldi
  3. LUISS, Rome, Italy
    Giuseppe F. Italiano
  4. Goethe University Frankfurt, Frankfurt am Main, Germany
    Kai Rannenberg
  5. ENISA, Athens, Greece
    Prokopios Drogkaris

Appendices

A Evolution of the Number of Advertisers

We leverage the fact that all versions of the Global Vendor List of the TCF are public and dated – we can therefore display the evolution of the number of registered advertisers (vendors) in Fig. 4. We observe a fast increase in the first three months following the release of IAB Europe’s TCF in April 2018 (one month before GDPR came in force in the EU), followed by a slow increase until March 2020. Version 2.0 was announced in August 2019 and is supposed to operate alongside version 1.1 until the end of March 2020. The increase in registered advertisers is far from being as fast as for the release of version 1.1, and as of January 16\(^\mathrm{th}\) 2020, only 92 advertisers are registered, compared to 574 for version 1.1. This is surprising if we consider that advertisers do not have to pay the registration fee a second time to register for version 2.0.

Fig. 4.

figure 4

Evolution of the number of registered advertisers in the IAB Europe’s Global Vendor List between May 2018 and March 2020.

Full size image

B Attachments

We report several lists of advertisers collected in this work in a publicly available repository [[11](#ref-CR11 "Attachments to the paper (dropbox repository). https://www.dropbox.com/sh/0g1qlsaatc8yplz/AACAaFLJNrwRH3eWRmGm_zqsa?dl=0

")]:

This analysis has been done for the Global Vendor List for TCF v1.1 (version 183) [[31](#ref-CR31 "IAB Europe and IAB Tech Lab, Global vendor list (GVL, v1.1, version 183), January 2020. https://vendorlist.consensu.org/v-183/vendorlist.json

")].

C Purposes, Features, Special Purposes and Special Features of TCF v2

We present definitions of the following notions as quotations from the TCF v2’s policy [[27](#ref-CR27 "IAB Europe transparency & consent framework policies, IAB Europe transparency & consent framework policies. https://iabeurope.eu/wp-content/uploads/2019/08/TransparencyConsentFramework_PoliciesVersion_TCFv2-0_2019-08-21.3_FINAL-1-1.pdf

. Accessed 21 Jan 2020")]:

Rights and permissions

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Matte, C., Santos, C., Bielova, N. (2020). Purposes in IAB Europe’s TCF: Which Legal Basis and How Are They Used by Advertisers?. In: Antunes, L., Naldi, M., Italiano, G., Rannenberg, K., Drogkaris, P. (eds) Privacy Technologies and Policy. APF 2020. Lecture Notes in Computer Science(), vol 12121. Springer, Cham. https://doi.org/10.1007/978-3-030-55196-4\_10

Download citation

Publish with us