Is this the end of the awful cookie consent pop-up? Google and a slew of other marketers’ main architecture for obtaining purported agreement from online users for creepy ad targeting appears to be in violation of Europe’s General Data Protection Regulation (GDPR). In a preliminary report issued a year ago, the Belgian data protection authority’s investigatory division found that the IAB Europe’s self-styled Transparency and Consent Framework (TCF) failed to comply with GDPR principles of transparency, fairness, and accountability, as well as the lawfulness of the processing.
The complaint was then sent to the DPA’s litigation chamber, where it sat for a year without a ruling, in keeping with the region’s slow pace of privacy enforcement against adtech. According to a news release issued today by the IAB Europe, the authority is currently in the process of completing a draft judgement. In addition, it expects the TCF to be found in violation of the GDPR. It will also discover that the IAB Europe is in violation of its own rules. Oopsy.
The online advertising industry appears to be moving toward a nuclear probe into non-compliance, with the DPA writing that “the IAB will apparently identify violations of the GDPR by IAB Europe.” In addition, in the next six months, it will try to make the investigation more “stable” (but how can that not be said)? (Which applies to cross-border complaints)?
The preemptive statement (and its Friday afternoon timing) appears to be the IAB Europe’s attempt to both fuzz and bury bad news in order to calm the tracking industry’s nerves ahead of looming headlines that a flagship tool is illegal — something EU privacy campaigners have, of course, been saying for years. In terms of timeliness, a definitive conclusion on the probe is still months away — and might come as late as 2022. Appeals are nearly always necessary. However, the tracking industry’s issues are beginning to become, well, sticky.
In the immediate term, the IAB anticipates Belgium sharing a draft judgement with other EU DPAs in the next two to three weeks, after which they will have 30 days to study it and perhaps register objections. If the DPAs disagree with the lead authority’s findings and are unable to reach an agreement among themselves, the European Data Protection Board may be forced to intervene and make a binding decision, as it did in another cross-border case against WhatsApp (which resulted in a $267 million fine, which was higher than the lead DPA’s initial proposal).
As a result, this GDPR collaboration mechanism can continue to spin procedures for many more months. Meanwhile, complainants against the IAB Europe and its TCF claim they have not seen or been provided specifics of the DPA’s proposed judgement.
Therefore, it appears that the advertising industry association has seen an impending decision before the other parties to the lawsuit. However, one of the complainants, Johnny Ryan of the Irish Council for Civil Liberties, promptly issued his own press release, writing: “We have won.” Hundreds of millions of Europeans have had their fundamental rights violated by the internet advertising business and its trade group, ‘IAB Europe.’
“The deceptive ‘permission’ pop-ups that appear on virtually all (80 %+) European websites and applications were devised by IAB Europe. The ‘Transparency & Consent Framework’ of IAB Europe is the name of this system (TCF). These popups claim to give users control over how the online advertising business uses their data. However, it makes no difference what people click.”
The impending finding of unlawfulness comes at an interesting time for the tracking ad industry, with moves afoot in the European Parliament to include an outright ban on behavioral advertising in upcoming pan-EU regulations for digital services, in favor of privacy-safe alternatives like contextual advertising.
The discovery that the tracking industry’s hallmark tool for claiming “permission” to behavioral advertisements isn’t really working legitimately under EU legislation will undoubtedly fuel calls to clean house by prohibiting the practice outright.
