IAB Europe’s ad tracking consent framework found to fail GDPR standard

A flagship framework for gathering Internet users’ consent for targeting with behavioral ads — which is designed by ad industry body, the IAB Europe — fails to meet the required legal standards of data protection, according to findings by its EU data supervisor.

The Belgian DPA’s investigation follows complaints against the use of personal data in the real-time bidding (RTB) component of programmatic advertising which contend that a system of high velocity personal data trading is inherently incompatible with data security requirements baked into EU law.

The IAB Europe’s Transparency and Consent Framework (TCF) can be seen popping up all over the regional web, asking users to accept (or reject) ad trackers — with the stated aim of helping publishers comply with the EU’s data protection rules.

It was the ad industry standard’s body’s response to a major update to the bloc’s data protection rules, after the General Data Protection Regulation (GDPR) came into application in May 2018 — tightening standards around consent to process personal data and introducing supersized penalties for non-compliance — thereby cranking up the legal risk for the ad tracking industry.

The IAB Europe introduced the TCF in April 2018, saying at the time that it would “help the digital advertising ecosystem comply with obligations under the GDPR and ePrivacy Directive”.

The framework has been widely adopted, including by adtech giant, Google — which integrated it this August.

Beyond Europe, the IAB has also recently been pushing for a version of the same tool to be used for ‘compliance’ with California’s Consumer Privacy Act.

However the findings by the investigatory division of the Belgian data protection agency cast doubt on all that adoption — suggesting the framework is not fit for purpose.

The inspection service of the Belgium DPA makes a number of findings in a report reviewed by TechCrunch — including that the TCF fails to comply with GDPR principles of transparency, fairness and accountability, and also the lawfulness of processing.

It also finds that the TCF does not provide adequate rules for the processing of special category data (e.g. health information, political affiliation, sexual orientation etc) — yet does process that data.

There are further highly embarrassing findings for the IAB Europe, which the inspectorate found not to have appointed a Data Protection Officer, nor to have a register of its own internal data processing activities.

Its own privacy policy was also found wanting.

We’ve reached out to the IAB Europe for comment on the inspectorate’s findings. Update: See the base of this article for a first response. Update 2: The ad standards body has now published a statement here in which it describes the TCF as a “voluntary standard” that contains “a minimal set of best practices”. It also says it “respectfully disagree[s] with the [Belgian DPA]’s apparent interpretation of the law, pursuant to which IAB Europe is a data controller in the context of publishers’ implementation of the TCF”, adding: “If upheld, the [Belgian DPA]’s interpretation would have a chilling effect on the development of open-source compliance standards that serve to support industry players and protect consumers.”

A series of complaints against RTB have been filed across Europe over the past two years, starting in the UK and Ireland.

Dr Johnny Ryan, who filed the original RTB complaints — and is now a senior fellow at the Irish Council for Civil Liberties — told TechCrunch: “The TCF was an attempt by the tracking industry to put a veneer or quasi-legality over the massive data breach at the heart of the behavioral advertising and tracking industry and the Belgian DPA is now peeling that veneer off and exposing the illegality.”

Ryan has previously described the RTB issues as “the greatest data breach ever recorded”.

Last month he published another hair-raising dossier of evidence on how extensively and troublingly RTB leaks personal data — with findings including that a data broker used RTB to profile people with the aim of influencing the 2019 Polish Parliamentary Election by targeting LGBTQ+ people. Another data broker was found to be profiling and targeting Internet users in Ireland under categories including “Substance abuse”, “Diabetes,” “Chronic Pain” and “Sleep Disorders”.

In a statement, Ravi Naik, the solicitor who worked on the original RTB complaints, had this to say on the Belgian inspectorate’s findings: “These findings are damning and overdue. As the standard setters, the IAB is responsible for breaches of the GDPR. Their supervisory authority has rightly found that the IAB ‘neglects’ the risks to data subjects. The IAB’s responsibility now is to stop these breaches.”

Following the filing of RTB complaints, the UK’s data watchdog, the ICO, issued a warning about behavioural advertising in June 2019 — urging the industry to take note of the need to comply with data protection standards.

However the regulator has failed to follow up with any enforcement action — unless you count multiple mildly worded blog posts. Most recently it paused its (still ongoing) investigation into the issue because of the pandemic.

In another development last year, Ireland’s DPC opened an investigation into Google’s online Ad Exchange — looking into the lawful basis for its processing of personal data. But that investigation is one of scores that remain open on its desk. And the Irish regulator continues to face criticism over the length of time it’s taking to issue decisions on major cross-border GDPR cases pertaining to big tech.

Jef Ausloos, a postdoc researcher in data privacy at the University of Amsterdam — and one of the complainants in the Belgian case — told TechCrunch the move by the DPA puts pressure on other EU regulators to act, calling out what he described as “their complete, deer-in-the-headlights inaction“.

“I think we’ll see more of this in the coming months/year, i.e. other DPAs sick and tired, taking matters into their own hands — instead of waiting on the Irish,” he added.

“We are happy to finally see a data protection authority having the resolved to take on the online advertisement industry at its roots. This may be the first important step in taking down surveillance capitalism,” Ausloos also said in a statement.

There are still several steps to go before the Belgian DPA takes (any) action on the substance of its inspectorate’s report — with a number of steps outstanding in the regulatory process. We’ve reached out to the Belgian DPA for comment. Update: See below.

But, per the complainants, the inspectorate’s findings have been forwarded to the Litigation Chamber, and action is expected in early 2021. Which suggests privacy watchers in the EU might finally get to uphold their rights against the ad tracking industry/data industrial complex in the near future.

For publishers the message is a need to change how they monetize their content: Rights-respecting alternatives to creepy ads are possible (e.g. contextual ad targeting which does not use personal data). Some publishers have already found the switch to contextual ads to be a good news story for their revenues. Subscription business models are also available (even if not all VCs are fans).

Update I: Responding to questions about next steps and the likely timeline for reaching a decision, a spokeswoman for the Belgian DPA told us: “In terms of procedure, now that the report of the Investigation Service has been transferred to the Litigation Chamber of the BE DPA, the Litigation Chamber will examine the case on the merits.”

“At this time, we prefer not to provide an estimated timing for when the Litigation Chamber will reach a decision in this case,” she added.

Update II: Reached for her response to the report, the IAB Europe’s CEO, Townsend Feehan, told us the ad standards body would be issuing a statement in the coming hours. She also objected to the headline on this report, saying: “I find your headline to be misleading. It’s just factually incorrect.”

Asked what is factually incorrect about it she objected to the phrasing ‘found to fail GDPR standard’ — saying it “strongly suggests a ruling by an authority”.

When we pointed out our reporting makes it clear the procedure is ongoing — including an explanation and a quotation from the Belgian DPA to that effect — she said: “The observation I would like to make is that I find your headline to be misleading and I believe it would be a more faithful representation of the truth if the headline could convey that a preliminary investigation finds [the TCF fails the GDPR standard].”

On special category data she also claimed: “You can’t use the TCF to process special category data.”

“I don’t want to go through the whole report with you but you put out a headline that gives the market the impression that the TCF has been found by a DPA to breach the GDPR and that is not the case,” she also told us, adding: “We will have a further statement on the way probably in the next couple of hours.”

Update III: You can now read the full IAB Europe’s statement on the findings of the Belgian DPA’s investigation on its website, where it writes: “The APD’s report represents the preliminary views of the APD’s investigations unit and has no binding effect with regard to any breach of the law by IAB Europe.”