IAB Transparency & Consent Framework does not meet GDRP requirements for transparency or consent

Oliver Brown
— This upcoming video may not be available to view yet.

I posted a while ago about a technical standard that was being used for consent gathering on websites and in apps known as the “Transparency & Consent Framework” by IAB Europe.

Well, the Belgian Data Protection Agency (the Belgian organization responsible for enforcing the GDPR) has fined IAB Europe €250,000 because the TCF “fails to comply with a number of provisions of the GDPR”.

I don’t know whether fining IAB Europe is the correct choice, as they themselves claim they aren’t a data controller and only provide guidance (and a spec) for other companies to use. But the fine itself is not really what is going to be turn out important. The judgement requires:

all recipients of the personal data processed in the TCF . . . to permanently delete all TC Strings and other personal data already processed in the TCF from all IT systems, files and data carriers.

One piece of irony - if you search for articles about this you will find they are nearly all protected by consent dialogs based on TCF.

Here is the full judgement in English.