IAB Europe refutes latest GDPR complaint as 'PR campaign'

IAB Europe has guided the continent through GDPR, yet it faces privacy hurdles of its own

IAB Europe – the body tasked with setting industry-wide privacy standards – has been hit with another complaint alleging it is violating General Data Protection Regulation (GDPR).

Brave Software, the maker of adblocking web browser Brave, has lodged a complaint with the Irish Data Protection Commissioner over IAB Europe's 'cookie wall'.

Brave claims visitors of iabeurope.eu are confronted with a cookie wall that requires them to accept tracking by Google, Facebook and others, which may then monitor them across the internet. Below is what visitors see when they first hit the site.

Brave filed another complaint in February that scrutinised consumer protections afforded by the IAB Tech Lab's OpenRTB system.

IAB Europe called last February's claims false and "intentionally damaging to the digital advertising industry".

Brave's chief policy and industry officer Johnny Ryan formally filed the latest complaint, which directly challenges IAB Europe's approach to consent.

"IAB Europe does not provide information about what data are collected for what purpose, and what legal basis is relied on for that purpose," the complaint reads. "IAB Europe’s policy notice says, 'we may rely on one or more of the following legal bases, depending on the circumstances'.

"It is therefore not possible to for a visitor to the website to know what legal basis is used for what purpose. Nor does IAB Europe provide information about which data are collected for what specific purpose," the complaint reads.

In a statement responding to the claims, IAB Europe said: "It is regrettable that Johnny Ryan’s ongoing PR campaign against the digital advertising industry and in particular his unfounded and inaccurate accusations against IAB Europe are becoming ever more desperate".

"His claims only distract from the work regional and national regulators, alongside not-for-profits such as our own, are doing together to create a more transparent, trusted and safe online experience, for consumers, brands and publishers."

IAB Europe claims Ryan's assertion that the standards group is unlawfuly tracking cookies is not only incorrect, but it is also being leveraged for "his ongoing, more general allegation regarding the guidance we provide to support the entire digital advertising industry".

The complaint also says that IAB Europe has "provided inadequate information about what is being consented to, what data will be processed for which purpose, and how data rights can be exercised".

The issue with the cookie wall, according to the filing, is it does not meet GDPR's requirement of "freely given, specific, informed and unambiguous indication of the data subject’s wishes".

Ryan said: “One should not be forced to accept web-wide profiling by unknown companies as a condition of access to a website. This would be like Facebook preventing you from accessing the Newsfeed until you have clicked a button permitting it to share your data with Cambridge Analytica.”

The complaint goes on to allege that as a leader in privacy discussions, IAB Europe through its actions has told others in the ad world that they can sidestep GDPR and rely instead on the ePrivacy Directive, "which IAB Europe has interpreted as more lax in protecting personal data".

In its defence, IAB Europe has alleged a conflict of interest for Ryan and Brave.

"Their current model blocks ads served transparently by the partners a publisher chooses to monetise their content and instead injects their own ads, coercing a publisher to give up a share of their revenue in the process. As a result, it is in Ryan’s interest to position himself as an arbiter of privacy standards," IAB Europe wrote in a statement.

In response, Ryan said he raised similar concerns over data protection with the IAB in 2017 before joining Brave.

IAB Europe added that the ePrivacy Directive covers consent to use cookies for analytics, advertising and social media sharing buttons.

"It is these uses we ask users’ consent for. Neither the GDPR or ePrivacy Directive prohibit a website operator from making access to their website conditional on consent for cookies and/or any data processing associated with it," said the standards body.

IAB Europe said it will issue a full rebuttal to the accusations "in due course".

Join us, it's free.

Become a member to get access to:

  • Exclusive Content
  • Daily and specialised newsletters
  • Research and analysis

Join us, it’s free.

Want to read this article and others just like it? All you need to do is become a member of The Drum. Basic membership is quick, free and you will be able to receive daily news updates.