The pop-up legal forms reportedly used by 80% of Europe’s internet to acquire tracking consent from users have fallen foul of the very GDPR rules they were designed to follow. This means far-reaching implications for advertisers, web users and publishers.
Digital advertising trade association IAB Europe has long guided the industry on the legalities of data capture, tracking and privacy. Many top advertisers use its system, the Transparency & Consent Framework (TCF), to distribute personalized ads to Europeans. Since 2019, it’s been fighting to defend against a complaint issued by the Irish Council for Civil Liberties (ICCL). Former Brave browser policy exec Johnny Ryan spearheaded the case.
A €250,000 sanction has been issued to IAB Europe as well as a series of demands. Advertisers will also have to delete a tonne of data gathered using this solution.
But what happened?
In plain English, the EU and EEA rolled out the General Data Protection Regulation (GRPR) in 2018 to protect the digital privacy of citizens, as the name suggests.
Among other things, this required advertisers to obtain permission to track people across the interest to serve them relevant ads. Almost overnight, legalese-styled pop-ups questioned Europeans on whether they wanted to share their data with hundreds of partners. The complainant called these pop-ups a “plague.” You probably filled out one to read this article.
This TCF has had several iterations since launch. And now there are a few court-ordered amendments to come.
To maximize revenue, websites share browsing data widely. More bidders for any given user’s attention should theoretically drive up prices. Consent pop-ups have been enabling that – although many have been found unfit for purpose. Friction is sometimes baked in to deter users from blocking scores of companies they’ll have never heard of – some of which, admittedly, are vital for paying for much of the web’s content. But that’s not the crux of today’s case.
On Wednesday (February 2), 28 EU data protection authorities, led by the Belgian Data Protection Authority, won a case finding that the TFC consent system fell short in multiple ways. The chamber found: “The approach taken so far does not meet the conditions of transparency and fairness required by the GDPR. Indeed, some of the stated processing purposes are expressed in too generic a manner for data subjects to be adequately informed about the exact scope and nature of the processing of their personal data.”
In short, even when reading the small print, even the most wizened adtech exec would struggle to determine what they are actually consenting to. The ruling also claims that the TCF “in its current set-up does not comply with the obligations arising from the transparency principle, notably Articles 12, 13 and 14 GDPR.”
The complainant, the ICCL, has condensed the shortcomings, although you are welcome to read the full ruling here.
Fails to ensure personal data is kept secure and confidential (Article 5(1)f, and 32 GDPR).
Fails to properly request consent, and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by the online advertising tracking (Article 5(1)a, and Article 6 GDPR).
Fails to provide transparency about what will happen to people’s data (Article 12, 13, and 14 GDPR).
Fails to implement measures to ensure that data processing is performed in accordance with the GDPR (Article 24 GDPR).
Fails to respect the requirement for “data protection by design” (Article 25 GDPR).
The Belgian Data Protection Authority said IAB Europe “was aware of risks linked to non-compliance” and “was negligent.” And it went further: “[It] supports a system posing great risks to the fundamental rights and freedoms of the data subjects, in particular in view of the large scale of personal data involved, the profiling activities, the prediction of behavior and the ensuing surveillance of data subjects.”
Privacy attorney Cobun Zweifel-Keegan got into the long grass to explain the breach in this Twitter thread.
Thousands of advertisers will have to delete the data collected using the TFC, which ICCL pointed out includes Google’s, Amazon’s and Microsoft’s online advertising businesses.
“This has been a long battle,” said Ryan. “Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies.”
IAB Europe issued a response to The Drum.
It pointed out that there is no prohibition of the TCF, which the complainants pursued. Instead, it has six months to remedy the noted issues. Meanwhile, it says it is considering a legal challenge.
“We reject the finding that we are a data controller in the context of the TCF. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge.”
Of course, meanwhile, the UK weighs up plans to diverge from GDPR.
Paul Thompson, country manager at Seedtag says the news isn't good for the industry.
“There has been a lot of chatter around this and the draft ruling initially found that the TCF fails to properly request consent, and also fails to provide transparency about what happens to consumer data.
"Companies have tried to hide behind 'legitimate Interest' – but it’s questionable when legitimate interest allows consumers to be tracked around the open web, tracking my location and stores my personal data without a clearly defined period for deleting it. Hopefully, this means a reboot of your personal data is collected, processed and stored - and importantly under what conditions do you give consent.”
Simon Spyer, chief executive of data driven Marketing at Iris, commented: “Although this news has the potential to have a dramatic effect on the online ad industry, it’s great news for consumer experience, and for marketers who are interested in building participation for their audience.
“Marketers need to get serious about the experience they're delivering for their consumers and the imperative to gather well-permissioned first party data as a pre-requisite to building any human relationship. Perhaps, the industry shouldn't be relying on the vested interests of the IAB to set the rules. The danger is that online advertisers may be tempted to pivot to a different set of guidelines to try to circumvent the legal challenge.”