The EU has ruled that the TCF breaches GDPR. But the findings go far beyond the IAB. The ruling effectively declares that there is no lawful basis for processing consumer data in RTB - and there is no easy fix.

On 2 February, EU data protection authorities identified multiple GDPR breaches in the IAB Europe’s Transparency & Consent Framework (TCF).

But this is about much more than the IAB and the TCF.

The complaint against IAB Europe was cleverly constructed to allow the Belgian regulator to pass judgment on a limited case while considering the entire scope of the realtime bidding (RTB) system.

The EU regulator has ruled that RTB, in its current guise, has insolvable issues. There is currently no lawful basis for adtech vendors to process consumer data in RTB.

Below, we describe three conclusions that will have the most significant impact.


Legitimate Interest is not a lawful basis for processing

The latest version of the TCF allowed for ‘legitimate interest’ to be used as a legal basis processing personal information from consumers. The opt-out for this consent was generally hidden behind a different tab in CMP UIs, making it unlikely to be found, resulting in consumer data being shared across adtech without transparency.

For a UK audience, this should come as no surprise. In 2019, the ICO stated that, “the nature of the processing within RTB makes it impossible to meet the legitimate interests lawful basis requirements.” The UK regulator reiterated this point in 2021, specifically commenting on the TCF.

The EU’s ruling states that legitimate interest may not be used for advertising in RTB and demands that the practice ceases within two months. CMPs and publishers will need to change their interfaces and adtech vendors will not be able to rely on consent that has been gained in this way.


CMPs cannot provide sufficient consent for consumer data to be shared into the programmatic system

The most fundamental outcome from the ruling is simply that the current consent system is inadequate. There is no lawful basis for adtech companies to process consumer data in the current programmatic system

For consumer data to be processed legally, practically one of two conditions must be met: either there must be a legitimate interest, or “informed consent” must be given by the consumer. We have already seen that the first of these has been disallowed.

Adtech fundamentally relies on the second of these – with “informed consent” being collected from consumers through the use of CMPs on publisher websites. The ruling from the EU clearly rules that this process is not adequate.

The ruling gives myriad reasons why CMPs do not, and cannot, achieve the required standard of “informed consent”. Here are a few of those:

  • Consent collected is “insufficiently free, specific, informed and unambiguous”;
  • Processing purposes are not sufficiently clearly described;
  • CMPs provide little or no insight into the scope, nature or length of the processing;
  • Categories of data are not accurately described, making it impossible for users to give their informed consent;
  • The future enrichment of the data in RTB by almost limitless adtech vendors is so byzantine a consumer can never fully be informed;
  • Consent cannot be withdrawn by users as easily as it was given; and
  • No measure is provided to ensure that adtech vendors cannot continue their processing after consent is withdrawn.

It is hard to conceive of a CMP interface that could rectify these failings with the RTB system as it currently stands.

There is no easy fix – fundamental change is required

So, it is clear that both legitimate interest and informed consent are incompatible with RTB in its current form.

There is simply no getting around this.

It is common to find commentary that suggests that the remedies would be so dramatic that they would break adtech and therefore cannot be reasonable. Or, similarly, that the only compliant option is to revert to the dumbest form of contextual advertising.

These arguments make a very fundamental flaw. The law does not exist to support the incumbent business models of an industry that has knowingly transgressed GDPR for years. Rather, this is the moment of reckoning and the industry needs to clean up its act and comply.

So, it’s back to dumb contextual then?

No; that would be unimaginative – especially for an industry that prides itself on innovation.

There are new technologies and new approaches that can power all the required advertising functions with compliance. The sell-side can operate with straightforward consent and can drive targeting, measurement, reporting and optimization. We’ll blog more on the alternatives next week.


What next?

The IAB has welcomed the clarity from the ruling and looks forward to refining the TCF. They have been given two months to make immediate remedies and to produce an action plan for the remaining remedies. Those remaining remedies must be fixed within six months.

But this is not all about the IAB. The ruling has made it clear that the industry cannot simply wait on the IAB’s action plan.

The EU has made a clear judgment that there is no lawful basis for processing consumers’ personal data in RTB as it stands. While we are here, we should remember that the scope of ‘personal data’ is broad. IP addresses are unequivocally classed as personal data, as are cookies and all of the universal ID systems.

Every company in the industry has direct obligations and will need to take action. One of those – strikingly – is that every adtech company will have to consider the legal basis of personal data that it has collected historically. The Irish Council for Civil Liberties (ICCL), who brought the case, have stated that, “All data collected through the TCF must now be deleted …

All companies will now need to react, update their DPIAs going forward or face very significant compliance risk.


The full finding is here:

And the ICCL has written an excellent summary, here:


Back to News
Back to News