Blog Series: What you always wanted to know about the Transparency & Consent Framework (TCF) / Part 4
On September 25th, we held a 2.5-hour long webinar providing a Complete Overview of the IAB Europe Transparency & Consent Framework. As is usually the case, we had many interested attendees who were keen on learning more. While we usually do our best to make these as interactive as possible, we were simply overwhelmed with questions and had to skip over quite a few to be able to remain on schedule. For this reason, we have decided to answer the questions in a series of blogs. This is the fourth and penultimate blog in the series, dealing with questions about the policies of the IAB Europe Transparency & Consent Framework.
How does the IAB Europe Transparency & Consent Framework support cross-publisher consent? What happens when a user consents to a vendor on one publisher, but doesn’t give consent for that same vendor on another publisher’s site?
The IAB Europe Transparency & Consent Framework’s policies do allow for the gaining of support across multiple publishers, which is called ‘global consent’ in the policies of the Framework. Server-specific (meaning for a particular site) disclosures and consent take priority over global consent. If a user makes a global consent choice first, and then later makes a service-specific choice, the service-specific choice will determine a user’s consent status for that service.
This means that for the second question, the consent that hasn’t been given on the other publisher’s site would take precedence over the first publisher’s site, because it is both more recent and more specific. The Consent Management Provider (CMP) has a duty to resolve any conflicts of this kind.
Do the companies collecting data on the basis of a legitimate interest also have to be called by name, i.e. in the privacy policy?
We believe that in order for processing of personal data to be lawful, the user must know who is processing their data and for what purpose.
Putting this information only in a privacy policy that the user is not directed to in the first instance runs the risk of not being considered a proper disclosure by data protection authorities. It would be more appropriate to surface this information in a CMP interface.
I’d like to understand what are the 6 co-equal legal bases [of the GDPR]? It wasn’t clear in the presentation
The GDPR provides for six co-equal legal bases which are enumerated in Article 6(1). The six legal bases are, in order:
- The data subject gives their consent to the data processing.
- Processing that is necessary to perform a contract that the data subject is party to, or it is necessary to provide pre-contractual information requested by the data subject. For example, an online shop processing payment information and a home address of the data subject to receive payment and to deliver the goods.
- Processing that is necessary to comply with a legal obligation. For example, maintaining records of whether you have a legal basis to process personal data is in itself processing of personal data, but it is justified because the law requires this processing.
- Processing necessary to protect the vital interests of the data subject. The common example is processing medical data for an unconscious person – they are unable to give explicit consent, but it is in their vital interest that a doctor gets access to it.
- Processing necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller. This speaks to law enforcement.
- Processing necessary for the purposes of a legitimate interest pursued by the controller or a third party. This is the ‘legitimate interest’ legal basis, which requires a balancing test conducted by the controller. The legitimate interest must be balanced against the individual’s rights and freedoms, so it has to be justified by the controller. Any legal goal pursued by a controller could qualify according to case law (these interests may not be pre-defined) and the GDPR calls out direct marketing as an example of a legitimate interest.
Would you say consent to cookies provided by users using the IAB Europe Transparency & Consent Framework equals that provided by a user when using its web browser? E.g., yes to all cookies, no to third parties, etc.
The IAB Europe Transparency & Consent Framework allows users to express their consent, or lack thereof, granularly to (a) the setting of cookies under the rules of the ePrivacy Directive; (b) the processing of their personal data for each of the purposes standardized by the framework; by (c) specific Vendors setting cookies and/or processing personal data. It is therefore significantly more granular than an “all or nothing” approach. defined purposes
Is there a complete definition of how IAB Europe has interpreted the 5 purposes?
The current five data processing purposes are fully defined in the Transparency & Consent Framework Policies, and expanded on in the FAQs document. The descriptions used represent the standardized interpretation of the current processing purposes. These five purposes were defined by IAB Europe in conjunction with our members as part of the launch of the Framework.
As part of a large update to the Transparency & Consent Framework, we are working with our industry partners to define more granular and ‘user-friendly’ purposes.
There appear to be a few growing pains with the initiative. A fair percentage of “consents” are obtained via pre-checked boxes and/or are binary (i.e., yes/no without listing the types of parties). What do you see as the path towards raising the bar on consents overall? Timeline?
It is complicated to define where to ‘set the bar’ on gathering of consent, due to different approaches by different data protection authorities in Europe. While the GDPR is clear in what it requires for valid consent (an affirmative action, freely given, specific, and informed), there is still room for interpretation by data protection authorities on what each of these factors requires. An affirmative action may in some markets constitute scrolling down after being served a consent notice, whereas others require an obvious yes/no choice to be presented. Authorities may also have different interpretations of when consent is considered freely given, and what level of granularity is considered specific enough.
Due to these differences, the IAB Europe Transparency & Consent Framework leaves freedom for publishers and their CMPs to interpret how best to adapt their interface to their relevant market(s). In terms of specificity of purposes, the Framework draws a very clear baseline of requiring proper disclosure of the relevant defined purposes.
In future, it is foreseeable that a more precise legal understanding will be developed through interpretations from judicial bodies. An EU-wide understanding is only likely to arise from a judgment at the Court of Justice of the European Union. If a clear standard is developed, then the Framework will be adapted if necessary to uphold this.