An Unending Data Breach Immune to Audit? Can the TCF and RTB Be Reconciled with the GDPR?

Ryan, Johnny; Santos, Cristiana

doi:10.2139/ssrn.4064729

Download This Paper

Open PDF in Browser

Add Paper to My Library

An Unending Data Breach Immune to Audit? Can the TCF and RTB Be Reconciled with the GDPR?

22 Pages Posted: 29 Mar 2022

See all articles by Johnny Ryan

Johnny Ryan

Irish Council for Civil Liberties; Open Markets Institute

Cristiana Santos

Utrecht University

Date Written: March 23, 2022

Abstract

The majority of Internet advertising is served using a system called Real-Time Bidding (RTB). RTB exposes the personal data of Internet users to large numbers of companies without any means of control over what happens to that data. This is a security problem and is irreconcilable with the European legal requirement that processing of personal data must be secure, accountable, and transparent. For several years the RTB industry used the “Transparency & Consent Framework” (TCF) to provide legal cover. However, in February 2022 European authorities made a landmark decision declaring the use of the TCF for RTB illegal. The TCF’s creator, IAB Europe, was ordered to bring the TCF into compliance with the GDPR by demonstrating that it can account for what happens to TCF data, including in RTB. IAB Europe claims two new initiatives enable it to do so: the “Vendor Compliance Programme” and the “Global Accountability Platform”. We examine both in this paper. Our conclusion is that the use of the TCF for RTB is impossible to monitor, audit, or secure.

Keywords: IAB Europe TCF, Personal data, Real-Time Bidding, GDPR, Compliance, Security, online advertising and tracking

JEL Classification: K29

Suggested Citation: Suggested Citation

Ryan, Johnny and Santos, Cristiana, An Unending Data Breach Immune to Audit? Can the TCF and RTB Be Reconciled with the GDPR? (March 23, 2022). Available at SSRN: https://ssrn.com/abstract=4064729 or http://dx.doi.org/10.2139/ssrn.4064729