An Unending Data Breach Immune to Audit? Can the TCF and RTB Be Reconciled with the GDPR?
22 Pages Posted: 29 Mar 2022
Date Written: March 23, 2022
The majority of Internet advertising is served using a system called Real-Time Bidding (RTB). RTB exposes the personal data of Internet users to large numbers of companies without any means of control over what happens to that data. This is a security problem and is irreconcilable with the European legal requirement that processing of personal data must be secure, accountable, and transparent. For several years the RTB industry used the “Transparency & Consent Framework” (TCF) to provide legal cover. However, in February 2022 European authorities made a landmark decision declaring the use of the TCF for RTB illegal. The TCF’s creator, IAB Europe, was ordered to bring the TCF into compliance with the GDPR by demonstrating that it can account for what happens to TCF data, including in RTB. IAB Europe claims two new initiatives enable it to do so: the “Vendor Compliance Programme” and the “Global Accountability Platform”. We examine both in this paper. Our conclusion is that the use of the TCF for RTB is impossible to monitor, audit, or secure.
Keywords: IAB Europe TCF, Personal data, Real-Time Bidding, GDPR, Compliance, Security, online advertising and tracking
JEL Classification: K29
Suggested Citation: Suggested Citation