Skip to main content
SpringerLink
Log in

Purposes in IAB Europe’s TCF: Which Legal Basis and How Are They Used by Advertisers?

  • Conference paper
  • First Online:
Privacy Technologies and Policy (APF 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12121))

Included in the following conference series:

Abstract

The General Data Protection Regulation (GDPR), Data Protection Authorities (DPAs) and the European Data Protection Board (EDPB) discuss purposes for data processing and the legal bases upon which data controllers can rely on: either “consent” or “legitimate interests”. We study the purposes defined in IAB Europe’s Transparency and Consent Framework (TCF) and their usage by advertisers. We analyze the purposes with regard to the legal requirements for defining them lawfully, and suggest that several of them might not be specific or explicit enough to be compliant. Arguably, a large portion thereof requires consent, even though the TCF allows advertisers to declare them under the legitimate interests basis. Finally, we measure the declaration of purposes by all advertisers registered in the TCF versions 1.1. and 2.0 and show that hundreds of them do not operate under a legal basis that could be considered compliant under the GDPR .

C. Matte and C. Santos—Co-first authors listed in alphabetical order.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://support.google.com/admob/answer/9461778, accessed on 2020.02.05.

  2. 2.

    In our work, the denomination of “cookies” covers all tracking technologies.

  3. 3.

    We do not study the legal bases of purposes declared by publishers in this paper.

References

  1. AP (Dutch DPA), Standard explanation of the basis of the legitimate interest

    Google Scholar 

  2. Article 29 Working Party, EDPB opinion 4/2007 on the concept of personal data (WP136). Accessed 20 July 2007

    Google Scholar 

  3. Article 29 Working Party, Guidelines on automated individual decision-making and profiling for the purposes of regulation 2016/679 (WP251 rev.01)

    Google Scholar 

  4. Article 29 Working Party, Opinion 03/2013 on purpose limitation (WP203)

    Google Scholar 

  5. Article 29 Working Party, Opinion 04/2012 on cookie consent exemption (WP 194). Accessed 7 June 2012

    Google Scholar 

  6. Article 29 Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller under article 7 of directive 95/46/EC (WP217)

    Google Scholar 

  7. Article 29 Working Party, Working document 02/2013 providing guidance on obtaining consent for cookies

    Google Scholar 

  8. Article 29 Working Party, Opinion 13/2011 on Geolocation services on smart mobile devices (WP 185) (2011). Accessed 16 May 2011

    Google Scholar 

  9. Article 29 Working Party, Guidelines on Consent under Regulation 2016/679 (wp259rev.01) (2016)

    Google Scholar 

  10. Article 29 Working Party, Guidelines on transparency under Regulation 2016/679 (WP260 rev.01) (2018). Accessed 11 April 2018

    Google Scholar 

  11. Attachments to the paper (dropbox repository). https://www.dropbox.com/sh/0g1qlsaatc8yplz/AACAaFLJNrwRH3eWRmGm_zqsa?dl=0

  12. BfDI (German DPA), Guidance from German authorities for telemedia providers

    Google Scholar 

  13. Centre for Information Policy Leadership, CIPL examples of legitimate interest grounds for processing of personal data

    Google Scholar 

  14. CNIL, Décision n MED 2018–042 du 30 octobre 2018 mettant en demeure la société VECTAURY (2018)

    Google Scholar 

  15. Décision n MED 2018–042, Délibération n 2019–093 du 4 juillet 2019 portant adoption de lignes directrices relatives à l’application de l’article 82 de la loi du 6 janvier 1978 modifiée aux opérations de lecture ou écriture dans le terminal d’un utilisateur (notamment aux cookies et autres traceurs) (rectificatif) (2019)

    Google Scholar 

  16. Decision of the conference of independent data protection supervisors of the federal and state governments - 07.11.20191, Datenshutzkonferenz

    Google Scholar 

  17. Degeling, M., Utz, C., Lentzsch, C., Hosseini, H., Schaub, F., Holz, T.: We value your privacy... now take some cookies: measuring the GDPR’s impact on web privacy. In: Network and Distributed System Security Symposium (NDSS) (2019)

    Google Scholar 

  18. Judgement of the court of justice of the EU, Case c-673/17

    Google Scholar 

  19. Directive 2009/136/ec of the european parliament and of the council of 25 november 2009 amending directive 2002/22/ec on universal service and users’ rights relating to electronic communications networks and services

