Belgian regulator takes aim at cookie banner
This decision may have a significant impact on thousands of companies across Europe: the Belgian data protection supervisory authority has taken aim at cookie banners and recently published a notice imposing a fine of 250,000 euros on IAB (Interactive Advertising Bureau) Europe.
But first things first. IAB Europe has developed the Transparency & Consent Framework (TCF 2.0). It specifies how consent management platforms, which users see as cookie banners, must work on websites. This procedure ensures that the consents generated there are also implemented correctly. The whole process has now been deemed inadmissible by the Belgian regulator – IAB Europe is based in Brussels.
Procedure violates the GDPR in several respects
Belgian data protection officials believe that IAB’s TCF 2.0 violates the GDPR in several respects. First, there was no sufficient legal basis for data processing under TCF 2.0. In addition, the information about data processing in a consent management platform is not sufficiently transparent. The authority further cites accountability violations and has uncovered several internal deficiencies at the IAB.
Until now, IAB Europe assumed that it had no data protection responsibility for TCF 2.0, since only a process agreed with the members was specified. IAB Europe now has two months to submit a plan to address the identified deficiencies. In addition, those responsible are currently examining their legal options for challenging this decision by the Belgian supervisory authority. At the same time, IAB Europe is cooperating with the Belgian supervisory authority to develop a solution that complies with data protection regulations.
Significant relevance for online marketing
Online marketing relies on the reliable generation of consent to access information on the user’s device. However, the shortcomings identified by the Belgian data protection supervisory authority are not the only ones in TCF 2.0. Just before Christmas, the Norwegian data protection supervisory authority also identified data protection violations in the use of TCF 2.0 for generating consent and imposed a fine of approximately 6.5 million euros. Also, not all online marketing stakeholders are adequately covered by TCF 2.0. Therefore, IAB Europe should make the necessary adjustments to TCF 2.0 as quickly as possible so that there is legal certainty for companies in online marketing. Without reliable framework conditions, online marketing cannot develop further. It is important for companies to continue to monitor these developments and to make any resulting adjustments in a timely manner.