What is new about IAB TCF: GVL changes and Action Plan of IAB TCF to the Belgian DPA Decision

On 1st April 2022, IAB Europe submitted the action plan required by the Belgian Data Protection Authority (APD)’s decision on IAB Europe and the Transparency & Consent Framework (TCF) for the next 6 months.

Background

On 02 February 2022, The Belgian DPA APD has issued its decision in connection with its investigation of IAB Europe. The decision confirms the finding that IAB Europe is a data controller of the TC String, which the APD considers to be personal data. A number of remedies are imposed, including a fine of EUR 250K.

On the same day, IAB Europe issued a statement: APD Ruling Clears Way For Work on Developing TCF into a Formal GDPR Code of Conduct: IAB Europe Statement on the APD Decision Announced.

"The TCF has not been banned, as the complainants had sought in their original complaints and throughout the proceedings. It remains the industry’s most important instrument for ensuring compliance with certain requirements of EU privacy and data protection law in connection with the delivery and measurement of digital advertising, which is why the APD decision requires us to develop and execute the action plan." - IAB Europe.

"APD ruling clears way for work on developing TCF into a formal GDPR Code of Conduct: IAB Europe statement on the APD decision announced today" - IAB Europe.

On 04 March 2022, IAB Europe published: IAB Europe Appeals Belgian Data Protection Authority Ruling.

New IAB TCF Action Plans for the Belgian DPA

On 1st April 2022, IAB Europe submitted the action plan required by the Belgian Data Protection Authority (APD)’s decision on IAB Europe and the Transparency & Consent Framework (TCF) for the next 6 months. The key points are:

• Deletion of TC Strings established in the “global-scope” context, a functionality of the TCF deprecated in June 2021;
• Determining of a legal basis for the processing of TC Strings by IAB Europe and TCF participants;
• Removal of legitimate interest as a legal basis for TCF Purposes relating to profiling and targeted advertising;
• Setting stronger data protection-related requirements for CMP user interfaces (UIs);
• Providing for technical and organisational monitoring measures to guarantee the integrity and confidentiality of TC Strings and improvements to the auditing of TCF participants.

Once the action plan has been reviewed and validated by the APD and concerned supervisory authorities, IAB Europe will have six months to implement it.

Other changes at IAB TCF

IAB Vendors are required to submit more info by 14th July 2022:

• Full legal entity address;
• Business-to-business contact details;
• Territorial scope - the EU/EEA/EFTA/UK jurisdictions where the vendor operates in the context of its TCF registration. Note that this is different from the place of establishment;
• Environment – environment(s) where the vendor operates such as web, mobile apps, CTV apps;
• Type of service – Vendor’s type of service(s) such as SSP, DSP, DMP;
• International transfer – indication if the vendor transfers data outside EU/EEA;

As a certified IAB TCF CMP, UniConsent CMP will update according to the new requirements from IAB TCF and IAB EU. UniConsent keeps updating based on all the upcoming changes and you don't have to worry about complying with the new changes at IAB TCF.

About UniConsent

UniConsent is a part of Transfon User Experience Platform serve tens of millions of users per day to provide a seamless experience for both users and publishers in the age of post GDPR. Behind Transfon, it is a group of performance and user experience experts. Contact us to know more: hello@uniconsent.com

References

• Belgian DPA Decision of 2nd February
• APD Ruling Clears Way For Work on Developing TCF into a Formal GDPR Code of Conduct: IAB Europe Statement on the APD Decision Announced Today
• Belgian DPA (“APD”) Decision on IAB Europe and the TCF: IAB Europe Submits Action Plan, A Key Milestone in the Process
• Belgian Data Protection Authority (APD)’s administrative ruling