Introduction
Legitimate interest is one of the six legal bases for processing personal data. In this sense, Article 6.1.(f) of the General Data Protection Regulations, states:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Legitimate interest differs from other legal bases in that it does not focus on a specific purpose (e.g., fulfilling a contract with the individual, fulfilling a legal obligation, protecting vital interests, or performing a public task), and it does not rely on processing data for which the individual has specifically consented. Legitimate interest is more flexible and, in principle, could apply to any type of processing for any reasonable purpose.
Marfeel Solutions, S.L. (hereinafter “Marfeel” or “the Company”) desires to conduct a Legitimate Interest Assessment Report for the purpose of determining if Marfeel has a legitimate interest to save and communicate to the Vendors the Users’ privacy choices in the form of the “TCF String” on the web pages where the CMP managed by Marfeel Solutions, S.L. is used.
A three-part assessment should be conducted to determine if Marfeel has a legitimate interest, this requires evaluating: Part 1: The purpose of the processing. Part 2: The necessity of the processing. Part 3: The balance of interests.
PART 1: The purpose of the processing.
The International Advertising Bureau (hereinafter “IAB”) is the European-level association for the digital marketing and advertising ecosystem, whose mission is to lead political representation and promote industry collaboration to provide frameworks, standards, and programs that enable companies to thrive in the European market while complying with privacy laws.
This association enacted the Transparency Consent Framework (hereinafter TCF), which establishes a series of mandatory privacy rules for vendors registered with it.
On June 3, 2024, the IAB updated the TCF to align with Court Judgment C‑604/22 (IAB Europe vs APD) of the European Court. This judgment ruled that the TCF String constitutes personal data and therefore those processing this data must have a legitimate basis for doing so. It should be noted that the TCF String is an alphanumeric string that stores the user’s privacy choice made through a Consent Management Platform (CMP).
Marfeel is registered with the IAB under vendor number 270, providing its Consent Management Platform services (CMP) in its Touch business line (programmatic advertising).
For the provision of its CMP services, Marfeel must necessarily retain in its records and communicate the TCF String to various vendors for the following reasons:
i) Ensure and be able to demonstrate that the user has accepted or rejected the processing of their personal data for different purposes and vendors. It is clarified that throughout this report, the term “user” refers to readers or users of the websites where Marfeel’s CMP operates.
ii) Ensure that the user’s privacy choice is respected, and that they do not have to make a choice every time they access a website covered by Marfeel’s CMP.
iii) Facilitate the Company in demonstrating compliance with the principle of proactive responsibility under Article 5(2) of the General Data Protection Regulation.
iv) Assist data protection authorities in conducting their investigations and audits of TCF vendors.
PART 2: The necessity of the processing
Firstly, it is important to analyze whether all the information included in the TCF String is strictly necessary to achieve the processing purposes outlined above. Below is a breakdown of the components of the TCF String:
- General metadata: standard markers indicating details about the implementation of the TCF by the publisher (e.g., CMP ID used, language of user interfaces, use of non-standard texts in interfaces like custom stacks or illustrations), and a daily timestamp of when users have made/updated their choices.
- User consent per purpose and per vendor when consent is the legal basis (“1” signifies user consent and “0” signifies user refusal or withdrawal of consent).
- User right to object per purpose and per vendor when legitimate interest is the legal basis (“1” indicates user was informed and “0” indicates user was not informed or objected to processing).
- Publisher restrictions: specific metadata regarding the publisher’s implementation of the TCF, such as indicating a general prohibition for certain providers pursuing specific data processing purposes.
- Where applicable, user choices for purposes not covered by the TCF or for vendors not participating in the TCF (“1” indicates user agreement and “0” indicates no agreement).