    Google Scholar 

  20. Judgment of the court (second chamber) of 4 May 2017, Case C-13/16

    Google Scholar 

  21. European Data Protection Board (EDPB), Guidelines 2/2019 on the processing of personal data under article 6(1)(b) gdpr in the context of the provision of online services to data subjects

    Google Scholar 

  22. European Data Protection Board (EDPB), Guidelines on consent under regulation 2016/679 (wp259 rev.01). Accessed 10 April 2018

    Google Scholar 

  23. European Parliament, the Council and the Commission, Charter of Fundamental Rights of the European Union, Official Journal of the European Communities, 18 December 2000 (2000/C 364/01)

    Google Scholar 

  24. Forbrukerrådet, Out of control - how consumers are exploited by the online advertising industry (2020)

    Google Scholar 

  25. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (2016)

    Google Scholar 

  26. IAB Europe, IAB europe transparency & consent framework policies. https://iabeurope.eu/wp-content/uploads/2019/08/IABEurope_TransparencyConsentFramework_v1-1_policy_FINAL.pdf. Accessed 20 Nov 2019

  27. IAB Europe transparency & consent framework policies, IAB Europe transparency & consent framework policies. https://iabeurope.eu/wp-content/uploads/2019/08/TransparencyConsentFramework_PoliciesVersion_TCFv2-0_2019-08-21.3_FINAL-1-1.pdf. Accessed 21 Jan 2020

  28. IAB Europe transparency & consent framework policies, Transparency and consent framework (2018). https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework

  29. IAB Europe transparency & consent framework policies, Transparency and consent framework (v2), August 2019. https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/tree/master/TCFv2

  30. IAB Europe transparency & consent framework policies, Dates you need to know for the TCF V2.0 switchover (2020). https://iabeurope.eu/tcf-2/dates-you-need-to-know-for-the-tcf-v2-0-switchover/

  31. IAB Europe and IAB Tech Lab, Global vendor list (GVL, v1.1, version 183), January 2020. https://vendorlist.consensu.org/v-183/vendorlist.json

  32. IAB Europe and IAB Tech Lab, Global vendor list (GVL, v2.0, version 20), January 2020 .https://vendorlist.consensu.org/v2/archives/vendor-list-v20.json

  33. IAB Tech Lab and IAB Europe, Transparency and consent string with global vendor & CMP list formats, December 2019. https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IAB%20Tech%20Lab%20-%20Consent%20string%20and%20vendor%20list%20formats%20v2.md#the-core-string

  34. ICO, ICO report into adtech and real time bidding. Accessed 20 June 2019

    Google Scholar 

  35. ICO report into adtech and real time bidding, Lawful basis for processing legitimate interests (2018)

    Google Scholar 

  36. ICO report into adtech and real time bidding, Guidance on the use of cookies and similar technologies, July 2019

    Google Scholar 

  37. Koops, B.-J.: The (in) flexibility of techno-regulation and the case of purpose-binding. Legisprudence 5(2), 171–194 (2011)

    Article  Google Scholar 

  38. Matte, C., Bielova, N., Santos, C.: Do cookie banners respect my choice? measuring legal compliance of banners from IAB Europe’s transparency and consent framework. In: IEEE Symposium on Security and Privacy (IEEE S&P 2020) (2020)

    Google Scholar 

  39. Nouwens, M., Liccardi, I., Veale, M., Karger, D., Kagal, L.: Dark patterns after the GDPR: scraping consent pop-ups and demonstrating their influence. In: Conference on Human Factors in Computing Systems (CHI 2020) (2020)

    Google Scholar 

  40. Panoptykon Foundation, Panoptykon files complaints against Google and IAB Europe (2019). https://en.panoptykon.org/complaints-Google-IAB

  41. Ryan, J.: French regulator shows deep flaws in IAB’s consent framework and RTB (2018). https://brave.com/cnil-consent-rtb/. Accessed 28 Mar 2019

  42. French regulator shows deep flaws in IAB’s consent framework and RTB, Regulatory complaint concerning massive, web-wide data breach by google and other “ad tech” companies under europe’s gdpr (2018). https://brave.com/adtech-data-breach-complaint/. Accessed 02 May 2020

  43. French regulator shows deep flaws in IAB’s consent framework and RTB, Brave answers us senators questions on privacy and antitrust (2019). https://brave.com/senate-qrfs-june2019/. Accessed 02 May 2020

  44. Santos, C., Bielova, N., Matte, C.: Are cookie banners indeed compliant with the law? deciphering eu legal requirements on consent and technical means to verify compliance of cookie banners, ArXiv, vol. abs/1912.07144 (2019)

