IAB Europe says it’s expecting to be found in breach of GDPR

Is this the beginning of the end for the hated tracking cookie consent pop-up? A flagship framework used by Google and scores of other advertisers for gathering claimed consent from web users for creepy ad targeting looks set to be found in breach of Europe’s General Data Protection Regulation (GDPR).

A year ago the IAB Europe’s self-styled Transparency and Consent Framework (TCF) was found to fail to comply with GDPR principles of transparency, fairness and accountability, and the lawfulness of processing in a preliminary report by the investigatory division of the Belgian data protection authority.

The complaint then moved to the litigation chamber of the DPA — and a whole year passed without a decision being issued, in keeping with the glacial pace of privacy enforcement against adtech in the region.

But the authority is now in the process of finalizing a draft ruling, according to a press statement put out by the IAB Europe today. And the verdict it’s expecting is that the TCF breaches the GDPR.

It will also find that the IAB Europe is itself in breach. Oopsy.

The online advertising industry body looks to be seeking to get ahead of a nuclear finding of non-compliance, writing that the DPA “will apparently identify infringements of the GDPR by IAB Europe,” and trying to further spin the finding as “fixable” within six months (it doesn’t say how, however) — while simultaneously implying the breach finding may not itself be fixed because other EU DPAs still need to weigh in on the decision as part of the GDPR’s standard cooperation procedure (which applies to cross-border complaints).

The preemptive statement (and its Friday afternoon timing) looks very much like the IAB Europe trying to both fuzz and bury bad news and thereby calm the nerves of the tracking industry ahead of looming headlines that a flagship tool is unlawful — something EU privacy campaigners have of course been saying for literally years.

In terms of timing, a final verdict on the investigation is still likely months off — and may not emerge ’til deep into 2022. Appeals are also almost inevitable. But the tracking industry’s problems are starting to look, well, appropriately sticky. 

In the short term, the IAB says it expects a draft ruling to be shared by Belgium with other EU DPAs in the next two to three weeks — at which point they get 30 days to review it and potentially file objections.

If DPAs don’t agree with the lead authority’s finding and can’t agree among themselves, the European Data Protection Board may need to step in and take a binding decision — such as happened in another cross-border case against WhatsApp (which led to a $267 million fine, a larger penalty that the lead DPA in that case had originally proposed).

So this GDPR cooperation mechanism can spin procedures out for many more months yet.

Complainants against the IAB Europe and its TCF, meanwhile, told us they have not seen nor been given details of the draft ruling by the DPA.

So it looks pretty whiffy that the ad industry body has had sight of an incoming decision ahead of the other parties to the complaint.

But one of complainants, the Irish Council for Civil Liberties’ Johnny Ryan, quickly posted a press statement of his own, in which he writes: “We have won. The online advertising industry and its trade body, ‘IAB Europe’, have been found to have deprived hundreds of millions of Europeans of their fundamental rights.

“IAB Europe designed the misleading ‘consent’ pop-ups that feature on almost all (80%+) European websites and apps. That system is known as IAB Europe’s ‘Transparency & Consent Framework’ (TCF). These popups purport to give people control over how their data are used by the online advertising industry. But in fact, it does not matter what people click.”

The looming finding of unlawfulness comes at an interesting time for the tracking ads industry with moves afoot in the European Parliament to push for an outright ban on behavioral advertising to be incorporated into incoming pan-EU regulations for digital services — in favor of privacy-safe alternatives like contextual advertising.

A finding that the flagship tool used by the tracking industry to claim “consent” to behavioral ads isn’t actually operating lawfully under EU law will surely amplify calls to clean house by outlawing the practice entirely.

According to the IAB Europe, the draft ruling by the Belgian DPA will find that it is a data controller for TCF “TC Strings,” aka “the digital signals created on websites to capture data subjects’ choices about the processing of their personal data for digital advertising, content and measurement,” as it puts it.

(Or — in Ryan’s words — “the identification code created about a person, based on which apps they use and which websites they visit, and what they click in consent popups.”)

It will also find the IAB Europe is a “joint controller” for TC Strings that are used in OpenRTB (Real-Time Bidding) — meaning the industry body will have a string of risky new responsibilities attached to the data processing around programatic behavioral advertising (with legal liability aplenty and the risk of big fines if they fail to live up to requirements in the GDPR such as privacy by design and default; consent that’s specific, informed and freely given; and appropriate security wrapping people’s data).

Here’s Ryan again, laying out the parallel case against RTB in brief:

For almost four years, websites and apps have plagued Europeans with this “consent” spam. But our evidence reveals that IAB Europe knew that conventional tracking-based advertising was “incompatible with consent under GDPR” before it launched the consent system.

This is because the primary tracking-based ad system, called “Real-Time Bidding” (RTB), broadcasts internet users’ behaviour and real-world locations to thousands of companies, billions of times a day. RTB is the biggest data breach ever recorded. There is no way to protect data in this free-for-all. (We are litigating against RTB in Hamburg, too.)

In proceedings initiated by a group of complainants coordinated by the Irish Council for Civil Liberties, the Belgian Data Protection Authority is close to adopting a draft decision that will find IAB Europe’s its “consent” pop-up system infringes the GDPR, vindicating our arguments over several years.

The IAB Europe’s spin for trying to eschew responsibility for protecting people’s data is to try to spread blame elsewhere — claiming it has not considered itself a data controller “based on guidance from other DPAs up to now,” among other excuses.

“Therefore, it has naturally not fulfilled certain obligations that accrue to data controllers under the Regulation,” the IAB Europe goes on in studiously avoiding making any kind of apology.

(Here’s Ryan’s take again: “IAB Europe is jointly responsible and liable with thousands of online advertising firms when personal data are broadcast in to the RTB data free-for-all. IAB Europe had tried to deny this.”)

Instead of apologizing, the IAB Europe directs its energy toward suggesting there will be an easy way to fix the tracking industry’s lawfulness problem, writing: “The draft ruling will require IAB Europe to work with the APD to ensure that these obligations are met going forward.”

Making more market calming noises, it also describes itself as “optimistic” that the TCF can be fixed.

But, well, it would say that wouldn’t it?

The online ad industry body has previously denied there was any case to bring against the TCF or RTB’s use of people’s data.

So, well, its record here shouldn’t inspire confidence.

“Google and the entire tracking industry relies on IAB Europe’s consent system, which will now be found to be illegal,” added Ryan in a statement. “IAB Europe created a fake consent system that spammed everyone, every day, and served no purpose other than to give a thin legal cover to the massive data breach in at the heart of online advertising. We hope the decision of the Belgian Data Protection Authority will finally force the online advertising industry to reform.”

Another complainant in the case, Jef Ausloos, a postdoc researcher in data privacy at the University of Amsterdam, suggests the IAB Europe’s statement is an attempt to sow doubt among other EU DPAs — and called its claim that identification codes used for targeted advertising aren’t personal data “preposterous.”

He also described the Belgian finding as “only the very start of the process as I see it,” adding: “We’ve come a long way already but, regardless, this will still take a while.”

At the time of writing the Belgian DPA had not responded to our request for confirmation of an impending draft ruling.

A spokeswoman for the IAB Europe claimed it has “only been informed about the headline findings of the draft ruling.” She did not specify how it had obtained the information ahead of the complainants. (Update: We asked if the information came from the Belgian DPA and she said “yes, that’s correct.”)