IAB UK FAQs: Understanding what the APD’s TCF ruling means

Earlier this month, the Belgian Data Protection Authority - the APD - published its ruling on IAB Europe and its role in the Transparency & Consent Framework (TCF). It stated that IAB Europe is a data controller of the TC String, which the APD considers to be personal data. The ruling means that IAB Europe is required to prepare and submit to the APD a remediation plan within two months from the date of the ruling. Upon approval by the APD, IAB Europe will then have six months to implement the plan.

IAB Europe has since decided to appeal the ruling to the Belgian Market Court, with CEO Townsend Feehan stating: “We believe the controversial ruling that IAB Europe is a data controller for information processed for TCF purposes is based on a misunderstanding of the facts and a misapplication of the law. This establishes an irrational legal precedent.” Read the full statement. 

To help IAB UK members that use the TCF understand the current situation, we have developed a set of UK-focused FAQs addressing key questions you might have. Please note, this is in addition to FAQs developed by IAB Europe. IAB UK’s FAQs cover questions including:

• Does the ruling only apply to Belgium?
• Does the ruling apply to my organisation that is based in the UK and processes only UK personal data?
• What are the views of the ICO? 
• How does this impact me as an IAB UK member using the TCF?