The Dutch Data Protection Authority (Dutch DPA) recommends that Dutch websites stop using the IAB framework and other similar tools for tracking users, reports a Dutch newspaper (only in Dutch). The recommendation of the Dutch DPA follows the recent enforcement decision of the Belgian DPA on IAB Europe, an association for the digital marketing and advertising ecosystem.

Decision of the Belgian DPA on IAB Europe

Before discussing the statement of the Dutch DPA, we will first provide a short summary of the Belgian's DPA decision. The Belgian DPA found that IAB Europe's Transparency and Consent Framework (TCF) does not comply with GDPR requirements. The TCF is used for online advertising that is based on real time bidding (RTB), an automated online auction of users' profiles for the sale and purchase of advertising space on the internet. The TCF plays an important role in the RTB system. When users visit a website, the TCF facilitates the capture of the users' preferences that users indicate via a Consent Management Platform (CMP). These preferences are shared with the organisations participating in the RTB system in a so called Transparency and Consent (TC) String to inform these organisations about what a user consented or objected to.

The Belgian DPA ruled that IAB Europe is acting as a data controller when registering individual users' preferences. The Belgian DPA found several violations of the GDPR, including in relation to:

  • Lawfulness - The Belgian DPA concluded that IAB Europe failed to establish a legal basis for the processing of the TC String, and the legal grounds offered by the TCF for the subsequent processing by adtech vendors were deemed inadequate; and
  • Transparency and information of the users - The Belgian DPA concluded that the information provided to users through the CMP interface was too generic and vague to allow users to understand the nature and scope of the processing.

The Belgian DPA imposed a ? 250,000 fine to IAB Europe and gave it two months to present an action plan to bring its activities into compliance.

Statement of the Dutch DPA

The Dutch DPA's recommendation was reported in a Dutch newspaper (only in Dutch). Different than the Belgian DPA, the Dutch DPA did not only focus on the TCF of IAB Europe, but also on websites using the TCF. In short, the Dutch DPA stated that:

  • the IAB framework used for online advertisements violates European privacy legislation;
  • it advises websites to immediately stop using the current method for tracking online visitors and advises publishers to look for an alternative immediately (the Dutch DPA suggests placing ads based on the target group of a website, instead of personalized to individual website users); and
  • it will not give any information on whether it will initiate enforcement actions against websites that use the IAB framework. Enforcement can however not be excluded.

Originally published Hogan Lovells Engage, 8 February 2022.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.