Vendor Compliance in the TCF: What It Is and What It Isn’t
In a note published last week, the Irish Council of Civil Liberties (ICCL) criticised IAB Europe’s efforts to monitor adtech vendors’ compliance with their commitments under the Transparency & Consent Framework (TCF). In particular, it called out IAB Europe’s “inability to audit what 1000+ companies that use TCF do with personal data”, and concluded that transparency and control “cannot be established”.
Presumably, the above reasoning explains why, according to the ICCL, data-driven advertising should be banned and any industry compliance initiative should itself be immediately discredited and prohibited. In other words, since it is impossible to guarantee absolute compliance, it would be better to do nothing. If one were to apply the same reasoning, by analogy, to national data protection authorities (DPAs) – responsible for enforcing data protection rules – then these should all just close shop in light of their inability to continuously audit all data processing everywhere.
Luckily, both DPAs and IAB Europe take a somewhat less defeatist attitude to compliance and enforcement. And while IAB Europe is in no way a DPA, nor does it have the same powers as a DPA, it continuously strives to improve its monitoring and auditing capabilities in the context of the TCF.
As a reminder, the TCF is a voluntary standard that companies which serve, measure and manage digital, including personalised, advertising or content can use to assist with their GDPR compliance. It doesn’t guarantee compliance, nor does it seek to help companies shirk their legal responsibility. It’s just a step in the compliance process that every business that implements the Framework must undertake individually. Portraying it as anything else signals a misunderstanding of the instrument and its objectives.
As an integral part of the TCF, IAB Europe has been running a Consent Management Platform (CMP) compliance programme since 2019. That programme comprises a pre-implementation validation stage and a post-implementation enforcement stage.
In August 2021, the programme was improved and expanded to include monitoring of Vendor implementations for compliance with the TCF Policies and Technical Specifications. You can read more about the Vendor Compliance Programme here.
While it should be absolutely clear that the responsibility for correct implementation of the TCF, and ultimately compliance with the EU’s data protection framework, lies with the businesses that are subject to it, IAB Europe provides support and develops dedicated procedures to make sure the TCF is implemented properly. As managing organisation of the Framework, IAB Europe also imposes penalties in line with its prerogatives under the TCF Terms and Conditions to contractually sanction non-compliance.
The first iteration of the Vendor Compliance Programme, launched in August last year, falls within this objective. And while client-side vendor operations constitute the focus of what is only an initial phase, its scope includes systematic large-scale monitoring of vendor behaviour at the point of data collection and, thus, an assessment of compliance with critical TCF policies, directly rooted in requirements set out in the ePrivacy Directive and the GDPR.
Crucially, to ensure accuracy of results, the auditing relies on both automated crawls and manual testing of web pages. This precludes any bad players within the system from circumventing the programme and evading their commitments towards the user and the industry as a whole.
It’s worth noting that such compliance monitoring and auditing is possible precisely because of the standardised and open format for signalling user preferences established by the TCF. This would not be possible with any other consent structure in use today. Our hope is that DPAs, in particular, will consider leveraging the compliance auditing opportunities it offers.
For more information on the TCF Vendor Compliance Programme, please see this dedicated notification.