    Google Scholar 

  45. von Grafenstein, M.: The Principle of Purpose Limitation in Data Protection Laws: The Risk-Based Approach, Principles, and Private Standards as Elements for Regulating Innovation, 1st edn. Nomos Verlagsgesellschaft mbH (2018)

    Google Scholar 

Download references

Acknowledgements

We thank Johnny Ryan for his comments on the analysis of the purposes. We thank anonymous reviewers of APF 2020 for their useful feedback. This work has been partially supported by ANR JCJC project PrivaWeb (ANR-18-CE39-0008), ANSWER project PIA FSN2 No. P159564-2661789/DOS0060094 between Inria and Qwant, and by the Inria DATA4US Exploratory Action project.

Author information

Authors and Affiliations

  1. Inria, Paris, France

    Célestin Matte, Cristiana Santos & Nataliia Bielova

  2. Université Côte d’Azur, Nice, France

    Cristiana Santos

Authors
  1. Célestin Matte
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Cristiana Santos
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Nataliia Bielova
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Célestin Matte .

Editor information

Editors and Affiliations

  1. University of Porto, Porto, Portugal

    Luís Antunes

  2. LUMSA University, Rome, Italy

    Maurizio Naldi

  3. LUISS, Rome, Italy

    Giuseppe F. Italiano

  4. Goethe University Frankfurt, Frankfurt am Main, Germany

    Kai Rannenberg

  5. ENISA, Athens, Greece

    Prokopios Drogkaris

Appendices

A Evolution of the Number of Advertisers

We leverage the fact that all versions of the Global Vendor List of the TCF are public and dated – we can therefore display the evolution of the number of registered advertisers (vendors) in Fig. 4. We observe a fast increase in the first three months following the release of IAB Europe’s TCF in April 2018 (one month before GDPR came in force in the EU), followed by a slow increase until March 2020. Version 2.0 was announced in August 2019 and is supposed to operate alongside version 1.1 until the end of March 2020. The increase in registered advertisers is far from being as fast as for the release of version 1.1, and as of January 16\(^\mathrm{th}\) 2020, only 92 advertisers are registered, compared to 574 for version 1.1. This is surprising if we consider that advertisers do not have to pay the registration fee a second time to register for version 2.0.

Fig. 4.
figure 4

Evolution of the number of registered advertisers in the IAB Europe’s Global Vendor List between May 2018 and March 2020.

Full size image

B Attachments

We report several lists of advertisers collected in this work in a publicly available repository  [11]:

  • the list of 377 advertisers declaring that they use features,

  • the list of 118 advertisers declaring that they use all features,

  • the list of 267 advertisers declaring that they use legitimate interests,

  • the list of 111 advertisers using only legitimate interests,

  • the list of 308 advertisers using consent only.

This analysis has been done for the Global Vendor List for TCF v1.1 (version 183)  [31].

C Purposes, Features, Special Purposes and Special Features of TCF v2

We present definitions of the following notions as quotations from the TCF v2’s policy  [27]:

  • “Purpose means one of the defined purposes for processing of data, including users’ personal data, by participants in the Framework that are defined in the Policies or the Specifications for which Vendors declare a Legal Basis in the GVL and for which the user is given choice, i.e. to consent or to object depending on the Legal Basis for the processing, by a CMP”

  • “Special Purpose means one of the defined purposes for processing of data, including users’ personal data, by participants in the Framework that are defined in the Policies or the Specifications for which Vendors declare a Legal Basis in the GVL and for which the user is not given choice by a CMP.”

  • “Feature means one of the features of processing personal data used by participants in the Framework that are defined in the Policies or the Specifications used in pursuit of one or several Purposes for which the user is not given choice separately to the choice afforded regarding the Purposes for which they are used”

  • “Special Feature means one of the features of processing personal data used by participants in the Framework that are defined in the Policies or the Specifications used in pursuit of one or several Purposes for which the user is given the choice to opt-in separately from the choice afforded regarding the Purposes which they support.”

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Matte, C., Santos, C., Bielova, N. (2020). Purposes in IAB Europe’s TCF: Which Legal Basis and How Are They Used by Advertisers?. In: Antunes, L., Naldi, M., Italiano, G., Rannenberg, K., Drogkaris, P. (eds) Privacy Technologies and Policy. APF 2020. Lecture Notes in Computer Science(), vol 12121. Springer, Cham. https://doi.org/10.1007/978-3-030-55196-4_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-55196-4_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-55195-7

  • Online ISBN: 978-3-030-55196-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation