I don't have earth-shattering news to bring you this week, which in some ways is disappointing because I'm a Scorpio, and I love the drama. I've come to terms with that. But there are a couple of news stories I think you should pay attention to this week because of the potential long-term implications.
First, the Belgian data protection authority's fine levied at IAB Europe (story below). It was a decision we knew was coming, but now that the DPA says the organization's Transparency and Consent Framework doesn't fly under the GDPR, we can all look toward what has to happen for it to remain a viable framework.
Second, the states are starting to get moving this legislative session, and it's anyone's guess how many make it through.
First, on the IAB Europe decision: It isn't the news that the regulator deemed the TCF illegal that's significant this week. We knew the regulator was planning to come down this way based on news from 2021. The DPA gave the IAB a heads-up that it had concluded its findings and would share them with the other DPAs before its final ruling.
But now we have the DPA on record that:
- IAB Europe failed to establish a legal basis for processing the data in its TCF and offered an insufficient basis for third-party ad tech vendors that were doing the same thing.
- IAB Europe failed to implement organizational and technical measures to keep the data safe.
- IAB Europe failed to keep a register of processing activities.
- IAB Europe failed to appoint a data protection officer.
- IAB Europe failed to conduct a data protection impact assessment.
In this Twitter thread, privacy attorney (and my good friend) Cobun Zweifel-Keegan noted that IAB Europe argued it had a legitimate interest in processing the data, and the DPA didn't necessarily disagree. But the DPA did say that the interests of the data subject are stronger. Remember, under the GDPR, you must balance your interests against the individual's. If they wouldn't "reasonably expect" the processing, their interests override the company's interests. In this case, the users can't consent to the cookies deployed under the TCF because they aren't aware it's happening.
"Why do data subjects' interests outweigh IAB Europe's legitimate interest here? A few connected reasons: (1) users don't expect the processing and can't reject it (they can't opt-out entirely from the use of the choice mechanism...)"
— Cobun Zweifel-Keegan (@cobun), February 2, 2022
The question is: What does that mean for the future of the TCF? Companies relying on it for consent wanna know! The good news: The DPA has also ordered IAB Europe to present an action plan that would bring its framework into compliance within two months.
For those of you using TCF: IAB Europe responded to the DPA's findings that the decision "contains no prohibition of the TCF," and rejected part of the DPA's findings. While it will work on a remediation plan, it will also challenge part of the decision. So it could be some time before this fine and agreement are finalized.
Second, if you're watching Twitter, states have started to push forward with privacy legislation now that many of their legislative sessions have resumed. Just this week, there was movement on bills in Washington, Massachusetts and Illinois.
I'll keep you posted when something is close enough to pass that you need to start looking at what you need to do to comply. But for now, know that there are wagers being made that we'll see anywhere from 1-5 new state laws in 2022.
In the meantime, enjoy this round-up of the big privacy news, and I'll see you next week!
This week's big privacy news
Belgian DPA fines IAB Europe over its consent framework
Bloomberg reports that the Belgian data protection authority (DPA) has fined IAB Europe 250,000 euros for violating the EU GDPR. The DPA said IAB Europe's Transparency and Consent Framework could "for a large group of citizens, lead to a loss of control over their personal data." Along with the penalty, the DPA ordered IAB Europe to put in place mechanisms to make the TCF comply with EU rules.
UK gov't publishes standard forms to export data from UK to third countries
The U.K. government has finally published the U.K.'s standard form international data transfer agreement, write Laura White and Marcus Evans for Data Protection Report. The standard form agreement allows companies to transfer personal data outside of the U.K. to countries not deemed to have adequate data protection laws. It also published a standard form "international data transfer addendum," which allows companies to use the revised EU Standard Contractual Clauses to export data from the U.K. The documents come into force in March 2022.
Colorado attorney general ready to start making rules under new privacy law
The Colorado Attorney General's Office is set to begin the rulemaking process for the Colorado Privacy Act, Wilson Sonsini reports. The Colorado law doesn't come into effect until July 1, 2023, but the attorney general said he expects to adopt final rules "around a year from now." Under the law, the attorney general is charged with creating rules to operationalize the law for businesses. The attorney general's office will hold discussions with the state's consumers, businesses and other stakeholders in the coming months, ahead of publishing the final rules.
Apple's privacy changes hit Facebook's wallet hard
Last week's earnings report from Meta, also known as Facebook, said the privacy changes Apple implemented in the previous year could cost Meta $10 million in lost sales, reports The New York Times. The news dropped Meta's stock price by 26 percent on Thursday. "And the tech industry received a clear notice that a long-planned shift in how people's information may be used online was having a dramatic impact on Madison Avenue and internet companies that have spent years building businesses around selling ads," the report states.
Pret A Manger settles class-action over fingerprint scanning its workers
Sandwich chain Pret A Manger has agreed to pay more than $677,000 to resolve a class-action lawsuit in Illinois alleging the company collected and stored nearly 800 employees' fingerprints to track their work hours. The suit contends Pret A Manger violated Illinois' Biometric Information Privacy Act of 2008 by failing to obtain written consent from workers before requiring them to use the fingerprint time clock. It also alleges the shop failed to provide workers and the public with notices about why it was collecting the scans and what it would do with the data, SHRM reports.
Leaked draft introduces European Commission's forthcoming 'Data Act'
EURACTIV reports on a leaked European Commission proposal that would create rules around non-personal data for certain manufacturers and digital service providers. The Data Act makes new rules for manufacturers of smart devices and digital service providers and users. The Data Act posits that every user or organization should have access to the data they or it contributed to amassing. It aims to "unleash the potential of data-driven innovation by creating legal obligations for data-sharing when connected devices are starting to be widespread," the report states.