{"id":16380,"date":"2022-03-31T11:28:10","date_gmt":"2022-03-31T11:28:10","guid":{"rendered":"https:\/\/www.webgains.com\/public\/?p=16380"},"modified":"2022-03-31T14:05:21","modified_gmt":"2022-03-31T14:05:21","slug":"iab-tcf-2-0-illegal-the-age-of-consent-for-affiliate-marketers","status":"publish","type":"post","link":"https:\/\/www.webgains.com\/public\/en\/iab-tcf-2-0-illegal-the-age-of-consent-for-affiliate-marketers\/","title":{"rendered":"IAB TCF 2.0 \u201cillegal\u201d: The Age of Consent for Affiliate Marketers"},"content":{"rendered":"\n
<\/div>
\u201cThere is a general ambivalence of the Affiliate Industry to how personal data is collected. Perhaps it\u2019s because despite all the scare stories since GDPR was brought into play in 2018, nothing much has changed in practice. Yes, we now have pop-up consent boxes where there were previously none, but the players in the market are playing the same game. With recent updates concerning TCF and rulings against legitimate interest instead of consent as a legal basis for processing personal data, maybe now times are (finally) changing. \u201c<\/em>\u202f\u00a0<\/div><\/div>
\"\"\/<\/div><\/div>
Richard Dennys<\/span>CEO of Webgains Ltd<\/span><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div>\n\n\n\n
<\/div>\n\n\n\n

The Context<\/strong><\/h2>\n\n\n\n
<\/div>\n\n\n\n

What is GDPR? <\/h4>\n\n\n\n

General Data Protection Regulation (GDPR<\/a>) is the toughest and most stringent set of data protection rules to impose limits on how organisations target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. Though it relates specifically to EU countries and its individuals, it can apply to organisations anywhere, so long as they target or collect data from people within the EU.  <\/p>\n\n\n\n

The regulation was created to harmonise data privacy laws across EU countries, as well as providing greater protection and rights to individuals. Should businesses not comply with the set of standards, there is potential for large fines and reputational damage.  <\/p>\n\n\n\n

Who\/What is the Belgian ADP  <\/h4>\n\n\n\n

The Belgian ADP stands for the Belgium Data Protection Authority (BE ADP<\/a>). This independent body ensures that businesses comply with the fundamental principles of data protection.   <\/p>\n\n\n\n

Who\/What is the IAB Europe? <\/h4>\n\n\n\n

The International Advertising Bureau (IAB Europe<\/a>) is a global association for digital marketing and advertising. Through collaborative efforts, the IAB works to deliver frameworks, standards and industry programmes that allow businesses to thrive in the European Market.  <\/p>\n\n\n\n

What is the Transparency and Consent Framework? <\/h4>\n\n\n\n

The Transparency and Consent Framework (TCF<\/a>) was created by IAB Europe in collaboration with organisations and professionals within the advertising industry. It was introduced to help primarily publishers, technology vendors meet the transparency and user choice requirements under GDPR. [explanation: agencies and advertisers are not really covered by TCF 2.0; this will be the case with a new version (TCF 3.0) which is discussed at IAB]  <\/p>\n\n\n\n

What is a Data Controller? <\/h4>\n\n\n\n

The data controller determines the purpose for processing personal data and the means by which it is processed.  <\/p>\n\n\n\n

What is a Joint Controller? <\/h4>\n\n\n\n

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers according to Art. 26 GDRP.  <\/p>\n\n\n\n

<\/div>\n\n\n\n

The Lowdown<\/strong><\/h2>\n\n\n\n

The decision<\/a> made by the Belgian ADP in February 2022 found that the IAB Europe was a (Joint) Controller, and therefore can be held responsible for the processing of data in-line with GDPR. This decision follows an investigation into the Transparency and Consent Framework (TCF), where it was revealed that the IAB Europe did not meet several of the requirements derived from GDPR.  <\/p>\n\n\n\n

First, the Belgian ADP found that IAB Europe has no legal basis for processing the Consent String created when using a Consent Management Platform based on TCF 2.0. Also a sufficient legal basis for a transfer of this consent string to subsequent adtech vendors is missing: <\/p>\n\n\n\n

\u201cThe IAB Europe [has] failed to establish a legal basis for the processing of the TC String and offered inadequate legal grounds for the subsequent processing by adtech vendors.\u201d<\/em><\/p>\n\n\n\n

Second, the IAB were found not to be following the range of requirements by the GDPR set out for a Data Controller such as: <\/p>\n\n\n\n