IAB’s TCF ruled not GDPR compliant! Here’s what to do.

Last week the IAB’s Transparency and Consent Framework (TCF) was ruled non-compliant with the GDPR. If your business relies on the TCF for collecting consent to cookies, you should look for a GDPR compliant Consent Management Platform. Here’s why.

From TCF to a compliant CMP!

The IAB’s Transparency and Consent Framework (TCF) has been ruled non-compliant with the GDPR.

If your business relies on the TCF for collecting consent to cookies, you should look for a GDPR compliant Consent Management Platform. 

Book a meeting with us to learn more about what you can do now to be compliant with the GDPR.

IAB TCF ruled non-compliant with the GDPR

For years the IAB has positioned its Transparency and Consent Framework as a cross-industry best practice for publishers to track and target European internet users while being in compliance with Europe’s strict privacy regulations. 

Last week, the Belgian Data Protection Authority (DSB) declared this framework not to be in compliance with the GDPR!

The decision leaves an entire advertising industry in dire straits as the IAB Europe is given only 6 months to bring the TCF into compliance with European standards for data protection. Data Protection Agencies have already issued instructions that all websites should move away from the TCF.

And the risk is that the Belgian DPA will not halt their enforcement or that the IAB can not make the TCF compliant with the GDPR.  We’re now 4 years into the GDPR and trusting that the IAB can solve the issue within another 6 months might be a bit of a legal gamble. 

We therefore recommend that ad vendors switch from the IAB’s TCF framework to a compliant Consent Management Platform.

What’s the current problem with the TCF?

The crux of the case is actually four-fold.

1) Unlawful data collection

First, it concerns the way the IAB justifies the legal basis for data collection. 

The TCF relies partly on legitimate interest to collect and share internet users’ personal data. 

This is according to the Belgian authorities inadequate and a violation of article 6 of the GDPR. 

Ad vendors’ claim to use legitimate interest cannot be used to collect and process users’ personal information under the GDPR – and consent is not a valid basis for the processing operations in the OpenRTB facilitated by the TCF.

2) Transparency and information about data collection and processing

Second, the information provided to the users is simply too complicated for the users to ever understand. 

Why and what data is being collected and processed by the ad vendors is buried under jargon and pages upon pages of cookie policies. 

Therefore it becomes difficult for the users to gain control over which personal data is being processed and by whom. 

3) TC String and real time bidding

Third, the TCF creates IDs tied to each website user as a string (TC String) with information on whether the user has given consent or not.

The data is passed on to the advertising vendors containing information about the consent, which categories of data collection the user has consented to (statistics, marketing etc.) and which vendors the user has allowed to process data. 


And here comes the tricky part. 

It is the responsibility of the vendors to determine what kind of information they are allowed to use and it is the vendors’ responsibility to comply with this request. 

The TC string is important for the Real Time Bidding system because it passes the consent information along with a range of other data to different ad platforms.

Here, the vendors bid on it in real time to tailor ads to specific users. 

4) Consent Management Platforms relying on TCF

Fourth, some of the most prolific Consent Management Platforms (CMP) in the world rely heavily on IAB’s Transparency and Consent Framework. 

This is a major problem not only for publishers following IAB standards, but also for ordinary businesses believing to be GDPR compliant. 

The Consent Management Platform from Cookie Information does not depend on the IAB Transparency and Consent Framework.  

Therefore we recommend that companies using the TCF – or a CMP that relies on it – to change to Cookie Information’s CMP to become GDPR compliant. 

If you are unsure whether your website is GDPR compliant, get a free compliance check here!

What’s the Transparency & Consent Framework (TCF)?

The Transparency and Consent Framework (TCF) is developed by the IAB to meet the requirements for data processing in the GDPR. 

It’s a set of guidelines that dictates how to collect consent from website visitors and how to share this information with the ad-tech industry. 

The standards are integrated into certified Consent Management Platforms (CMPs), which then display the IAB standards in a specific IAB cookie consent pop-up chosen by the publishers who wish to follow the standards.

The framework is used by publishers and ad agencies that rely on the OpenRTB protocol when doing real time bidding in programmatic advertising. RTB allows advertisers to bid for ad space in order to show ads tailored to internet users visiting specific websites and apps.

How does the TCF works?

When a user visits a website or app for the first time, a consent pop-up usually prompts the user to give or not to give consent to cookies and data collection. 

Under the TCF, the website owner uses a Consent Management Platform to collect the user’s consent for various purposes like statistics, advertising and which vendor can process the user’s data. 

Under the TCF protocol, the user’s consent preferences are embedded into a TC string that shares this information with the ad vendors.

The TCF furthermore places a cookie (euconsent-v2) on the user’s device (computer/phone) and together with the TC string, allows the user’s preferences to be linked to their IP address thereby making it possible to identify the individual user. 

A high number of European publishers and ad vendors rely on the TCF integration in their Consent Management Platform.

And likely, these publishers and vendors must find alternative – and GDPR compliant – ways for collecting consent from their website users. 

This involves choosing a CMP that:

  • Relies on consent instead of legitimate interest for collecting and processing personal information.
  • Offers high transparency in terms of what data is collected; how it is processed; and by whom (third parties). 
  • Enables you – the data controller – to control what data is sent to third parties based on the consent given by the user (as required by the GDPR). 

It is worth noticing that the Belgian Data Protection Authority does not make Consent Management Platforms or cookie consents illegal per se. Only the TCF standards used by some CMP’s.

How can Cookie Information help you?

Cookie Information is a Consent Management Platform not dependent on the TCF. 

We offer consent collection that is transparent and in 100% compliance with the General Data Protection Regulation (GDPR) and the European ePrivacy Directive. 

Using Cookie Information to collect valid consent to cookies and any other tracking technologies gives your business the security in knowing that everything is done by the books and you are in compliance with both national and international privacy laws. 

All your consent records are stored securely within the EU/EEA and we use consent as the lawful basis for data collection (and processing). 

If you use IAB’s Transparency and Consent Framework, don’t hesitate to give us a call. 

We’ll show you how you can bring your business’ website into compliance without waiting for the TCF to be suspended. 

From TCF to a compliant CMP?

The TCF is ruled non-GDPR compliant. 

If your business relies on the TCF, you should look for a GDPR compliant CMP. 

Book a meeting with us to learn more about what you can do to become GDPR compliant.


The best Consent Management Platform for businesses and brands

250,000 websites already trust us with their GDPR compliance