On the legality of IAB consent banners

A discussion through the example of Sirdata, an IAB CMP and behavioral data provider

Published by Pixel de Tracking on May 8, 2022

At the origin of this article

At the beginning of February, the European data protection authorities, led by the APD (the Belgian CNIL), ruled that IAB consent banners were illegal. As a reminder, the IAB (International Advertising Bureau) is the adtech lobby, and 80% of European websites use the protocol proposed by IAB Europe (the “Transparency & Consent Framework” or TCF) to make these famous consent banners work.

I had already written about these consent banners and their pretense of legality:

Even the director of the UK ICO no longer seems to support them:

“I often hear people say they are tired of having to engage with so many cookie pop-ups. That fatigue is leading to people giving more personal data than they would like.

“The cookie mechanism is also far from ideal for businesses and other organisations running websites, as it is costly and it can lead to poor user experience. While I expect businesses to comply with current laws, my office is encouraging international collaboration to bring practical solutions in this area.

However, these “cookie banners” are indeed the creation of intense lobbying by adtech, in order to avoid the creation of an “Opt-In” control mechanism at the browser level. Consent fatigue was planned and wanted by adtech. And the UK ICO is complicit in this fiasco, as recounted by Alexander Hanff in the article "The truth behind cookie banners".

With the APD's decision, is this the end of the hated banners? Not necessarily, since IAB Europe has appealed the APD's decision. As a reminder, here is a diagram representing the various personal data leaks:

[Image: brave]

Via Johnny Ryan, from his days at Brave. Making the RTB (and the IAB TCF) compatible with the GDPR, mission impossible?

Since last summer, I have also had a long e-mail correspondence with Benoit Oberlé, CEO and co-founder of Sirdata, treasurer of IAB France and Vice-President of the steering committee of the “Transparency & Consent Framework”. Sirdata is an interesting company for several reasons: it offers a CMP (Consent Management Platform) to publishers, in a free or paid version. It is also a provider of contextual and behavioral data.

Publishers who agree to share users' personal data do not pay for the Sirdata CMP:

[Image: offer]

A CMP that can be “financed by data”.

Although we have our disagreements, Benoit has always taken the time to answer my questions and explain Sirdata's choices, and for that I thank him warmly. Out of these exchanges, I wanted to write an article illustrating the choices of a CMP using the IAB protocol, and the Sirdata CMP was the perfect example.

Sirdata on Psychologies.com

To study the Sirdata CMP, let's visit Psychologies.com with the Chrome browser. We are greeted by a consent banner that looks fairly standard:

[Image: arrival]

In your opinion, which button will the Internet user in a hurry click?

You will notice the emphasis placed on the "Accept everything and continue" option, in contrast to the "Configure your choices" option and, above all, "continue without accepting". This is a "Dark Pattern" adopted by many French websites, which has received the CNIL's blessing.

If you don't take the time to read the text of the consent banner, you will miss two crucial pieces of information:

  • Some adtech companies do not rely on your consent but on legitimate interest to process your personal data.
  • Your choices do not only apply to Psychologies.com but also to some 4000 other websites.

Legitimate interest as a legal basis for processing

Here is an extract from the consent banner proposed by Sirdata:

You can [...] make a more granular choice or object to processing based on legitimate interests via the settings screen.

Translation: If you just click "Continue without accepting", some adtech companies will continue to rely on legitimate interest to process your personal data. To object to this processing based on legitimate interests, you will need to go to the settings screen (option "Configure your choices").

So go back to the consent banner to check your choices after clicking "Continue without accepting". To do this, you need to scroll down to the footer of the Psychologies.com site and click not on "Personal data & Cookies" but on "Consent" (the link doesn't look clickable, but it is):

[Image: consent]

The hidden link, even though "it should be as easy to withdraw consent as to give it".

Note the appearance of the “Refuse all and continue” button:

[Image: return]

Then, to check the effect of your previous choice ("Continue without accepting"), click "Configure your choices". You will see that the various advertising processing operations have not been unchecked, as if you had not already made a choice:

[Image: checkmark]

“Continue without accepting” does not mean “refuse”, why?

Then follow these steps:

  • Expand the option "Personalized advertising".
  • Expand the option "Create a personalized advertising profile".
  • Note that the option "For this activity, the following partners rely on their legitimate interest" is pre-checked. Expand the option.

The "Sirdata Cookieless" partner will appear:

[Image: cookieless]

“Sirdata Cookieless” appears as “not refused”. You must therefore oppose the legitimate interest to refuse this processing.

This option, accessible through the Sirdata CMP, lets the behavioral data provider Sirdata build advertising profiles even if the user has not given consent.

Incidentally, if you choose to expand the "For this activity, the following partners request your consent" option, you would see the "Sirdata" partner appear, marked "not accepted":

[Image: consent]

"Sirdata" appears as "not accepted". Sirdata cannot rely on your consent to create a personalized advertising profile.

Sirdata thus plays both sides for its advertising processing operations (including the creation of a personalized advertising profile):

  • The "Sirdata" partner relies on your consent if you click "Accept everything and continue".
  • The "Sirdata Cookieless" partner relies on its legitimate interest if you click "Continue without accepting".

With consent, Sirdata uses cookies and can share identifiers and audience segments with advertising partners. Without consent and on the basis of legitimate interest, Sirdata positions itself upstream of the sales platform (ad server or SSP) so that it can sell targeted advertising campaigns using Sirdata data when the user belongs to the right audience segment(s).

With its "Cookieless" offering, Sirdata continues to profile you and exploit your profile for personalized advertising, but the sharing of information with third parties is more limited. The Sirdata offering is summarized here:

[Image: averee]

If you click on “refuse all”, Sirdata offers contextual advertising. Overall, Sirdata considers its offer “respectful of privacy”.

So, to refuse the creation of a personalized Sirdata advertising profile (and more generally the various advertising processing operations of adtech companies), you will need, on your first visit, to:

  • Click "Configure your choices" on the consent banner.
  • Then click "refuse everything".

Note that a "Refuse everything and continue" option is available at the first level, but only when you want to reconsider your choices (assuming you find the famous "Privacy" option in the footer of Psychologies.com):

[Image: footer]

An option that we would have liked to see on the initial consent banner.

Refusing only "Personalized advertising" is not straightforward: a single click on the option counts as consent to "Personalized advertising", but also to "Standard advertising":

[Image: accept]

A nice “Dark Pattern” spotted by @fourmeux: you will now need to uncheck both options.

Targeted advertising without consent based on IP address, a way to avoid the ePrivacy directive?

Sirdata, the behavioral data provider, considers itself compliant with European regulations, ePrivacy (cookie directive) and GDPR. What is its argument?

First of all, Sirdata considers that the ePrivacy directive does not apply to its "Cookieless" (or "Consentless") offering. Its reasoning: ePrivacy applies to the storage of information on the user's terminal, or to access to information already stored on it. But to identify users without consent, Sirdata relies solely on the IP address, which is not stored on the user's terminal.

[Image: IP]

Sirdata is not very explicit about the fact that its “Cookieless” offering uses the user’s IP address. But it details the additional processing carried out on the IP address in the “Glossary” section of its “Personal data and privacy protection policy” page.

Sirdata considers that it applies "passive" rather than "active" fingerprinting. "Passive" fingerprinting would consist only of the IP address and would not involve access to the terminal. "Active" fingerprinting would consist of terminal characteristics such as the user-agent, installed fonts or screen size.

[Image: address]

Targeting via the IP address, advertisers' latest tool for targeting you without consent?

This distinction between "passive" fingerprinting (for which ePrivacy would not apply) and "active" fingerprinting (for which ePrivacy would apply) is debatable. In article 7.2 of Opinion 9/2014 on the application of Directive 2002/58/EC to the capture of digital fingerprints, by the Article 29 Working Group on data protection, the need for consent for targeted advertising is clearly stated:

Capturing digital fingerprints for targeted advertising purposes therefore requires user consent.

Sirdata maintains its position: there is no access to the terminal, therefore ePrivacy does not apply. Its offering does not fall within the definition given in Opinion 9/2014, which is not a legal obligation in any case.

Turning now to the GDPR: since Sirdata processes the user's IP address, which is personal data, it must have a legal basis for each of its advertising processing operations. When the user has not given consent, Sirdata relies on legitimate interest.

Note that Sirdata is confident in this argument, since it reuses it in its promotional videos, for example with "retargeting without consent":

[Image: party]

Without consent, the party gets wilder for adtech!

Sirdata also offers a product to bring transfers to Google Analytics in the USA into compliance, the "Analytics Helper". As a reminder, the Austrian and French data protection authorities have deemed data transfers to Google Analytics in the USA illegal.

Sirdata takes precautions to prevent US intelligence services from identifying a user via a request to Google (anonymization of the IP before sending to Google, pseudonymization of the Client ID at the Sirdata proxy level). Of interest in the context of this article, the “legal tracking model” for this “Analytics Helper” is similar to that of the Sirdata CMP:

  • If consent, usual Google Analytics tracking via cookies.
  • If there is no consent, Google Analytics tracking via a fingerprint generated by Sirdata and "solely" based on your IP address, with legitimate interest as the legal basis.
  • If there is no consent and opposition to legitimate interest, no Google Analytics tracking.

The Sirdata Helper is an ingenious product, but will it be enough to make data transfers to Google Analytics in the USA compliant? The question remains open, as I detail in this thread.

Legitimate interest in targeted advertising

It seems difficult for Sirdata, a behavioral data provider, to rely on legitimate interest for targeted advertising, in particular as regards the balancing test: the question is whether the interests pursued by adtech players outweigh the fundamental rights and freedoms of the people concerned.

The APD cites in particular Opinion 03/2013 of the Article 29 Working Group (the former name, before the GDPR, of the EDPB, the “European Data Protection Board”):

Furthermore, the EDPB indicates that legitimate interest does not constitute a sufficient legal basis in the context of direct marketing implementing behavioral advertising [...] (460)

Article 29 Working Group - Opinion 03/2013 on purpose limitation (WP 203), April 2, 2013: “consent should be required, for example, for tracking and profiling for the purposes of direct marketing, behavioral advertising, data brokering, location-based advertising or tracking-based digital market research.”

For more details, you can also read La Quadrature du Net's complaint against Amazon for violation of the GDPR, namely for the absence of a legal basis concerning targeted advertising.

After consent and the contract, La Quadrature du Net ruthlessly studies legitimate interest as a potential legal basis (points 36 to 50). For the association for the defense and promotion of rights and freedoms on the Internet, this legal basis cannot work for targeted advertising (62). The Luxembourg CNIL validated its analysis, with a record fine of €746 million against Amazon.

[Image: gafam]

La Quadrature du Net against GAFAM, unfortunately the CNIL is nowhere to be found.

Some extracts from La Quadrature’s complaint:

This is the path the G29 takes in Annex II of its opinion 03/2013, on Big Data and Open Data: "a free, specific, informed and unambiguous prior consent should almost always be required" whenever an "organization specifically wishes to analyze or predict the personal preferences, behavior and attitudes of individual customers, which will then be used to guide 'measures or decisions' taken with regard to those customers". (47)

It gives as an example of such "measures and decisions" the delivery of "personalized discounts, special offers and targeted advertisements based on the customer's profile". (49)

The G29 clearly concludes that "consent should above all be required, for example, for tracking and profiling for the purposes of direct marketing, behavioral advertising, data brokering, location-based advertising or tracking-based digital market research". (50)

Together with Benoit, we therefore put the question of legitimate interest for targeted advertising to the CNIL last summer (2021), with no response.

Your choices apply to a cooperative of 4000 sites

Here is another extract from the consent banner proposed by Sirdata (on Chrome at least, because on Safari, due to the blocking of third-party cookies, the site cooperative is disabled):

Your choices will apply to these sites and in their emails for 6 months, and we will not ask you again until tomorrow.

When you click "sites", you land on a new information page, directly on the Sirdata site. You still need to click on "Click here" at the bottom of the page to discover the Sirdata cooperative sites:

[Image: framework]

You will then find all of the Sirdata cooperative sites, across 130 paginated pages, with no export option:

[Image: list]

These sites have chosen to participate in the Sirdata consent cooperative (whether they use the Sirdata CMP in a free or paid version).

So, is it legal? According to Sirdata, yes, because the user receives information at the first level. They are free to dig deeper and consult the full list of websites. Sirdata also relies on this CNIL FAQ:

[Image: faq]

It is nevertheless likely that the CNIL had not foreseen this case: question 21 probably refers to the data controllers of the website consulted by the user (the advertising partners), not to other websites that the user does not consult. Sirdata argues that this choice benefits the user in that it reduces consent banner fatigue. Provided, of course, that the choice is an informed one.

Together with Benoit, we also put the question of the legality of this “group choice” to the CNIL last summer (2021), with no response.

The Sirdata cooperative, a CMP under constraints

A website's participation in the Sirdata cooperative imposes certain constraints on its consent banners:

  • For users located on French territory, Sirdata requires the famous “Dark Pattern” validated by the CNIL.
  • When the user reconsiders their choices, a "Refuse everything and continue" button is available.
  • The "Refuse everything" option, however, is not available on the initial consent banner.
  • The number of advertising partners cannot exceed 200 (there are more than 1000 advertising companies in the TCF, not counting the advertising partners that are not part of the TCF and that Google decides to integrate via its “Additional Consent Mode”).

Unless they are on Safari, the user's choices are therefore applied to all of the Sirdata cooperative sites. Note that, unlike some of its competitors, Sirdata systematically displays a "refusal" mechanism at the first level ("Continue without accepting" or "Refuse everything") when the user is based in France. This holds for all Sirdata customers, whether they pay or not and whether or not they belong to the cooperative.

Sirdata thus avoids “non-compliant” interfaces with no "Refuse" or "Continue without accepting" button.

Sirdata and the illegality of the TCF

In its communications, Sirdata indicates that publishers who are part of its cooperative are not affected by the APD decision. For publishers who pay for Sirdata's CMP, it would be enough not to activate all the advertising partners in order to fall outside the decision. Here is Sirdata's message to its customers:

Generally speaking, publishers who have followed our advice are not at risk due to this judgment and do not have data to delete, nor do their partners, nor the obligation to “pop” again to obtain new consent.

Let's revisit a few elements of the APD's decision. First of all, the APD considers that the character string used to store and transmit user preferences (the TC String) is personal data. It is indeed associated with the user's IP address (to which CMPs have access), and this character string also determines the future advertising processing operations of multiple adtech companies. Sirdata explains it very well:

The APD therefore confirms that the choice – the TC String – in itself does not directly identify people or devices but, once the choice is stored on the user's device, a CMP has the possibility of assigning a unique identifier to this TC String, that is to say the IP address of the device on which it is stored. The possibility of combining the TC String and the IP address implies, in its view, that this is information relating to an identifiable user.

The APD thus distinguishes two types of processing:

  • Capturing and disseminating the consent signal and users' objections to legitimate interest (via the TC String character string).
  • The capture, dissemination and processing of personal data by adtech companies.

With regard to the lawfulness and fairness of the processing, the Litigation Chamber distinguishes between two processing activities: on the one hand, the actual entry of the consent signal, objections and user preferences in the TC String by the CMPs (a), and, on the other hand, the collection and dissemination of users' personal data by the participating organizations (b). (403)

Another important point: the APD considers that CMPs are indeed joint controllers for these two types of processing:

This leads the Litigation Chamber to conclude that the defendant together with the participating CMPs, publishers and adtech providers must be considered joint controllers with regard to the collection and dissemination of users' preferences, objections and consent, as well as the further processing of their personal data. (402)

On the Sirdata CMP, what is the legal basis for the capture and dissemination of the TC String signal?

Let’s start with a clarification from Benoit:

When Sirdata acts as a CMP, it captures the TC String and sends it to its database for storing proof of consent and its validity. It does not send it to anyone else, and only these processing operations rely on legal obligation. The CMP does not transmit the string to third-party Vendors: Vendors can actively access it via an API exposed on the page, but the CMP does not "disseminate" it.

While there may be no "dissemination" of the TC String by the Sirdata CMP, exposing the character string via an API does in fact allow its subsequent dissemination.

For the first type of processing (capturing and exposing the consent signal and users' objections to legitimate interest), Sirdata as a CMP has not indicated which legal basis it intends to rely on. Indeed, before the APD's decision, IAB Europe considered that the TC String was not personal data. We have seen, however, that the TC String is indeed personal data, and also that CMPs are joint controllers.

Therefore, CMPs must declare a legal basis for this processing of personal data. If we study Sirdata:

  • Consent is currently not a valid legal basis. Sirdata stores the TC String consent string in local storage as soon as the consent banner is displayed, and therefore does not ask the user for their opinion. After a refusal of consent, the TC String is stored in the euconsent-v2 cookie.
  • Legitimate interest is currently not valid either, according to the APD, because the user has no way of objecting to the storage of this personal data: "In this regard, the Litigation Chamber finds it remarkable that no option is offered to users to completely oppose the processing of their preferences within the framework of the TCF. Whatever their choice, the CMP will generate a TC String before linking it to the user's unique User ID, via a cookie euconsent-v2 placed on the device of the person concerned." (421). The APD notes that this processing would not pass the “balancing” test given the considerable number of adtech companies collecting this data and the limited control given to the user (423).

[Image: tcstring]

Before any interaction with the Sirdata consent banner, the TC String is already stored under the key sddan:cmp in my browser's local storage.

According to the APD's decision, the Sirdata CMP does not appear to have a legal basis for capturing and exposing the consent signal and users' objections to legitimate interest. But after my discussions with Benoit, I understand that Sirdata in fact relies on another legal basis for capturing and exposing the TC String signal: legal obligation.
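To see for yourself what such a pre-stored string says, here is an added example (not Sirdata's or IAB Europe's code) that decodes the core segment of a TCF v2 TC String, as found under the localStorage key sddan:cmp or in the euconsent-v2 cookie, and reports which purposes and vendors it flags as consented versus as relying on legitimate interest. The sample string is constructed in the block with encodeCore(); its CMP id (999) and vendor ids (101, 202) are made-up values, not Sirdata's.

```javascript
// Added example, not Sirdata's or IAB Europe's code: decode the core segment of a TCF v2
// TC String and report consented vs legitimate-interest purposes and vendors. The sample is
// built with encodeCore(); CMP id 999 and vendor ids 101/202 are made up, not Sirdata's.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
// Core-segment header fields and widths, in order (213 bits before the vendor sections).
const HEADER = [['version', 6], ['created', 36], ['lastUpdated', 36], ['cmpId', 12],
  ['cmpVersion', 12], ['consentScreen', 6], ['consentLanguage', 12], ['vendorListVersion', 12],
  ['tcfPolicyVersion', 6], ['isServiceSpecific', 1], ['useNonStandardStacks', 1],
  ['specialFeatureOptIns', 12], ['purposesConsent', 24], ['purposesLITransparency', 24],
  ['purposeOneTreatment', 1], ['publisherCC', 12]];
const ID_FIELDS = ['specialFeatureOptIns', 'purposesConsent', 'purposesLITransparency'];
const LETTER_FIELDS = ['consentLanguage', 'publisherCC'];   // two 6-bit letters, A = 0
// Bit i (most significant first) set means id i+1 is on; idsToBits is the inverse.
const bitsToIds = (bits) => [...bits].flatMap((b, i) => (b === '1' ? [i + 1] : []));
const idsToBits = (ids, n) => Array.from({ length: n }, (_, i) => (ids.includes(i + 1) ? '1' : '0')).join('');

function reader(bits) {
  let pos = 0;
  const read = (n) => {
    if (pos + n > bits.length) throw new Error('TC String core segment truncated');
    return bits.slice(pos, (pos += n));
  };
  return { read, int: (n) => parseInt(read(n), 2) };
}

// Vendor consent / vendor LI sections: a bitfield of maxVendorId bits, or a list of ranges.
function readVendorSection(r) {
  const maxVendorId = r.int(16);
  if (r.int(1) === 0) return bitsToIds(r.read(maxVendorId));
  const ids = [];
  for (let e = r.int(12); e > 0; e--) {
    const isRange = r.int(1) === 1, start = r.int(16), end = isRange ? r.int(16) : start;
    for (let id = start; id <= end; id++) ids.push(id);
  }
  return ids;
}

function decodeCore(tcString) {
  let bits = '';
  for (const ch of tcString.split('.')[0]) {   // later segments (publisher TC, etc.) are skipped
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error(`not base64url: ${ch}`);
    bits += v.toString(2).padStart(6, '0');
  }
  const r = reader(bits);
  const out = {};
  for (const [name, width] of HEADER) {
    const raw = r.read(width);
    if (ID_FIELDS.includes(name)) out[name] = bitsToIds(raw);
    else if (LETTER_FIELDS.includes(name))
      out[name] = String.fromCharCode(65 + parseInt(raw.slice(0, 6), 2), 65 + parseInt(raw.slice(6), 2));
    else out[name] = parseInt(raw, 2);
  }
  if (out.version !== 2) throw new Error(`unsupported TC String version ${out.version}`);
  out.vendorConsent = readVendorSection(r);
  out.vendorLegitimateInterest = readVendorSection(r);
  return out;                                  // publisher restrictions follow; not needed here
}

// The questions the page raises about a stored string: was it written without any consent, does
// it still carry LI flags, and is purpose 1 (store/access on device, consent-only) claimed under LI?
function auditTcString(tcString) {
  const d = decodeCore(tcString);
  return {
    cmpId: d.cmpId, consentedPurposes: d.purposesConsent, liPurposes: d.purposesLITransparency,
    consentedVendors: d.vendorConsent, liVendors: d.vendorLegitimateInterest,
    noConsentGiven: d.purposesConsent.length === 0 && d.vendorConsent.length === 0,
    liWithoutConsent: d.purposesConsent.length === 0 && d.purposesLITransparency.length > 0,
    purposeOneUnderLI: d.purposesLITransparency.includes(1),
  };
}

// Minimal encoder (bitfield vendor sections, no publisher restrictions) used to build samples.
function encodeCore(f) {
  let bits = '';
  for (const [name, width] of HEADER) {
    const v = f[name] ?? 0;
    if (ID_FIELDS.includes(name)) bits += idsToBits(v || [], width);
    else if (LETTER_FIELDS.includes(name))
      bits += [...v].map((c) => (c.charCodeAt(0) - 65).toString(2).padStart(6, '0')).join('');
    else bits += v.toString(2).padStart(width, '0');
  }
  for (const ids of [f.vendorConsent, f.vendorLegitimateInterest]) {
    const max = Math.max(0, ...ids);
    bits += max.toString(2).padStart(16, '0') + '0' + idsToBits(ids, max);
  }
  bits += '0'.repeat(12) + '0'.repeat((6 - ((bits.length + 12) % 6)) % 6); // 0 restrictions, pad
  let s = '';
  for (let i = 0; i < bits.length; i += 6) s += B64URL[parseInt(bits.slice(i, i + 6), 2)];
  return s;
}

// Constructed sample: what "Continue without accepting" leaves behind when the legitimate-
// interest boxes stay pre-checked: no consent bits at all, but LI flags for purposes 2-10.
const SAMPLE_NO_CONSENT = encodeCore({
  version: 2, created: 16520000000, lastUpdated: 16520000000, cmpId: 999, cmpVersion: 1,
  consentScreen: 1, consentLanguage: 'FR', vendorListVersion: 120, tcfPolicyVersion: 2,
  isServiceSpecific: 1, purposesConsent: [], purposesLITransparency: [2, 3, 4, 5, 6, 7, 8, 9, 10],
  publisherCC: 'FR', vendorConsent: [], vendorLegitimateInterest: [101, 202],
});
```

In a browser console on a site using a TCF CMP, pass the string read from the euconsent-v2 cookie or from local storage to auditTcString(); if the stored value wraps the string in JSON, extract it first.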

Legal obligation as a legal basis for processing?

The fact that the Sirdata CMP relies on legal obligation as a processing basis for capturing and exposing the TC String signal is absent from the Sirdata consent banner and is not mentioned in the Sirdata article discussing the APD's decision. It is, however, indicated in the Sirdata CMP's terms of use:

9.5. The TC String and strictly necessary data, such as the date of the last prompt used to limit subsequent prompts, will be stored on the user's device, in local storage, in a cookie named euconsent-v2 which can be used as a first party cookie or a third party cookie linked to the domain name consentframework.com. The Parties agree that, in accordance with CNIL Deliberation n°2020-092 of September 17, 2020 adopting a recommendation proposing practical modalities of compliance in the event of recourse to "cookies and other tracers" the storage of or access to this data in the terminal is not subject to prior consent, and if the TC String and the necessary data are considered personal data, the processing will be carried out by Sirdata as a data processor acting on behalf of You, data controller on the basis of the legal obligation under GDPR.

According to the APD, Sirdata is not a mere processor but a joint controller. That said, this does not affect the legal basis invoked by Sirdata, legal obligation. Sirdata's argument for relying on legal obligation is as follows: the publisher and its partners are legally required to prove consent, to remember a refusal or withdrawal of consent, and to record an objection so as not to "harass" the user.

It is a shame that IAB Europe and the APD did not discuss this legal basis for processing; we lack a legal ruling to know whether it really holds up.

Sirdata invokes the CNIL's deliberation n°2020-092 of September 17, 2020 (practical arrangements for compliance when using “cookies and other trackers”), but this only suggests a name for the tracker that stores users' choices:

  1. Finally, the Commission encourages professionals to name the tracker allowing users' choices to be stored eu-consent, by attaching to each purpose a Boolean value “true” or “false” memorizing the choices made.

Deliberation No. 2020-091 of September 17, 2020 (“cookies and other trackers” guidelines) concerns the consent exemption for the choice expressed by users on the placing of trackers:

  1. In view of the practices brought to its attention, the Commission considers that the following tracers may, in particular, be considered exempt:
    • trackers retaining the choice expressed by users on the deposit of tracers
    • [...]

But the CNIL does not speak of a legal basis for processing under the GDPR, let alone of any legal obligation as a legal basis. A careful reading of the CNIL's text on legal obligation raises further questions:

  • The legal obligation must be provided for in the national or European legal framework. What legal text can Sirdata then rely on?
  • The controller wishing to rely on this legal basis must not have the choice of whether or not to comply with the obligation (necessity).
  • In particular, the organization must ensure that there is no less intrusive means of achieving this objective.

Yet Sirdata could very well add an opt-in parameter to the calls made to its CMP. With a call to https://sirdata...?opt-in=0, there would be no creation of the TC String, and therefore no call to adtech partners. Legal obligation therefore does not seem necessary.

The Sirdata CMP could rely on legitimate interest as a legal basis for processing the TC String (via the opt-in parameter, the user could object to the storage of the TC String). It would still need to pass the balancing test given the considerable number of partners collecting this data (423). Here, Sirdata will argue that by limiting the number of partners in its cooperative to a maximum of 200, the APD's judgment does not apply.

For Sirdata as an advertising partner, what is the legal basis for the capture and dissemination of the TC String signal?

Remember, Sirdata operates as a CMP, but it also operates as a provider of contextual and behavioral data. In this role, Sirdata captures and disseminates the TC String. Let’s revisit Benoit’s explanations:

When Sirdata acts as a consent-based Vendor (“Sirdata” Vendor), we may capture and transfer the TC String and other personal data on the basis of consent and we check whether the entity to whom we are about to send it has the right to receive it. When Sirdata acts as a Vendor relying on legitimate interest ("Sirdata cookieless" Vendor), we may capture and transfer the TC String and other personal data on the basis of legitimate interest and we do not pass this data on.

For the future, and precisely because of the APD decision, we are going to change the legal basis for processing TC String as a Vendor, in order to be able to transmit a withdrawal of consent: we will soon rely only on legitimate interest (but only for the TC String used in this context).

The same comment seems to apply here: it will be necessary to pass the balancing test given the considerable number of partners collecting this data (423). Sirdata will probably be able to argue that when it acts as an advertising partner ("Vendor"), it transmits the TC String to a limited number of partners.

We have studied above the potential legal bases for the first type of processing identified by the APD: the capture and dissemination of the consent signal and users' objections to legitimate interest (on the Sirdata CMP side, but also on the Sirdata "Vendor" side). Let's now turn to the second type of processing: the capture, dissemination and processing of personal data by adtech companies.

Legitimate interest as a legal basis for the capture, dissemination and processing of personal data by adtech companies?

As a reminder, here we are no longer talking about the capture or dissemination of the TC String but rather about the many different advertising processing operations carried out with your personal data:

[Image: finalities]

The purposes as defined in v2 of the TCF, note the exception of the purpose “Store and/or access information on a device”, which can only be based on your consent.

Let's study the APD's decision regarding legitimate interest for advertising processing within the framework of the TCF. This processing includes targeted advertising, but is not limited to it. The use of legitimate interest as a legal basis for processing is subject to three conditions:

  • It must be "legitimate": the APD has no opinion on whether the economic interest of an adtech player in carrying out advertising processing is legitimate. But this condition is already not met because the APD considers that advertising processing is not described specifically enough within the framework of the TCF (452).
  • It must satisfy the “necessity” condition: the APD considers that this condition is not met because within the framework of RTB (Real-Time Bidding), there is no protection against the dissemination of personal information (456).
  • It must not harm the rights and interests of the people whose data is processed: according to the APD, the large number of advertising players is problematic, as is the large amount of information transmitted as part of an advertising auction. The APD also cites the EDPB (the European Data Protection Board) and the UK ICO, both of which find that legitimate interest is not a valid legal basis for processing for targeted advertising, particularly within the framework of RTB (460).

Let's read, for example, the opinion of the EDPB:

Consent should be required, for example, for tracking and profiling for the purposes of direct marketing, behavioral advertising, data brokering, location-based advertising or tracking-based digital market research.

And here is the decision of the APD:

In light of the above-mentioned considerations, the Litigation Chamber considers that the legitimate interest of the participating organizations cannot be considered as an adequate legal basis for processing activities carried out according to the OpenRTB protocol, in accordance with user preferences and choices entered under the TCF.

Now Sirdata's analysis: this judgment does not apply to the TCF as a whole, but only to processing operations linked to RTB. For example, it does not concern the profiling carried out by Sirdata via its "Cookieless" offering, which takes place upstream of RTB exchanges and does not result in the sharing of identifiers and audience segments with advertising partners. And so the Sirdata CMP can continue to offer its partners legitimate interest as a legal basis for processing.

Note that, even without discussing RTB, legitimate interest already fails the legitimacy test. To learn more, you can read the paper by Célestin Matte, Cristiana Santos and Nataliia Bielova, "Purposes in IAB Europe's TCF: which legal basis and how are they used by advertisers?". It studies each purpose independently of any processing linked to RTB, but the conclusion remains the same for legitimate interest: this legal basis does not hold up:

[Image: study]

The new version of the TCF describes the purposes better, but legitimate interest would still not be valid.

Even though this paper is very solid, Sirdata will be able to argue that a legal ruling on the validity of legitimate interest via the TCF, outside the OpenRTB protocol, is missing. The TCF is certainly linked to the OpenRTB protocol, as the APD notes:

The Litigation Chamber notes that the defendant's argument cannot be followed, given that the defendant indicates several times in its conclusions that the raison d'être of the TCF is precisely to bring the processing of personal data based on the OpenRTB protocol, among others, into compliance with the applicable regulations, including the GDPR and the ePrivacy directive. Although the Litigation Chamber understands that the TCF can also be used by publishers for other applications, in collaboration or not with the CMPs, it is also certain that the TCF was never designed to be an autonomous and independent ecosystem. (368)

But the TCF is also used outside of OpenRTB, an argument Sirdata can put forward to maintain the "legitimate interest" legal basis in its CMP. Its own practice is an example: in the absence of consent, it relies on legitimate interest for targeted advertising based on the IP address, which technically takes place outside RTB (upstream of it).

Consent as a legal basis for the capture, dissemination and processing of personal data by adtech companies?

We saw earlier that legitimate interest is not a valid legal basis for the processing of personal data in OpenRTB as facilitated by the TCF, especially for processing relating to targeted advertising. The APD also details why consent is not a valid legal basis for processing personal data.

Sirdata's argument for escaping this decision is then as follows (whether for legitimate interest or for consent). As part of its cooperative, the Sirdata CMP goes further than a bare-minimum TCF implementation, with, in particular, better prioritization of data, better information and, above all, a cap on the number of partners.

Sirdata is, however, perfectly aware that the TCF was never intended to guarantee compliance with the GDPR on its own. Sirdata CMP therefore implements this standard like others, and also provides additional measures and specific rules allowing compliance with local and regional regulations well beyond what the TCF requires.

We could emphasize that the absence of a legal basis for processing is far from being the only violation of the GDPR pointed out by the APD, and that it is not enough to better address one of the problems to be compliant.

To which Sirdata will respond that it is not necessarily compliant, but that a new analysis by a Data Protection Authority would be required to determine the validity, which is assessed on a case-by-case basis. It may cite in particular this passage from the APD decision:

It should also be noted that CMPs have a lot of discretion when it comes to the interface they provide to users. Indeed, the TCF Policies only impose minimum interface requirements on participating CMPs, with the consequence that in practice, interfaces and respect for the principles of fairness and transparency can vary considerably depending on the CMP with which website and application publishers collaborate. (381)

This passage of the APD's analysis concerns the joint responsibility of CMPs regarding the purposes and means of processing personal data. Let's instead look at some of the "additional measures" and "specific rules" put forward by Sirdata.

Group purposes together so as not to be affected by the APD decision?

For the APD, consent is not a valid legal basis:

Consent is not a valid basis for processing operations in the OpenRTB as facilitated by the TCF. (428) The Litigation Chamber considers that the consent collected by the CMPs and publishers in the current version of the TCF is insufficiently free, specific, informed and unambiguous. (432)

The APD notes in particular that the proposed processing purposes are not described sufficiently clearly, and in certain cases, are even misleading:

For example, the Litigation Chamber notes that purposes 8 (“Measure content performance”) and 9 (“Apply market research to generate audience insights”) provide little or no indication on the scope of the processing, the nature of the personal data processed, or the duration of retention of the personal data collected until the user withdraws their consent. (433)

To which Sirdata indicates that it has already responded, in particular by grouping these two purposes under the heading “Audience measurement”:

[Image: the "Audience measurement" grouping in the Sirdata CMP]

Sirdata specifies on its blog:

To allow informed consent, at the second level the “purposes” of the TCF are grouped under “umbrella” purposes defined by the CNIL in its tracker recommendation of September 17, 2021, such as “targeted advertising” or “audience measurement”.

Except that these two advertising purposes are in reality very different from measuring a site's audience and traffic, as tools such as Google Analytics, AT Internet or Matomo do. Purposes 8 and 9 rather cover processing carried out by panel and market-research tools such as Nielsen or Comscore. By grouping them under “audience measurement”, Sirdata therefore adds confusion to purposes that already exist.

Different ways of accessing partners' privacy pages to avoid being affected by the APD decision?

Another point on which Sirdata declares to go “further than the TCF”, and thus escape the APD decision, is access to information on the specific processing operations of each adtech supplier. Here is a passage from the APD decision:

Additionally, the information CMPs provide to users remains too general to reflect the specific processing operations of each adtech provider, preventing the necessary granularity of consent. (436)

So what does Sirdata do? Here is what it says:

The mandatory information within the framework of the TCF is in fact an insufficient raw common base: Sirdata and its clients go well beyond.

In addition to reflecting the mandatory information in the TCF, the Sirdata CMP UI provides additional insight into the data processed and the purpose of this processing, and prioritizes the information for easier understanding and user control.

Part of the information is available at the first level, another, such as the list of recipients, is easily available at the second level, and access to additional information such as the conditions for exercising rights is accessible via links to the Privacy pages.

In practice, when you zoom in on a purpose via the consent banner, you can display the list of partners. If you click on one of the partners, you will then have a link to their privacy policy:

[Image: partner list with a link to each partner's privacy policy in the Sirdata CMP]

The “Sirdata Cookieless” partner, which uses legitimate interest to create a personalized advertising profile.

It can be noted that this link to the privacy policy is already imposed by the IAB TCF:

When making use of a so-called layered approach, a secondary layer must be provided that allows the user to: review the list of named Vendors, their Purposes, Special Purposes, Features, Special Features, associated Legal Bases, and a link to each Vendor’s privacy policy.

But Sirdata indicates that it goes further than certain CMPs, which do not let you list the partners attached to a given purpose. We can see the difference with the L’Express website, which uses Didomi’s CMP:

[Image: purpose view in Didomi's CMP on L’Express, with "Legitimate interest" not expandable]

I cannot expand "Legitimate interest", so I cannot see that Sirdata relies on this legal basis to "Create a personalized advertising profile".

But the "Partners" view does let you list the various partners and provides a link to each partner's privacy page:

[Image: "Partners" view in Didomi's CMP on L’Express]

To “Create a personalized advertising profile” on L’Express with Didomi’s CMP, Sirdata also relies on legitimate interest, via the famous partner “Sirdata Cookieless”.

For Sirdata, the “better” prioritization of information in its CMP does not necessarily make it lawful, but would require a new decision from the APD to assess its lawfulness.

Limit the number of partners so as not to be affected by the APD decision?

Sirdata's main argument: the APD decision would not apply to Sirdata, because it imposes a choice of partners on its customers, with a limit of 200 partners for its cooperative (outside the cooperative, there is no limit).

As part of the cooperative of choice that it manages, Sirdata even goes so far as to impose a ceiling of 200 partners, very far from the 2000 potential partners of the TCF and the consent network managed by Google in addition — “AC Mode” —.

Such safeguards make it possible to avoid large-scale processing of user preferences — collected under the TCF — within the framework of the open RTB protocol: according to the APD, the interests of the persons concerned only prevail over the legitimate interest of the organizations participating in the TCF when the latter are all selected.

But in the APD decision, there is no mention of a legitimate interest of the organizations that would prevail over the interests of the persons concerned when not all of them are selected... Sirdata nevertheless says it relies on this extract:

Although the TCF Policies prohibit CMPs from granting preference to certain adtech vendors on the Global Vendors List, and they are therefore in principle required to present all vendors registered with the TCF to users, unless otherwise instructed by publishers, some authors note that a number of CMPs do not comply with this requirement. Either because the CMPs impose pre-selected vendors on publishers, or because they deny them the possibility of departing from the complete list of adtech vendors offered by default. (380)

This passage is there to explain why CMPs must be considered joint controllers, not to point to any problem with too many partners. Moreover, IAB Europe does not require presenting the complete list, only that no particular partner be discriminated against:

In any interaction with the Framework, a CMP may not exclude, discriminate against, or give preferential treatment to a Vendor except pursuant to explicit instructions from the Publisher involved in that interaction and in accordance with the Specifications and the Policies.

Sirdata's reasoning is as follows:

  • Under the TCF, we are required to present all vendors by default (this is not an "obligation", as IAB Europe's document shows).
  • This presentation is not valid according to the APD (Sirdata interprets the APD's "in principle" as an obligation).
  • We do not comply with this TCF "obligation", because we require customers to choose their partners (200 maximum, on pain of not being able to join the cooperative; around thirty by default).
  • And so the APD decision does not concern us.

But Sirdata does follow IAB Europe's recommendations, since it does not discriminate against any particular partner. We can nevertheless find another argument linked to the number of partners in the APD decision:

In particular, the recipients for whom consent is collected are so numerous that users would need a disproportionate amount of time to read this information, meaning that their consent can rarely be sufficiently informed. (435)

For Sirdata, imposing partner selection (with a ceiling of 200 partners) does not necessarily make its CMP lawful, but another assessment by a regulatory authority would be required.

The illegality of IAB consent banners does not only concern the legal basis of processing

In this article, we have only been able to scratch the surface of the problems posed by IAB consent banners. Sirdata indicates that going “further” than the “minimum” TCF implementation would allow its customers to continue “business as usual” with its CMP. However, the illegality of the TCF is systemic, and continuing to rely on it is legally risky. Making the TCF lawful will not be easy either, as the very mechanism of RTB appears irreconcilable with the GDPR, particularly with regard to the security of personal data.

Here is a summary of GDPR violations, in this article from the ICCL (Irish Council for Civil Liberties, the organization where Johnny Ryan now works) on the APD decision:

[Image: ICCL summary of GDPR violations identified in the APD decision]

Could a few adaptations make the TCF legal?

You can delve deeper into the subject by reading these papers:

And by watching this presentation by Robin Berjon, "Consent of the Governed".

Towards an internet without imposed surveillance, and without consent banners

It is up to the European data protection authorities to rely on this important decision of the APD to properly sanction the various stakeholders (CMP, publishers, advertising partners) and prohibit the massive leak of personal data via the RTB. A ban on targeted advertising would be appreciated, and not just for minors, as the DSA proposes. At a minimum, the CNIL could rule more clearly on targeted advertising based on legitimate interest.

What's more, these consent banners should not exist: the user should be able to accept or refuse tracking by the advertising industry directly through their browser settings (opt-in), on the model of what Apple already offers via its ATT system. To that end, initiatives like the Global Privacy Control (GPC) or the Advanced Data Protection Control (ADPC) deserve to be developed and backed by law.