Is this the beginning of the end for the hated tracking cookie consent pop-up? A flagship framework used by Google and many other advertisers to collect internet users’ claimed consent for spooky ad targeting appears to violate the European General Data Protection Regulation (GDPR).
A year ago, IAB Europe’s self-proclaimed Transparency and Consent Framework (TCF) was found not to comply with the GDPR’s principles of transparency, fairness and accountability, or with the lawfulness of processing, in a preliminary report by the investigation division of the Belgian data protection authority.
The complaint was then transferred to the DPA’s litigation chamber – and an entire year went by without a decision being made, in keeping with the glacial pace of privacy enforcement against adtech in the region.
But the authority is now in the process of finalizing a draft decision, according to a press release issued today by IAB Europe. And the verdict it’s expecting is that the TCF is in breach of the GDPR.
It will also find that IAB Europe is itself in breach. Oopsy.
The online advertising industry body is seeking to preempt a nuclear finding of non-compliance, writing that the DPA will “apparently identify GDPR breaches by IAB Europe”, and attempting to pass the finding off as “repairable” within six months (though it does not say how) – while simultaneously implying that the finding of violation may not itself be settled, as other EU DPAs have yet to weigh in on the decision as part of the standard GDPR cooperation procedure (which applies to cross-border complaints).
The preemptive statement (and its Friday afternoon timing) looks a lot like IAB Europe trying to both spin and bury bad news, and so calm the nerves of the tracking industry ahead of impending headlines that a flagship tool is illegal – something EU privacy activists have of course been saying for literally years.
In terms of timing, a final verdict on the investigation is likely still months away – and may not come out until 2022. Appeals are also almost inevitable. But the tracking industry’s problems are starting to look, well, thorny enough.
In the short term, the IAB says it expects a draft decision to be shared by Belgium with other EU DPAs within the next two to three weeks – they then have 30 days to examine it and possibly file objections.
If DPAs disagree with the lead authority’s conclusion and fail to come to an agreement among themselves, the European Data Protection Board may need to step in and make a binding decision, as happened in another cross-border case against WhatsApp (which resulted in a fine of $267 million, a larger penalty than that originally proposed by the lead DPA in that case).
This GDPR cooperation mechanism can therefore make the procedures last for several more months.
The plaintiffs against IAB Europe and its TCF, meanwhile, told us they had neither seen nor received details of the DPA’s draft ruling.
It therefore seems rather insignificant that the advertising industry body had knowledge of an incoming decision before the other parties to the complaint.
But one of the plaintiffs, Johnny Ryan of the Irish Council for Civil Liberties, quickly issued his own press release, in which he wrote: “We won. It has been found that the online advertising industry and its professional body, “IAB Europe”, have deprived hundreds of millions of Europeans of their fundamental rights.
“IAB Europe designed the deceptive ‘consent’ pop-ups that appear on almost all European websites and apps (over 80%). This system is known as the “Transparency & Consent Framework” (TCF) of the IAB Europe. These popups claim to give people control over how their data is used by the online advertising industry. But in fact, it doesn’t matter what people click on.”
The impending finding of illegality comes at an interesting time for the tracking-based advertising industry, with action underway in the European Parliament to push for an outright ban on behavioral advertising to be incorporated into incoming pan-European regulations for digital services – in favor of privacy-protecting alternatives such as contextual advertising.
The finding that the flagship tool used by the tracking industry to claim “consent” to behavioral ads does not work legally under EU law will surely amplify calls to clean up by banning the practice entirely.
According to IAB Europe, the Belgian DPA’s draft decision will find that it is a data controller for the TCF’s “TC Strings”, aka “the digital signals created on websites to capture choices of data subjects regarding the processing of their personal data for digital advertising, content and measurement”, as it puts it.
(Or – in Ryan’s words – “the identification code created about a person, based on the apps they use and websites they visit, and what they click on in consent pop-ups”.)
It will also find that IAB Europe is a “joint controller” for the TC Strings used in OpenRTB (Real Time Bidding) – meaning that the industry body will have a series of risky new responsibilities attached to data processing around programmatic behavioral advertising (with abundant legal liability and the risk of hefty fines if it doesn’t meet GDPR requirements such as privacy by design and by default; consent that is specific, informed and freely given; and appropriate security for personal data).
Here’s Ryan again, briefly outlining the side case against RTB:
“For nearly four years, websites and apps plagued Europeans with this ‘consent’ spam. But our evidence shows that IAB Europe knew that conventional tracking-based advertising was “incompatible with consent under GDPR” before launching the consent system.
“This is because the leading tracking-based advertising system called ‘Real-Time Bidding’ (RTB) broadcasts the behavior of internet users and their real locations to thousands of businesses, billions of times a day. RTB is the biggest data breach on record. There is no way to protect the data in this self-service. (We are also arguing against RTB in Hamburg.)
“In a procedure initiated by a group of complainants coordinated by the Irish Civil Liberties Council, the Belgian Data Protection Authority is about to adopt a draft decision according to which IAB Europe’s “consent” pop-up system violates the GDPR, confirming our arguments over several years.”
IAB Europe’s spin in trying to shirk responsibility for protecting people’s data is to try to spread the blame elsewhere – claiming it didn’t see itself as a data controller “based on directives from other DPAs so far”, among other excuses.
“As a result, it naturally failed to fulfill certain obligations incumbent on data controllers under the regulation,” continues IAB Europe – carefully avoiding offering any kind of apology.
(Here is Ryan’s quote: “IAB Europe is jointly responsible and liable with thousands of online advertising companies when personal data is released for free in RTB data. IAB Europe has attempted to deny it.”)
Instead of apologizing, IAB Europe is devoting its energy to suggesting that there will be an easy way to resolve the tracking industry’s legality issue, by writing:. “
Making more soothing noises to the market, it also describes itself as “optimistic” that the TCF can be corrected.
But hey, it would say that, wouldn’t it?
The online advertising industry body has previously denied that there have been any prosecutions against TCF or RTB’s use of people’s data.
So, well, its record here shouldn’t inspire confidence.
“Google and the entire tracking industry rely on IAB Europe’s consent system, which will now be deemed illegal,” Ryan added in a statement. “IAB Europe has created a bogus consent system that spams everyone, every day, and does no more than give thin legal cover to the massive data breach at the heart of online advertising. We hope that the decision of the Belgian Data Protection Authority will finally force the online advertising sector to reform.”
Another plaintiff in the case, Jef Ausloos, postdoctoral researcher in data privacy at the University of Amsterdam, suggests that the IAB Europe statement is an attempt to sow doubt among other EU DPAs – and called its assertion that the identification codes used for targeted advertising are not personal data “grotesque”.
He also described the Belgian finding as “only the very beginning of the process as I see it”, adding: “We have come a long way already but, anyway, it will still take some time”.
At the time of writing, the Belgian DPA had not responded to our request for confirmation of an imminent draft decision.
A spokesperson for IAB Europe said she had “only been informed of the main conclusions of the draft decision”. She did not specify how she obtained the information before the complainants.