IAB TCF 2.0 “illegal”: The Age of Consent for Affiliate Marketers

The Context

What is GDPR? 

General Data Protection Regulation (GDPR) is the most stringent set of data protection rules to impose limits on how organisations target or collect data relating to people in the EU. The regulation came into effect on May 25, 2018. Although it relates specifically to EU countries and their residents, it can apply to organisations anywhere, so long as they target or collect data from people within the EU.

The regulation was created to harmonise data privacy laws across EU countries and to provide greater protection and rights to individuals. Businesses that do not comply with its standards face potentially large fines and reputational damage.

Who/What is the Belgian ADP?

The Belgian ADP is the Belgian Data Protection Authority (BE ADP), an independent body that ensures businesses comply with the fundamental principles of data protection.

Who/What is the IAB Europe? 

The International Advertising Bureau (IAB Europe) is a global association for digital marketing and advertising. Through collaborative efforts, the IAB works to deliver frameworks, standards and industry programmes that allow businesses to thrive in the European Market.  

What is the Transparency and Consent Framework? 

The Transparency and Consent Framework (TCF) was created by IAB Europe in collaboration with organisations and professionals within the advertising industry. It was introduced primarily to help publishers and technology vendors meet the transparency and user choice requirements of GDPR. [Note: agencies and advertisers are not really covered by TCF 2.0; this is expected to change with a new version (TCF 3.0) currently under discussion at IAB.]

What is a Data Controller? 

The data controller determines the purpose for processing personal data and the means by which it is processed.  

What is a Joint Controller? 

Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers according to Art. 26 GDPR.

The Lowdown

The decision made by the Belgian ADP in February 2022 found that IAB Europe was a (Joint) Controller and can therefore be held responsible for processing data in line with GDPR. This decision follows an investigation into the Transparency and Consent Framework (TCF), which revealed that IAB Europe did not meet several of the requirements derived from GDPR.

First, the Belgian ADP found that IAB Europe has no legal basis for processing the Consent String created when a Consent Management Platform based on TCF 2.0 is used. A sufficient legal basis for transferring this consent string to downstream adtech vendors is also missing:

“The IAB Europe [has] failed to establish a legal basis for the processing of the TC String and offered inadequate legal grounds for the subsequent processing by adtech vendors.”

Second, the IAB was found not to be meeting the range of requirements the GDPR sets out for a Data Controller, including:

  • Data protection by design
  • Maintaining processing registers
  • Appointing a data protection officer
  • Carrying out data protection impact assessments

The phrase “…the prohibition of the use of legitimate interest as a basis for the processing of personal data within the context of the TCF…” is key to the changes outlined in TCF 2.0. As of now the ADP decision is not binding, as IAB Europe has filed an appeal against this administrative ruling and asked for a suspension.

So, what does this mean for the Webgains Network? 

First and foremost, unlike other affiliate networks, we strongly advocate for and implement the use of ‘Consent’ as the legal basis for storing cookies on end users’ devices. It is the responsibility of our advertising merchants to collect consent during the live session on the ecommerce store hosted by the brand advertiser. If consent is not obtained, the tracked session is discarded and no commission is payable to our affiliates. To make the terms clear, the advertising merchant is classed as the Data Controller and Webgains is classed as the Data Processor. The merchant is obliged to collect consent when dropping cookies; Webgains acts only as a processor of that data in the context of user tracking.

The only time we process personal data on the basis of ‘Legitimate Interest’ is when we act as Joint Controllers with certain publishers and advertising merchants. This happens when we process data to fulfil our contractual obligations towards publishers and to assess how the data transfer takes place between the advertising merchant and Webgains, and between Webgains and the publisher. As stated above, we predominantly work on the basis of ‘Consent’ and avoid the use of ‘Legitimate Interest’ wherever possible. Our commitment to ‘Consent’ is further reflected in the IAB Europe TCF vendor list, where our entry’s “legIntPurposes” field is “[]”, signifying that we do not use this basis. This means that, should the IAB amend the TCF, Webgains already meets the criteria required by the Belgian DPA.

In comparison, other affiliate networks use a different method of dropping cookies. Typically, a cookie is already dropped when a user visits the publisher’s page: either the publisher drops the cookie, or the affiliate network does so, acting in the interest of the advertising merchant. This regularly creates a Joint Controllership under Art. 26 GDPR, which in practice is widely ignored by many affiliate networks. Ultimately, the advertising merchant needs to check thoroughly that the consent collected by publishers is in line with GDPR, even when the affiliate marketing network is deemed a controller rather than a processor. This is practically impossible for advertising merchants to organise. Since such networks regularly exclude liability for the activities of their publishers, liability shifts towards the advertising merchant.

All in all, this means that current advertisers and affiliates on the Webgains network can continue working with us without needing to change anything at all. 

How to Discover if a Network is using Legitimate Interest 

Not all AdTech providers, affiliate networks or platforms follow the same approach to the legal basis for data processing as Webgains. To discover an affiliate player’s legal basis, follow the steps below:

  1. Access the TCF vendor list here in a web browser.
  2. Use CTRL-F to open the browser’s search function.
  3. Type in the name, or part of the name, of the company you wish to check (for example, Webgains).
  4. Check the entry next to the parameter marked “legIntPurposes”.
  5. If the box is simply “[]” – as it is for Webgains – then Legitimate Interest is not being used as a data-processing basis.
  6. If the box contains one or more numbers (e.g. “[7]”) then Legitimate Interest is being used, and the company is therefore technically in breach of the recent Belgian DPA ruling. To continue using the TCF, this company will need either to change its processing basis or to stop using the TCF.
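The manual check above can be automated over the whole vendor list. This is an added example, not code from the original post or from IAB Europe; it assumes the Global Vendor List JSON shape (a `vendors` object keyed by vendor id, each entry carrying `name`, `purposes` and `legIntPurposes` arrays), and the vendor ids and names in the embedded sample are constructed, not real entries.

```python
import json

# Constructed sample in the assumed shape of the IAB TCF v2 Global Vendor
# List. Ids, names and purpose numbers are made up for illustration only.
SAMPLE_GVL = json.dumps({
    "gvlSpecificationVersion": 2,
    "vendorListVersion": 123,
    "vendors": {
        "1001": {"id": 1001, "name": "Example Affiliate Network A",
                 "purposes": [1, 7], "legIntPurposes": []},
        "1002": {"id": 1002, "name": "Example AdTech Vendor B",
                 "purposes": [1], "legIntPurposes": [7, 10]},
        "1003": {"id": 1003, "name": "Example Platform C",
                 "purposes": [1, 2], "legIntPurposes": [2]},
    },
})


def audit_vendors(gvl_json, name_query=None):
    """Return one record per vendor whose name contains name_query
    (case-insensitive; every vendor when None), flagging whether the
    vendor declares any purpose under legitimate interest."""
    gvl = json.loads(gvl_json)
    results = []
    for vendor in gvl["vendors"].values():
        name = vendor.get("name", "")
        if name_query and name_query.lower() not in name.lower():
            continue
        leg_int = vendor.get("legIntPurposes", [])  # "[]" means consent only
        results.append({
            "id": vendor["id"],
            "name": name,
            "legIntPurposes": leg_int,
            "uses_legitimate_interest": len(leg_int) > 0,
        })
    return results


def vendors_using_legitimate_interest(gvl_json):
    """Sorted ids of all vendors declaring at least one legIntPurpose."""
    return sorted(r["id"] for r in audit_vendors(gvl_json)
                  if r["uses_legitimate_interest"])


if __name__ == "__main__":
    for rec in audit_vendors(SAMPLE_GVL):
        status = ("uses legitimate interest" if rec["uses_legitimate_interest"]
                  else "consent only")
        print(f'{rec["id"]:>5} {rec["name"]:<30} '
              f'legIntPurposes={rec["legIntPurposes"]} -> {status}')
```

To audit the real list, replace `SAMPLE_GVL` with the contents of the published vendor-list JSON file downloaded from IAB Europe.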

If you discover that the company you are working with, or searching for, is using Legitimate Interest as a basis for data processing, then take the following actions:

  • Speak to your relevant account manager. Ask them where the consent for data processing is being given during the ecommerce session and whether legitimate interest is being used on your behalf to process personal data.  
  • Speak to your legal department as soon as possible for their opinion on the risk assessment given the increasing numbers of legal judgements and fines being imposed.  

Alternatively, if you cannot find the legal basis on which they collect data, you can simply go to their privacy policy, which must by law be available at all times, and look for yourself.

Please note: The TCF vendor list is relevant when a publisher collects consent or wants to rely on ‘Legitimate Interest’ as the legal basis for processing data. It is important to remember that a merchant can implement a Consent Management Platform (CMP) to collect consent for storing cookies and implement TCF 2.0, but this is at their own discretion. To reinforce what is already stated, in Webgains’ case it is the merchant who collects consent for storing cookies on an end user’s device, as the merchant is the controller and Webgains acts as a processor.

Key Takeaways

  • Data controllers are liable for the bulk of the fines and sanctions under the GDPR.
  • Webgains has never used, and will never use, Legitimate Interest as a basis for collecting personal data for the tracking it performs. Advertisers and Publishers on the Webgains network can continue as they are.
  • You can discover which network or player is using Legitimate Interest as a legal basis by checking the TCF vendor list.
  • If you discover a company is using Legitimate Interest to process data (or you are unable to find out), speak to the relevant account manager, check their privacy policy and/or speak to your legal department.
  • In light of the ADP decision, Webgains has developed a safe affiliate marketing platform that avoids uncertainties within the various frameworks, especially where third-party consent is concerned.

Further Reading

The TTDSG Act In Germany: What It Means For You, Webgains And The Affiliate Marketing Industry. Read now to stay abreast of the recent changes.