At the origin of this article
At the beginning of February, the European data protection authorities, led by the APD (the Belgian CNIL), ruled that IAB consent banners were illegal. As a reminder, the IAB (International Advertising Bureau) is the adtech lobby, and 80% of European websites use the protocol proposed by IAB Europe (the “Transparency & Consent Framework” or TCF) to make these famous consent banners work.
I have already written about these consent banners and their pretence of legality:
- “Collecting consent on the internet: a widespread lie”.
- “Le Figaro, emblem of invasive advertising tracking on French media sites”.
- “The big sale of your personal data on Le Bon Coin”.
- “How publishers make fun of the CNIL”.
Even the director of the UK ICO no longer seems to support them:
“I often hear people say they are tired of having to engage with so many cookie pop-ups. That fatigue is leading to people giving more personal data than they would like.
“The cookie mechanism is also far from ideal for businesses and other organizations running websites, as it is costly and it can lead to poor user experience. While I expect businesses to comply with current laws, my office is encouraging international collaboration to bring practical solutions in this area.
However, these “cookie banners” are indeed the product of intense lobbying by adtech, aimed at avoiding the creation of an “opt-in” control mechanism at the browser level. Consent fatigue was planned and wanted by adtech. And the UK ICO is complicit in this fiasco, as Alexander Hanff recounts in the article "The truth behind cookie banners".
With the APD's decision, is this the end of the hated banners? Not necessarily, since IAB Europe has appealed the APD's decision. As a reminder, here is a diagram representing the different personal data leaks:
[Image: diagram of personal data leaks in real-time bidding, via Johnny Ryan from his days at Brave. Making the RTB (and the IAB TCF) compatible with the GDPR: mission impossible?]
Since last summer, I have also had a long e-mail correspondence with Benoit Oberlé, CEO and co-founder of Sirdata, treasurer of IAB France and Vice-President of the steering committee of the “Transparency & Consent Framework”. Sirdata is an interesting company for several reasons: it offers a CMP (Consent Management Platform) to publishers, in a free or paid version. It is also a contextual and behavioral data provider.
Publishers who agree to share the personal data of Internet users do not pay for the Sirdata CMP:
[Image: A CMP that can be “financed by data”.]
Although we disagree, Benoit has always taken the time to answer my questions and explain Sirdata's choices, and for this I thank him warmly. From our discussions, I wanted to write an article illustrating the choices of a CMP using the IAB protocol, and the Sirdata CMP was the perfect example.
Sirdata on Psychologies.com
To study the Sirdata CMP, let's visit Psychologies.com with the Chrome browser. We are greeted by a seemingly fairly standard consent banner:
[Image: the Psychologies.com consent banner. In your opinion, which button will the Internet user in a hurry click?]
You will notice the emphasis on the option "Accept everything and move on", unlike the options "Configure your choices" and above all "Continue without accepting". This is a "Dark Pattern" adopted by many French websites, and it has received the blessing of the CNIL.
If you don't take the time to read the text of the consent banner, you will nevertheless miss 2 crucial pieces of information:
- Some adtech companies do not rely on your consent but on legitimate interest to process your personal data.
- Your choices do not only apply to Psychologies.com but also to some 4000 other websites.
Legitimate interest as a legal basis for processing
Here is an extract from the consent banner proposed by Sirdata:
You can [...] make a more granular choice or object to processing based on legitimate interests via the settings screen.
Translation: if you just click "Continue without accepting", some adtech companies will continue to rely on legitimate interest to process your personal data. To object to this processing based on legitimate interests, you need to go to the settings screen (option "Configure your choices").
So let's come back to the consent banner to check your choices after clicking on "Continue without accepting". To do this, you need to scroll to the footer of the Psychologies.com site and click not on "Personal data & Cookies" but on "Consent" (the link does not look clickable, although it is):
[Image: the hidden "Consent" link, although "it should be as easy to withdraw consent as to give it".]
Note the appearance of the “Refuse all and continue” button:
[Image: the consent banner with the “Refuse all and continue” button.]
Then, in order to check the effect of your previous choice ("Continue without accepting"), click on "Configure your choices". You will see that the different advertising processing operations are not unchecked, as if you had not already made a choice:
[Image: the settings screen. “Continue without accepting” does not mean “refuse”: why?]
Then follow these steps:
- Expand the option "Personalized advertising".
- Expand the option "Create a personalized advertising profile".
- Note that the option "For this activity, the following partners rely on their legitimate interest" is pre-checked. Expand the option.
You will see the partner "Sirdata Cookieless" appear:
[Image: “Sirdata Cookieless” appears as “not refused”. You must therefore object to the legitimate interest in order to refuse this processing.]
This option, accessible via the Sirdata CMP, allows the behavioral data provider Sirdata to create advertising profiles even if the Internet user has not given their consent.
Besides, if you expand the option "For this activity, the following partners request your consent", you will see the partner "Sirdata" appear with the mention "not accepted":
[Image: "Sirdata" appears as "not accepted". Sirdata cannot rely on your consent to create a personalized advertising profile.]
Sirdata thus plays on both sides for its advertising processing operations (including the creation of a personalized advertising profile):
- The partner "Sirdata" is based on your consent if you click on "Accept everything and move on".
- The partner "Sirdata Cookieless" is based on its legitimate interest if you click on "Continue without accepting".
With consent, Sirdata uses cookies and may share identifiers and audience segments with advertising partners. Without consent and on the basis of a legitimate interest, Sirdata places itself upstream of the sales platform (adserver or SSP) so that it can sell targeted advertising campaigns with Sirdata data when the user belongs to the correct audience segment(s).
With its "Cookieless" offer, Sirdata continues to profile you and to use your profile for personalized advertising, but the sharing of information with third parties is more limited. The Sirdata offer is summarized here:
[Image: summary of the Sirdata offer.]
If you click on “refuse all”, Sirdata offers contextual advertising. Overall, Sirdata considers its offer “respectful of privacy”.
In order to refuse the creation of a personalized Sirdata advertising profile (and more generally, the various advertising processing operations of adtech companies), you therefore need, on your first visit, to:
- Click "Configure your choices" on the consent banner.
- Then click on "refuse everything".
Note that an option "Refuse everything and continue" is available at the first level, but only when you want to reconsider your choices (if you find the famous "Privacy" option at the bottom of the Psychologies.com page):
[Image: the "Refuse everything and continue" option, which we would have liked to see on the initial consent banner.]
Refusing only "Personalized advertising" is not straightforward either: a single click on the option constitutes consent to "Personalized advertising", but also to "Standard advertising":
[Image: a nice “Dark Pattern” spotted by @fourmeux; you now need to uncheck both options.]
Targeted advertising without consent based on IP address, a way to avoid the ePrivacy directive?
Sirdata, the behavioral data provider, considers itself compliant with European regulations, ePrivacy (cookie directive) and GDPR. What is its argument?
First of all, Sirdata considers that the ePrivacy directive does not apply to its offer "Cookieless" (or "Consentless"). Its reasoning: ePrivacy applies to the storage of information on the user's terminal or access to information already stored on it. But to identify users without consent, Sirdata relies solely on the IP address, and this is not stored on the user's terminal.
[Image: Sirdata's reasoning on ePrivacy and its "Cookieless" offer.]
Sirdata is not explicit about the fact that its “Cookieless” offer uses the user’s IP address. But it details the additional processing carried out on the IP address in the Glossary section of its page “Personal data protection and privacy policy”.
Sirdata considers that it performs “passive” rather than “active” fingerprinting. “Passive” fingerprinting would consist only of the IP address and does not involve access to the terminal. “Active” fingerprinting would consist of terminal characteristics such as the user-agent, installed fonts or screen size.
[Image: targeting via IP address, the latest tool for advertisers to target you without consent?]
This distinction between "passive" fingerprinting (to which ePrivacy would not apply) and "active" fingerprinting (to which ePrivacy would apply) is debatable. In section 7.2 of Opinion 9/2014 of the Article 29 Data Protection Working Party on the application of Directive 2002/58/EC to device fingerprinting, the need for consent for targeted advertising is clearly stated:
Capturing digital fingerprints for targeted advertising purposes therefore requires user consent.
Sirdata maintains its position: no access to the terminal, therefore ePrivacy does not apply. Its offer does not fall within the definition of Opinion 9/2014, which is in any case not a legal obligation.
Regarding the GDPR now, as Sirdata processes the user's IP address, and this is personal data, it must have a legal basis for each of its advertising processing operations. When the user has not given consent, Sirdata relies on legitimate interest.
Note that Sirdata is confident enough in this argument to reuse it in its promotional videos, for example with "retargeting without consent":
[Image: Sirdata promotional material. Without consent, the party gets wilder for adtech!]
Sirdata also offers a product to make transfers to Google Analytics compliant in the USA, the "Analytics Helper". As a reminder, the Austrian and French data protection authorities have deemed data transfers to Google Analytics in the USA illegal.
Sirdata takes precautions to prevent US intelligence services from identifying a user via a request to Google (anonymization of the IP before sending to Google, pseudonymization of the Customer ID at the Sirdata proxy level). Interesting in the context of this article, the “legal tracking model” for this “Analytics Helper” is similar to the CMP Sirdata model:
- If consent, usual Google Analytics tracking via cookies.
- If there is no consent, Google Analytics tracking via a fingerprint generated by Sirdata and "solely" based on your IP address, with legitimate interest as the legal basis.
- If there is no consent and opposition to legitimate interest, no Google Analytics tracking.
The Sirdata Analytics Helper is an ingenious product, but will it be enough to make data transfers to Google Analytics in the USA compliant? The question remains open, as I detail in this thread.
Legitimate interest in targeted advertising
It seems complicated for Sirdata, a behavioral data provider, to rely on legitimate interest for targeted advertising. And in particular regarding the balancing criterion: the question is whether the interests pursued by adtech suppliers outweigh the fundamental rights and freedoms of the persons concerned.
The APD mentions in particular Opinion 03/2013 of the Article 29 Working Party, the pre-GDPR predecessor of the EDPB (“European Data Protection Board”):
Furthermore, the EDPB indicates that legitimate interest does not constitute a sufficient legal basis in the context of direct marketing implementing behavioral advertising [...] (460)
Article 29 Working Party - Opinion 03/2013 on purpose limitation (WP 203), April 2, 2013: “consent should be required, for example, for tracking and profiling for the purposes of direct marketing, behavioral advertising, data brokering, location-based advertising or tracking-based digital market research.”
For more details, you can also read La Quadrature du Net's complaint against Amazon for violation of the GDPR, namely for the absence of a legal basis concerning targeted advertising.
After consent and the contract, La Quadrature du Net ruthlessly studies legitimate interest as a potential legal basis (points 36 to 50). For the association for the defense and promotion of rights and freedoms on the Internet, this legal basis cannot work for targeted advertising (62). The Luxembourg CNIL validated its analysis, with a record fine of €746 million against Amazon.
[Image: La Quadrature du Net against GAFAM; unfortunately the CNIL is nowhere to be found.]
Some extracts from La Quadrature’s complaint:
This is the path that the G29 is taking in Annex II of its opinion 03/2013, on Big Data and Open Data: “a prior consent, free, specific, informed and unmistakable, should almost always be required” whenever an “organization specifically wishes to analyze or predict the personal preferences, behavior and attitudes of individual customers, which will then be used to guide ‘actions or decisions’ taken with respect to those customers.” (47)
It gives as an example of such “measures and decisions” the dissemination of “personalized discounts, special offers and targeted advertisements from the customer profile.” (49)
The G29 clearly concludes that “consent should especially be required, for example, for the tracking and profiling for direct prospecting and behavioral advertising purposes, information brokerage, location-based advertising or tracking-based digital market research.” (50)
Benoit and I therefore put the question of legitimate interest for targeted advertising to the CNIL last summer (2021), without response.
Your choices apply to a cooperative of 4000 sites
Here is another extract from the consent banner proposed by Sirdata (on Chrome at least, because on Safari, due to the blocking of third-party cookies, the site cooperative is disabled):
Your choices will apply to these sites and in their emails for 6 months, and we will not ask you again until tomorrow.
When you click "sites", you land on a new information page, directly on the Sirdata site. You still need to click on "Click here" at the bottom of the page to discover the Sirdata cooperative sites:
[Image: the Sirdata information page, with the "Click here" link at the bottom.]
You will then find all of the Sirdata cooperative sites: 130 paginated pages, with no export option:
[Image: the paginated list of Sirdata cooperative sites.]
These sites have chosen to participate in the Sirdata consent cooperative (whether they use the Sirdata CMP in a free or paid version).
So, is it legal? According to Sirdata, yes, because the Internet user receives the information at the first level and is free to dig deeper and consult the complete list of websites. Sirdata also relies on this CNIL FAQ:
[Image: the CNIL FAQ entry (question 21) cited by Sirdata.]
It is nevertheless likely that the CNIL had not foreseen this case, question 21 probably referring to the data controllers of the website consulted by the user (the advertising partners), and not to other websites that the user does not consult. Sirdata argues that this choice benefits the user in that it reduces consent banner fatigue. This choice still needs to be an informed one.
Benoit and I also put the question of the legality of this “group choice” to the CNIL last summer (2021), without response.
The Sirdata cooperative, a CMP under constraints
The participation of a website in the Sirdata cooperative imposes certain constraints on the consent banners:
- For users located on French territory, Sirdata requires the famous “Dark Pattern” validated by the CNIL.
- When the user reconsiders their choices, a button "Refuse everything and continue" is available.
- The option "Refuse everything" is however not available on the initial consent banner.
- The number of advertising partners cannot exceed 200 (there are more than 1000 advertising companies in the TCF, not counting advertising partners which are not part of TCF and which Google decides to integrate via its “Additional Consent Mode”).
Unless the user is on Safari, their choices are therefore applied to all of the Sirdata cooperative sites. Note that, unlike some of its competitors, Sirdata systematically displays a "refusal" mechanism at the first level ("Continue without accepting" or "Refuse everything") if the user is based in France. This holds for all Sirdata customers, paying or not, and whether or not they are members of the cooperative.
Sirdata thus avoids “non-compliant” interfaces, those without a "Refuse" or "Continue without accepting" button.
Sirdata and the illegality of TCF
In its communication, Sirdata indicates that the publishers who are part of its cooperative are not affected by the APD decision. For publishers who pay for Sirdata's CMP, it would be enough not to activate all advertising partners in order not to be affected by the decision. Here is Sirdata's message to its customers:
Generally speaking, publishers who have followed our advice are not at risk due to this judgment and do not have data to delete, nor do their partners, nor the obligation to “pop” again to obtain new consent.
Let's take a look at some elements of the APD's decision. First of all, the APD considers that the character string used to store and transmit user preferences (the TC String) is personal data. It is in fact associated with the user's IP address (to which the CMPs have access), and this character string also determines the future advertising processing operations of multiple adtech companies. Sirdata explains it very well:
The APD therefore confirms that the choice – the TC String – in itself does not directly identify people or devices but, once the choice is stored on the user's device, a CMP has the possibility of assigning a unique identifier to this TC String, that is to say the IP address of the device on which it is stored. The possibility of combining the TC String and the IP address implies that it is information about an identifiable user.
The APD thus distinguishes 2 types of processing:
- Capturing and disseminating the consent signal and objections to the legitimate interest of users (via the TC String character string).
- The capture, dissemination and processing of personal data by adtech companies.
With regard to the lawfulness and fairness of the processing, the Litigation Chamber distinguishes between two processing activities: on the one hand, the actual entry of the consent signal, objections and user preferences in the TC String by the CMPs (a), and, on the other hand, the collection and dissemination of users' personal data by the participating organizations (b). (403)
Another important point, the APD considers that the CMPs are indeed joint controllers for these two types of processing:
This leads the Litigation Chamber to conclude that the defendant together with the participating CMPs, publishers and adtech providers must be considered joint controllers with regard to the collection and dissemination of users' preferences, objections and consent, as well as the further processing of their personal data. (402)
On the CMP Sirdata, what legal basis for the capture and dissemination of the TC String signal?
Let’s start with a clarification from Benoit:
When Sirdata acts as a CMP, it captures the TC String and sends it to its database for storing proof of consent and its validity. It does not send it to anyone else, and only these processing operations are based on legal obligation. The CMP does not transmit the string to Third Party Vendors: Vendors can actively access it via an API exposed on the page but the CMP does not "disseminate" it.
Even if the Sirdata CMP does not "disseminate" the TC String itself, exposing the character string via an API effectively enables its subsequent dissemination.
For the first type of processing (capturing and exposing the consent signal and objections to the legitimate interest of users), Sirdata as CMP has not indicated which legal basis it relies on. Indeed, before the APD decision, IAB Europe considered that the TC String was not personal data. However, we saw above that the TC String is indeed personal data, and also that the CMPs are joint controllers of the processing.
Therefore, CMPs must declare a legal basis for this processing of personal data. If we study Sirdata:
- Consent is currently not a valid legal basis. Sirdata stores the TC String in local storage as soon as the consent banner is displayed, and therefore does not ask the user for their opinion. After refusal of consent, the TC String is stored in the cookie euconsent-v2.
- Legitimate interest is currently not valid either according to the DPA, because the user has no way of objecting to the storage of this personal data: "In this regard, the Litigation Chamber finds it remarkable that no option is offered to users to completely oppose the processing of their preferences within the framework of the TCF. Whatever their choice, the CMP will generate a TC String before linking it to the user's unique User ID, via a cookie euconsent-v2 placed on the device of the person concerned." (421). The APD notes that this processing would not pass the “balancing” test given the considerable number of adtech companies recovering this data, and the little control given to the user (423).
[Image: before any interaction with the Sirdata consent banner, the TC String is stored under the key sddan:cmp in my browser's local storage.]
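To make the observation above reproducible, here is an added example, written for this article and not Sirdata's or IAB Europe's code. It decodes the Core segment of a TCF v2 TC String, following the field order of IAB Europe's public TC String specification, and audits a storage snapshot taken before any click on the banner: it looks for the TC String under the localStorage key sddan:cmp and in the euconsent-v2 cookie (names taken from this article; it assumes the stored value is the raw TC String), then reports which purpose consent bits, legitimate-interest bits and vendor consents are already set. The sample TC String, the CMP id 123 and the timestamps are constructed inside the script, not captured from Psychologies.com.

```javascript
'use strict';
// Added example, not Sirdata's or IAB Europe's code. Decodes the Core segment of a
// TCF v2 TC String (field order per IAB Europe's public TC String spec) and audits a
// storage snapshot captured before the user touched the consent banner. Storage names
// come from the article: localStorage key "sddan:cmp" and cookie "euconsent-v2"
// (assumption: the stored value is the raw TC String).

const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
const bin = (value, width) => value.toString(2).padStart(width, '0');

// Sequential bit reader over one base64url segment (6 bits per character).
class BitReader {
  constructor(segment) {
    this.bits = [...segment].map((ch) => {
      const v = B64URL.indexOf(ch);
      if (v < 0) throw new Error(`invalid base64url character: ${ch}`);
      return bin(v, 6);
    }).join('');
    this.pos = 0;
  }
  int(n) { const v = parseInt(this.bits.slice(this.pos, this.pos + n), 2); this.pos += n; return v; }
  // Bitfield of width n -> sorted 1-based ids whose bit is set (TCF purpose/vendor numbering).
  ids(n) {
    const out = [];
    for (let i = 0; i < n; i++) if (this.bits[this.pos + i] === '1') out.push(i + 1);
    this.pos += n;
    return out;
  }
  // Two 6-bit letters (A=0 .. Z=25), used for the language and publisher country codes.
  letters() { return String.fromCharCode(65 + this.int(6), 65 + this.int(6)); }
}

// Decode the Core segment (everything before the first '.') of a TC String.
function decodeCoreTcString(tcString) {
  const r = new BitReader(tcString.split('.')[0]);
  const tc = { version: r.int(6) };
  if (tc.version !== 2) throw new Error(`unsupported TC String version ${tc.version}`);
  tc.created = r.int(36);                    // deciseconds since the Unix epoch
  tc.lastUpdated = r.int(36);
  tc.cmpId = r.int(12);
  tc.cmpVersion = r.int(12);
  tc.consentScreen = r.int(6);
  tc.consentLanguage = r.letters();
  tc.vendorListVersion = r.int(12);
  tc.policyVersion = r.int(6);
  tc.isServiceSpecific = r.int(1) === 1;
  tc.useNonStandardStacks = r.int(1) === 1;
  tc.specialFeatureOptIns = r.ids(12);
  tc.purposeConsents = r.ids(24);            // purposes the user consented to
  tc.purposeLegitimateInterests = r.ids(24); // purposes with LI transparency, not objected to
  tc.purposeOneTreatment = r.int(1) === 1;
  tc.publisherCC = r.letters();
  const maxVendorId = r.int(16);
  if (r.int(1) === 0) {                      // vendor consents as a plain bitfield
    tc.vendorConsents = r.ids(maxVendorId);
  } else {                                   // vendor consents as ranges
    tc.vendorConsents = [];
    const entries = r.int(12);
    for (let i = 0; i < entries; i++) {
      const isRange = r.int(1) === 1;
      const start = r.int(16);
      const end = isRange ? r.int(16) : start;
      for (let id = start; id <= end; id++) tc.vendorConsents.push(id);
    }
  }
  return tc;
}

// Encode a Core segment for constructed test data (constructed CMP id 123, language/country 'FR').
function buildCoreTcString({ created, purposeConsents, purposeLegitimateInterests, vendorConsents, rangeEncoded = false }) {
  const bitfield = (ids, width) => Array.from({ length: width }, (_, i) => (ids.includes(i + 1) ? '1' : '0')).join('');
  const letters = (cc) => [...cc].map((c) => bin(c.charCodeAt(0) - 65, 6)).join('');
  const sorted = [...vendorConsents].sort((a, b) => a - b);
  const maxVendorId = sorted.length ? sorted[sorted.length - 1] : 0;
  const ranges = [];                         // consecutive ids collapsed into [start, end] pairs
  for (const id of sorted) {
    const last = ranges[ranges.length - 1];
    if (last && id === last[1] + 1) last[1] = id; else ranges.push([id, id]);
  }
  const vendorSection = rangeEncoded
    ? '1' + bin(ranges.length, 12) + ranges.map(([s, e]) => (s === e ? '0' + bin(s, 16) : '1' + bin(s, 16) + bin(e, 16))).join('')
    : '0' + bitfield(vendorConsents, maxVendorId);
  const bits = bin(2, 6) + bin(created, 36) + bin(created, 36) + bin(123, 12) + bin(1, 12) + bin(0, 6) +
    letters('FR') + bin(120, 12) + bin(2, 6) + '1' + '0' + bitfield([], 12) +
    bitfield(purposeConsents, 24) + bitfield(purposeLegitimateInterests, 24) + '0' + letters('FR') +
    bin(maxVendorId, 16) + vendorSection;
  const padded = bits + '0'.repeat((6 - (bits.length % 6)) % 6);
  let out = '';
  for (let i = 0; i < padded.length; i += 6) out += B64URL[parseInt(padded.slice(i, i + 6), 2)];
  return out;
}

// Audit a snapshot { localStorage: {...}, cookie: document.cookie string } taken before any click.
function auditBeforeInteraction(snapshot) {
  const cookies = {};
  for (const part of snapshot.cookie.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) cookies[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  const fromStorage = snapshot.localStorage['sddan:cmp'];
  const tcString = fromStorage || cookies['euconsent-v2'];
  if (!tcString) return { tcStringPresent: false };
  const tc = decodeCoreTcString(tcString);
  return {
    tcStringPresent: true,
    source: fromStorage ? 'localStorage:sddan:cmp' : 'cookie:euconsent-v2',
    purposeConsents: tc.purposeConsents,
    purposeLegitimateInterests: tc.purposeLegitimateInterests,
    vendorConsents: tc.vendorConsents,
    // A TC String written before any click cannot encode a choice the user actually made.
    generatedWithoutChoice: tc.purposeConsents.length === 0 && tc.vendorConsents.length === 0,
  };
}

// Constructed sample: no consent, LI transparency for purposes 2 and 7-10, no vendor consent.
const SAMPLE_TC_STRING = buildCoreTcString({
  created: 16443000000, purposeConsents: [], purposeLegitimateInterests: [2, 7, 8, 9, 10], vendorConsents: [],
});
const SAMPLE_SNAPSHOT = { localStorage: { 'sddan:cmp': SAMPLE_TC_STRING }, cookie: 'euconsent-v2=' + SAMPLE_TC_STRING + '; other=1' };
console.log(JSON.stringify(auditBeforeInteraction(SAMPLE_SNAPSHOT), null, 2));
```

In a real audit, the snapshot would be built from `window.localStorage` and `document.cookie` in the browser's console before touching the banner; a report with `generatedWithoutChoice: true` is exactly the situation described above, a TC String that exists before the user has expressed anything.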
According to the APD decision, the Sirdata CMP does not appear to have a legal basis for capturing and exposing the consent signal and objections to the legitimate interest of users. But after discussions with Benoit, I understand that Sirdata actually relies on another legal basis for the capture and exposure of the TC String signal: legal obligation.
Legal obligation as a legal basis for processing?
The information that the Sirdata CMP relies on legal obligation as the processing basis for the capture and exposure of the TC String signal is absent from the Sirdata consent banner and is not mentioned in the Sirdata article reviewing the APD decision. However, it is stated in the terms of use (CGU) of the Sirdata CMP:
9.5. The TC String and strictly necessary data, such as the date of the last prompt used to limit subsequent prompts, will be stored on the user's device, in local storage, in a cookie named euconsent-v2 which can be used as a first party cookie or a third party cookie linked to the domain name consentframework.com. The Parties agree that, in accordance with CNIL Deliberation n°2020-092 of September 17, 2020 adopting a recommendation proposing practical modalities of compliance in the event of recourse to "cookies and other tracers", the storage of or access to this data in the terminal is not subject to prior consent, and if the TC String and the necessary data are considered personal data, the processing will be carried out by Sirdata as a data processor acting on behalf of You, data controller on the basis of the legal obligation under GDPR.
According to the APD, Sirdata is not a mere processor but rather a joint controller. That said, this does not affect the legal basis invoked by Sirdata, legal obligation. Sirdata's argument for relying on legal obligation is as follows: the publisher and its partners must legally be able to prove consent, remember a refusal or withdrawal of consent, and remember an objection so as not to "harass" the user.
It is a shame that IAB Europe and the APD did not discuss this legal basis for processing; we are missing a legal decision to know whether it really holds.
Sirdata invokes CNIL deliberation n°2020-092 of September 17, 2020 (practical arrangements for compliance in the event of use of “cookies and other tracers”), but this only proposes a name for the tracker storing users' choices:
- Finally, the Commission encourages professionals to name the tracker allowing users' choices to be stored eu-consent, by attaching to each purpose a Boolean value “true” or “false” memorizing the choices made.
Deliberation No. 2020-091 of September 17, 2020 (“cookies and other tracers” guidelines) concerns the exemption from consent concerning the choice expressed by users on the deposit of trackers:
- In view of the practices brought to its attention, the Commission considers that the following tracers may, in particular, be considered exempt:
- trackers retaining the choice expressed by users on the deposit of tracers
- [...]
But the CNIL does not speak of a legal basis for processing under the GDPR, let alone of legal obligation as a legal basis. A careful reading of the CNIL text on legal obligation raises further questions:
- The legal obligation must be provided for in the national or European legal framework. What legal text can Sirdata then rely on?
- The controller wishing to rely on this legal basis must not have the choice of whether or not to comply with the obligation (necessity).
- In particular, the organization must ensure that there is no less intrusive means of achieving this objective.
However, Sirdata could very well add an opt-in parameter to the calls to its CMP: if the call is made with https://sirdata...?opt-in=0, then no TC String is created, and therefore no call is made to adtech partners. The legal obligation therefore does not seem necessary.
The Sirdata CMP could rely on legitimate interest as a legal basis for processing the TC String (via the opt-in parameter, the user could object to the storage of the TC String). It would still be necessary to pass the balancing test given the considerable number of partners recovering this data (423). Here, Sirdata will argue that by limiting the number of partners in its cooperative to a maximum of 200, the APD's judgment does not apply.
For the advertising partner Sirdata, what legal basis for the capture and dissemination of the TC String signal?
Remember, Sirdata operates as a CMP, but it also operates as a provider of contextual and behavioral data. In this role, Sirdata captures and disseminates the TC String. Let’s take a look at Benoit’s explanations:
When Sirdata acts as a consent-based Vendor (“Sirdata” Vendor), we may capture and transfer the TC String and other personal data on the basis of consent and we check whether the entity to whom we are about to send it has the right to receive it. When Sirdata acts as a Vendor relying on legitimate interest ("Sirdata cookieless" Vendor), we may capture and transfer the TC String and other personal data on the basis of legitimate interest and we do not pass this data on.
For the future, and precisely because of the APD decision, we are going to change the legal basis for processing the TC String as a Vendor, in order to be able to transmit a withdrawal of consent: we will soon rely only on legitimate interest (but only for the TC String used in this context).
The same comment seems to apply here: it will be necessary to pass the balancing test given the considerable number of partners recovering this data (423). Sirdata will probably be able to argue that when it acts as an advertising partner ("Vendor"), it transmits the TC String to a limited number of partners.
We have previously studied the potential legal bases for the first type of processing identified by the APD: the capture and dissemination of the consent signal and objections to the legitimate interest of users (on the Sirdata CMP side, but also on the Sirdata "Vendor" side). Let's now move on to the second type of processing: the capture, dissemination and processing of personal data by adtech companies.
Legitimate interest as a legal basis for the capture, dissemination and processing of personal data by adtech companies?
As a reminder, here we are no longer talking about capture or dissemination of the TC String but many different advertising processing operations carried out with your personal data:
[Image: the purposes as defined in v2 of the TCF. Note the exception of the purpose “Store and/or access information on a device”, which can only be based on your consent.]
Let's study the APD's decision concerning legitimate interest for advertising processing within the framework of the TCF. These processing operations include targeted advertising, but not only. The use of legitimate interest as a legal basis for processing is subject to 3 conditions:
- It must be "legitimate": the APD has no opinion on whether the economic interest of an adtech player in carrying out advertising processing is legitimate. But this condition is already not met because the APD considers that advertising processing is not described specifically enough within the framework of the TCF (452).
- It must satisfy the “necessity” condition: the APD considers that this condition is not met because within the framework of RTB (Real-Time Bidding), there is no protection against the dissemination of personal information (456).
- It must not harm the rights and interests of the people whose data is processed: according to the APD, the large number of advertising players is problematic, as is the large amount of information transmitted as part of an advertising auction. The APD also cites the EDPB (the European Data Protection Board) and the ICO (the UK ICO), both judging that legitimate interest is not a valid legal basis for processing for targeted advertising, particularly within the framework of the RTB (460).
Let's read for example the opinion of the EDPB:
Consent should be required, for example, for tracking and profiling for the purposes of direct marketing, behavioral advertising, data brokering, location-based advertising or tracking-based digital market research.
And here is the decision of the APD:
In light of the above-mentioned considerations, the Litigation Chamber considers that the legitimate interest of the participating organizations cannot be considered as an adequate legal basis for processing activities carried out according to the OpenRTB protocol, in accordance with user preferences and choices entered under the TCF.
Sirdata's analysis now: this judgment does not apply to TCF as a whole, but only to processing operations linked to RTB. For example, this does not concern the profiling carried out by Sirdata via its "Cookieless" offer, which takes place upstream of RTB exchanges, and does not result in the sharing of identifiers and audience segments with advertising partners. And therefore CMP Sirdata can continue to offer its partners legitimate interest as a legal basis for processing.
We can note here that without even talking about RTB, legitimate interest already does not pass the legitimacy test. To learn more, you can read the paper by Célestin Matte, Cristiana Santos and Nataliia Bielova, "Purposes in IAB Europe's TCF: which legal basis and how are they used by advertisers?". This studies each purpose, independently of any processing linked to RTB, but the conclusion remains the same for legitimate interest, this legal basis does not hold:
[Image: table from the paper. The new version of the TCF better details the purposes, but legitimate interest would still not be valid.]
Even though this paper is very solid, Sirdata will be able to argue that a legal decision on the validity of legitimate interest via the TCF, outside the OpenRTB protocol, is missing. The TCF is certainly linked to the OpenRTB protocol, as the APD notes:
The Litigation Chamber notes that the defendant's argument cannot be followed, given that the defendant indicates several times in its conclusions that the raison d'être of the TCF is precisely to bring the processing of personal data based on the OpenRTB protocol, among others, into compliance with the applicable regulations, including the GDPR and the ePrivacy directive. Although the Litigation Chamber understands that the TCF can also be used by publishers for other applications, in collaboration or not with the CMPs, it is also certain that the TCF was never designed to be an autonomous and independent ecosystem. (368)
But the TCF is also used outside OpenRTB, and Sirdata can invoke this to keep "legitimate interest" as a legal basis in its CMP, with its own offer as the example: in the absence of consent, legitimate interest is used for targeted advertising based on the IP address, which technically happens outside RTB (upstream of it).
Consent as a legal basis for the capture, dissemination and processing of personal data by adtech companies?
We have seen above that legitimate interest is not a valid legal basis for the processing of personal data in OpenRTB as facilitated by the TCF, in particular for processing related to targeted advertising. The APD also details why consent, as collected under the TCF, is not a valid legal basis either.
Sirdata's argument for escaping this decision, for legitimate interest as for consent, is then as follows: within its cooperative, the Sirdata CMP goes further than a minimal implementation of the TCF, in particular through better prioritization of the information displayed, fuller information and, above all, a cap on the number of partners.
Sirdata is, however, perfectly aware that the TCF was never intended to guarantee compliance with the GDPR on its own. Sirdata CMP therefore implements this standard like others, and also provides additional measures and specific rules allowing compliance with local and regional regulations well beyond what the TCF requires.
It should be stressed that the absence of a legal basis is far from the only GDPR violation identified by the APD, and that addressing one of the problems better is not enough to be compliant.
To which Sirdata responds that it is not necessarily compliant, but that a fresh analysis by a data protection authority would be needed to determine validity, which is assessed case by case. It can cite in particular this passage of the APD decision:
It should also be noted that CMPs have a lot of discretion when it comes to the interface they provide to users. Indeed, the TCF Policies only impose minimum interface requirements on participating CMPs, with the consequence that in practice, interfaces and respect for the principles of fairness and transparency can vary considerably depending on the CMP with which website and application publishers collaborate. (381)
This passage of the APD's analysis actually serves to establish the joint responsibility of CMPs for the purposes and means of processing personal data, not to open the door to case-by-case exemptions. Let us instead look at some of the "additional measures" and "specific rules" put forward by Sirdata.
Group purposes together so as not to be affected by the APD decision?
For the APD, consent is not a valid legal basis:
Consent is not a valid basis for processing operations in the OpenRTB as facilitated by the TCF. (428) The Litigation Chamber considers that the consent collected by the CMPs and publishers in the current version of the TCF is insufficiently free, specific, informed and unambiguous. (432)
The APD notes in particular that the proposed processing purposes are not described sufficiently clearly, and in certain cases, are even misleading:
For example, the Litigation Chamber notes that purposes 8 (“Measure content performance”) and 9 (“Apply market research to generate audience insights”) provide little or no indication on the scope of the processing, the nature of the personal data processed, or the duration of retention of the personal data collected until the user withdraws their consent. (433)
To which Sirdata indicates that it has already responded, notably by grouping these two purposes under the heading "Audience measurement":
![]()
Sirdata specifies on its blog:
To allow informed consent, at the second level the "purposes" of the TCF are grouped under the umbrella purposes defined by the CNIL in its tracker recommendation of September 17, 2021, such as "targeted advertising" or "audience measurement".
Except that these advertising purposes are in reality very different from measuring a site's audience and traffic as done by a tool such as Google Analytics, AT Internet or Matomo. They generally correspond to processing carried out by panel and market analysis tools such as Nielsen or Comscore. Through this grouping, Sirdata therefore muddles purposes that the CNIL had already defined.
Different ways of accessing partners' privacy pages to avoid being affected by the APD decision?
Another point on which Sirdata claims to go "further than the TCF", and thus escape the APD decision, is access to information on the specific processing operations of each adtech vendor. Here is the relevant passage from the APD decision:
Additionally, the information CMPs provide to users remains too general to reflect the specific processing operations of each adtech provider, preventing the necessary granularity of consent. (436)
So what does Sirdata do? Here is what it says:
The mandatory information within the framework of the TCF is in fact an insufficient raw common base: Sirdata and its clients go well beyond.
In addition to reflecting the mandatory information in the TCF, the Sirdata CMP UI provides additional insight into the data processed and the purpose of this processing, and prioritizes the information for easier understanding and user control.
Part of the information is available at the first level, another, such as the list of recipients, is easily available at the second level, and access to additional information such as the conditions for exercising rights is accessible via links to the Privacy pages.
In practice, when you expand a purpose in the consent banner, you can display the list of partners, and clicking on one of them gives a link to its privacy policy:
![]()
The “Sirdata Cookieless” partner, which uses legitimate interest to create a personalized advertising profile.
Note that this link to the privacy policy is already required by the IAB TCF:
When making use of a so-called layered approach, a secondary layer must be provided that allows the user to: review the list of named Vendors, their Purposes, Special Purposes, Features, Special Features, associated Legal Bases, and a link to each Vendor’s privacy policy.
But Sirdata indicates that it goes further than certain CMPs, which do not offer the ability to list partners for a given purpose. The difference can be seen on the L'Express website, which uses Didomi's CMP:
![]()
I cannot expand "Legitimate interest"; I cannot see that Sirdata relies on this legal basis to "Create a personalized advertising profile".
But "View partners" lets you list the different partners and gives a link to each partner's privacy policy:
![]()
To “Create a personalized advertising profile” on L’Express with Didomi’s CMP, Sirdata also relies on legitimate interest, via the famous partner “Sirdata Cookieless”.
For Sirdata, the "better" prioritization of information in its CMP does not necessarily make it lawful, but a new APD decision would be required to judge its legality.
Limit the number of partners so as not to be affected by the APD decision?
Sirdata's main argument is that the APD decision would not apply to it, because it requires its customers to choose their partners, with a cap of 200 partners within its cooperative (outside the cooperative, there is no limit).
As part of the cooperative of choice that it manages, Sirdata even goes so far as to impose a ceiling of 200 partners, very far from the 2000 potential partners of the TCF and the consent network managed by Google in addition — “AC Mode” —.
Such safeguards make it possible to avoid large-scale processing of user preferences — collected under the TCF — within the framework of the OpenRTB protocol: according to the APD, the interests of the persons concerned only prevail over the legitimate interest of the organizations participating in the TCF when the latter are all selected.
But nowhere does the APD decision say that the organizations' legitimate interest would prevail over the interests of data subjects when not all the organizations are selected. Sirdata nevertheless claims to rely on this extract:
Although the TCF Policies prohibit CMPs from granting preference to certain adtech suppliers on the Global Vendors List, and that they are therefore in principle required to present to users all the suppliers registered with the TCF, unless otherwise instructed by publishers, some authors note that a number of CMPs do not respect this requirement. Either because the CMPs impose pre-selected suppliers on publishers, or because they refuse them the possibility of deviating from the complete list of adtech suppliers, offered by default. (380)
This passage serves to explain why CMPs must be considered joint controllers, not to point out a problem with the number of partners. Moreover, IAB Europe does not require the complete list to be presented; it only prohibits discriminating against a particular partner:
In any interaction with the Framework, a CMP may not exclude, discriminate against, or give preferential treatment to a Vendor except pursuant to explicit instructions from the Publisher involved in that interaction and in accordance with the Specifications and the Policies.
Sirdata's reasoning is as follows:
- Under the TCF, we are required to present all suppliers by default (this is not an "obligation", as the IAB Europe document shows).
- This presentation is not valid according to the APD (Sirdata interprets the "in principle" of the APD as an obligation).
- We do not respect this "obligation" of the TCF, because we require customers to choose their partners (200 at most, on pain of exclusion from the cooperative; around thirty by default).
- And so the APD decision does not concern us.
But Sirdata does in fact comply with IAB Europe's policy, since it does not discriminate against any particular partner, so the chain of reasoning collapses. There is nevertheless another argument in the APD decision that relates to the number of partners:
In particular, the recipients for whom consent is collected are so numerous that users would need a disproportionate amount of time to read this information, meaning that their consent can rarely be sufficiently informed. (435)
For Sirdata, imposing partner selection (with a ceiling of 200 partners) does not necessarily make its CMP lawful, but another assessment by a regulatory authority would be required.
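The two checks discussed above, listing which partners a CMP exposes for a given purpose and under which legal basis (consent or legitimate interest, each with its privacy-policy link), and verifying a publisher's selection against a partner cap, can be run directly against IAB Europe's published Global Vendor List (GVL). The following Python script is an added example and is not code from the article, from Sirdata or from IAB Europe. It assumes the public GVL v2 JSON layout (a `vendors` object keyed by vendor id, each entry carrying `purposes`, `legIntPurposes` and `policyUrl` fields) and the TCF v2 purpose numbering; the embedded list is a constructed sample with made-up vendors and ids, not real GVL entries.

```python
"""Audit a TCF Global Vendor List (GVL): which vendors rely on which legal basis
for a purpose, and how many vendors a CMP actually exposes.

Added example, not code from the article, Sirdata or IAB Europe. Assumes the
public GVL v2 JSON layout; SAMPLE_GVL below is constructed, not real data.
"""
import json

# TCF v2 purpose numbering (purposes 8 and 9 are the ones quoted from the APD).
PURPOSE_NAMES = {
    1: "Store and/or access information on a device",
    2: "Select basic ads",
    3: "Create a personalised ads profile",
    4: "Select personalised ads",
    5: "Create a personalised content profile",
    6: "Select personalised content",
    7: "Measure ad performance",
    8: "Measure content performance",
    9: "Apply market research to generate audience insights",
    10: "Develop and improve products",
}

# Constructed GVL excerpt: made-up vendors, ids and URLs, in the real file's shape.
SAMPLE_GVL = json.loads("""
{
  "gvlSpecificationVersion": 2,
  "vendorListVersion": 1,
  "vendors": {
    "1": {"id": 1, "name": "Vendor A (constructed)", "purposes": [1, 2, 3, 4],
          "legIntPurposes": [7, 10], "flexiblePurposes": [],
          "policyUrl": "https://vendor-a.example/privacy"},
    "2": {"id": 2, "name": "Vendor B (constructed)", "purposes": [1],
          "legIntPurposes": [3, 4], "flexiblePurposes": [],
          "policyUrl": "https://vendor-b.example/privacy"},
    "3": {"id": 3, "name": "Vendor C (constructed)", "purposes": [1, 8, 9],
          "legIntPurposes": [], "flexiblePurposes": [],
          "policyUrl": "https://vendor-c.example/privacy"},
    "4": {"id": 4, "name": "Vendor D (constructed)", "purposes": [1, 2],
          "legIntPurposes": [3], "flexiblePurposes": [3],
          "policyUrl": "https://vendor-d.example/privacy"}
  }
}
""")


def vendors_for_purpose(gvl, purpose_id, vendor_ids=None):
    """Split the vendors declaring `purpose_id` by legal basis.

    Returns {"consent": [...], "legitimate_interest": [...]}, each a sorted list
    of (id, name, policyUrl). `vendor_ids` restricts the audit to the subset a
    publisher/CMP actually exposes; None means the whole list (the TCF default).
    """
    consent, li = [], []
    for vid_str, vendor in gvl["vendors"].items():
        vid = int(vid_str)
        if vendor_ids is not None and vid not in vendor_ids:
            continue
        entry = (vid, vendor["name"], vendor.get("policyUrl", ""))
        if purpose_id in vendor.get("purposes", []):
            consent.append(entry)
        if purpose_id in vendor.get("legIntPurposes", []):
            li.append(entry)
    return {"consent": sorted(consent), "legitimate_interest": sorted(li)}


def legal_basis_summary(gvl, vendor_ids=None):
    """Per purpose id: (vendors relying on consent, vendors relying on LI)."""
    summary = {}
    for pid in PURPOSE_NAMES:
        split = vendors_for_purpose(gvl, pid, vendor_ids)
        summary[pid] = (len(split["consent"]), len(split["legitimate_interest"]))
    return summary


def check_partner_cap(gvl, vendor_ids, cap=200):
    """Check an exposed-vendor selection against a cap (200 is the figure Sirdata
    quotes for its cooperative). Returns (within_cap, exposed_count, unknown_ids);
    ids absent from the GVL are reported rather than silently counted.
    """
    known = {int(k) for k in gvl["vendors"]}
    selected = set(vendor_ids) if vendor_ids is not None else known
    unknown = sorted(selected - known)
    exposed = len(selected & known)
    return exposed <= cap, exposed, unknown


if __name__ == "__main__":
    # Constructed publisher selection: only two of the four sample vendors.
    selection = [1, 3]
    print("Purpose 3 on the full list:", vendors_for_purpose(SAMPLE_GVL, 3))
    print("Purpose 3 on the selection:", vendors_for_purpose(SAMPLE_GVL, 3, selection))
    print("Cap check:", check_partner_cap(SAMPLE_GVL, selection, cap=200))
    for pid, (c, li) in legal_basis_summary(SAMPLE_GVL).items():
        print(f"P{pid:<2} consent={c} LI={li}  {PURPOSE_NAMES[pid]}")
```

To run it against the real list, replace `SAMPLE_GVL` with the parsed `vendor-list.json` published by IAB Europe. The set of vendor ids a given CMP actually exposes can be read in the browser from the TCF v2 API (`__tcfapi('getTCData', 2, callback)`, keys of `tcData.vendor.consents` and `tcData.vendor.legitimateInterests`), which makes it possible to verify a "200 partners" claim rather than take it on trust, and to see which of those partners claim legitimate interest for purpose 3.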
The illegality of IAB consent banners does not only concern the legal basis of processing
This article has only scratched the surface of the problems posed by IAB consent banners. Sirdata maintains that going "further" than a "minimal" implementation of the TCF lets its customers continue "business as usual" with its CMP. But the illegality of the TCF is systemic, and continuing to rely on it is legally risky. Nor will it be easy to evolve the TCF into something lawful: the very mechanism of RTB appears irreconcilable with the GDPR, particularly as regards the security of personal data.
![]()
Could a few adaptations make the TCF legal?
You can delve deeper into the subject by reading these papers:
- “An Unending Data Breach Immune to Audit? Can the TCF and RTB Be Reconciled with the GDPR?”, by Johnny Ryan and Cristiana Santos.
- “Impossible Asks: Can the Transparency and Consent Framework Ever Authorize Real-Time Bidding After the Belgian DPA Decision?”, by Michael Veale, Midas Nouwens and Cristiana Santos.
And by watching this presentation by Robin Berjon, "Consent of the Governed".
Towards an internet without imposed surveillance, and without consent banner
It is now up to the European data protection authorities to build on this important APD decision to properly sanction the various stakeholders (CMPs, publishers, advertising partners) and put an end to the massive leak of personal data via RTB. A ban on targeted advertising would be welcome, and not only for minors as the DSA proposes. At a minimum, the CNIL could rule more clearly on targeted advertising based on legitimate interest.
More fundamentally, these consent banners should not exist: users should be able to accept or refuse tracking by the advertising industry directly in their browser settings (opt-in), on the model of what Apple already offers with its ATT system. Initiatives such as Global Privacy Control (GPC) or Advanced Data Protection Control (ADPC) therefore deserve to be developed and given legal backing.