In accordance with paragraphs 416, 417, and 418 of the decision of the Belgian Data Protection Authority dated February 2022, it is noted that:
“The Dispute Chamber notes that the information processed in the TCF String is limited to data that is strictly necessary to achieve the intended purpose. Furthermore, based on the documents in this file and the defenses of the parties, the Dispute Chamber has not been able to establish that the TCF String is kept indefinitely.”
Therefore, it is observed that the processing of the components of the TCF String, and hence the TCF String itself, is strictly necessary to achieve the aforementioned purposes.
Finally, in compliance with the principle of limitation of storage period for personal data, Marfeel clarifies that the TCF String is retained for a period not exceeding 1 year. This period is considered appropriate by Marfeel to reflect the privacy choice made by a user. After this time, the Company proceeds with its deletion and requests the user once again to indicate their acceptance or refusal regarding the processing of their personal data.
PART 3: The balance of interests.
The TCF String is an alphanumeric string that abstractly represents a user’s privacy choice, without directly attributing that choice to a specific user.
Additionally, the combined state of these various privacy choices is not unique, as millions of users visit digital properties on the same day and may express the exact same preferences. Therefore, it cannot be considered that these choices constitute particularly private data, nor are they related to the personal or professional sphere of the individuals concerned.
The TCF String does not involve any special categories of personal data or personal data related to criminal convictions and offenses, nor is it intended to facilitate the processing of special categories of personal data or data related to criminal convictions in any case. The nature of the personal data in question is therefore not sensitive in any way.
The TCF requires vendors to undertake certain actions to ensure transparency, so that users of websites are aware of the data processing activities taking place. For example, vendors must indicate in the second layer whether they process personal data under legitimate interest.
Regardless of the information provided to users, it is reasonable for them to expect the processing of the TCF String, as without this processing, the proper functioning of the CMP would not be possible, users could not express their consent, and vendors could not respect their privacy choices.
As stated in the “Practical guide to carrying out a Legitimate Interest Assessment (LIA) in connection with Special Purpose 3” by the IAB:
The processing of the TCF String significantly ensures that users’ privacy choices can be respected (i.e., granting, refusing, or withdrawing consent and exercising their right to object), and that they do not have to make these decisions again with each subsequent use of the relevant digital property. Therefore, it is evident that stakeholders benefit positively from this processing.
Secondly, it is important to identify the likelihood of any risk that could materialize as a result of the processing, as well as the severity of its consequences. In the context of Special Purpose 3, the TCF String itself does not pose any particular privacy risk to stakeholders, as it simply reflects their privacy choices.
Furthermore, it generally represents a specific data point of the service and is not unique (since it is entirely possible for a multitude of users to make the same decisions on a given day). Consequently, it does not introduce new vectors for cross-site tracking (such as fingerprinting). Therefore, the processing does not entail any high privacy risk for stakeholders; instead, it embodies the principle of data minimization, as confirmed by the APD decision of February 2022.
As has been stated throughout this report, it is not possible to offer an “opt-out” to users because:
i) It is the only way to ensure adequate preservation of users’ privacy choices. Without creating a TCF String, users would have to be asked their privacy choice each time they visit a website;
ii) It allows Marfeel to demonstrate compliance with data protection regulations in accordance with the principle of proactive responsibility; and,
iii) The use of the TCF String does not create privacy risks since its design incorporates the principle of minimization, and it is technically impossible to modify it.
CONCLUSIONS:
Marfeel has a legitimate interest to save and communicate to the Vendors the Users’ privacy choices in the form of the “TCF String” on the web pages where the CMP managed by Marfeel Solutions, S.L. is used.
As stated throughout this report, processing the TCF String is strictly necessary to collect and communicate users’ privacy choices. Without this processing, it would not be possible to respect these choices, causing undue inconvenience to users by having to consent to the use of their personal data each time they visit the same website.
Similarly, processing the TCF String allows for demonstrating compliance with the TCF and acting in accordance with the principle of proactive responsibility, which is an interest of any company to comply with the current legal framework.
Date: June 24, 2024