The Drum Awards Festival - Official Deadline

-d -h -min -sec

GDPR IAB Data & Privacy

Do you really have ‘legitimate interest’ to use that data? It’s time for a consent audit

By Mark Andrews

February 23, 2022 | 5 min read

Another day, another GDPR ruling. Mark Andrews, senior consultant at ID Comms, outlines what advertisers can do to reduce risk and maximize the power of data for the future.


Advertisers running paid media activity through digital platforms need to start planning today

The Transparency Consent Framework, which is used by the majority of consent management platforms (CMP) and facilitates the collection and use of data gathered when consumers first visit websites, has been declared as non-compliant across the EU following a ruling by the Belgium data protection authority (DPA)

Its creator, trade body IAB Europe, now has a maximum of six months to upgrade the TCF, which is used by the likes of Google, Microsoft and Amazon, and help ensure that advertisers’ data consent and data usage complies with rules across the EU.

There are two main issues raised by the ruling:

  1. The IAB has been named as a data controller where advertisers use TCF, something it is appealing. If it stands, it would be legally responsible to European courts for all data processed under this joint controllership.

  2. TCF ID Strings can no longer be shared under the legitimate interest section of GDPR – instead, they need consent. A large proportion of the adtech ecosystem currently uses them in this way, without auditing them for use in programmatic.

Both elements of the ruling are a serious blow to the current ecosystem, given that TCF ID strings are the digital signals passed by CMPs or TCF participants to verify that consent has been given.

The fundamental problem identified by the Belgian DPA is that advertisers (and their tech partners) have relied too much on the legitimate interest section of the GDPR rules and have been processing data in a way that consumers wouldn’t necessarily expect.

In essence, this is the information that powers the advertising ecosystem and is used for targeting of media, dynamic messaging, measurement and analytics, to name just four common areas.

In response to the ruling, the IAB is working on an alternative solution (likely to allow for consent auditing in real-time bidding) and will have to present a plan of action within two months. The TCF will probably survive with increased governance requirements, but advertisers need to prepare for a world with more limited data now.

The key issue for marketers is not the technicalities, but how they can mitigate the risks. There will be two key areas where action needs to be taken.

First, for advertisers with brand websites now is the time for a data privacy audit. While the IAB has six months to design an upgraded TCF, that doesn’t mean you shouldn’t engage with IT, web and analytics teams, as well as your tech vendors, now. This will allow you to understand where you are controller and where you are joint controller.

Take steps to understand the data flow through your adtech stack and where your responsibilities to the consumer start and stop. Re-review your data collection and whether you need to rethink collecting some advertising data based on legitimate interest, and instead build in active consent.

Secondly, for advertisers running paid media activity through digital platforms there will be much more to do, but they also need to start planning today.

The ruling is likely to mean that the volume of (compliant) user-level data will be reduced. Many brands have already seen restrictions in data and tracking capabilities hit their ability to target, personalize, manage and measure campaign performance campaigns.

Nevertheless, there are things that you can do, principally testing alternative solutions:

  • For media targeting, you need to actively test methods that do not rely on personal data, such as contextual targeting

  • For content personalization, you need to consider users in groups – not individuals – and understand how content can work for broader segments

  • For campaign management, you need to enhance upfront planning of such dimensions as overlap and frequency, in the absence of real-time data signals

  • For measurement, you need to test the efficacy of probabilistic/modeled methods that don’t rely on individual user-level tracking. Now is the time to prove to the business that these methods can be as good as the current methods.

The direction of travel is clear. Under GDPR and the latest ruling, advertisers and the wider industry will need to increase governance on data collection and use. In short, they need to prepare for a world with increased consent thresholds and potentially less access to data from other sources. By preparing now, media managers can ensure they have alternatives in place and that they know their limitations before they have to use them.

Fail to prepare and not only do brands face hefty fines, but they will have to rush ineffective and untried solutions into their media mix, hitting both effectiveness and efficiency. This is one deadline that you can’t afford to ignore.

GDPR IAB Data & Privacy

More from GDPR

View all


Industry insights

View all
Add your own content +