It’s been over two years since a key piece of the tracking-ads’ industry’s consent collection apparatus was found to breach European Union’s data protection laws. Today the surveillance data complex suffered another body blow: The bloc’s top court flicked away arguments made by the ad industry body responsible for the tool — confirming the strings of data it generates in response to users’ privacy choices are personal data, within the meaning of the bloc’s General Data Protection Regulation (GDPR), as they contain a personal identifier.
The Court of Justice of the EU (CJEU) also held that the ad industry association responsible for devising the consent management tool, IAB Europe, is what’s known as a “joint controller”, with its advertiser members — meaning it can’t eschew responsibility for ensuring the data processing complies with the GDPR. (Though the court did not find the IAB to be a controller for data processing operations that occur after the consent preferences of users are recorded — but it left the door open to that possibility should evidence of influence over follow-on data operations be found.)
The CJEU ruling follows a referral of questions from a court in Belgian where the IAB Europe challenged the February 2022 decision by the local data protection authority which found its “Transparency and Consent Framework” (TCF) breached the GDPR.
The Belgian DPA’s decision was — and still is — a big deal for web users in Europe where consent spam has proliferated since the GDPR came into force in May 2018 — littering websites with never-ending pop-ups soliciting consent for “sharing” user data with long lists of ad “partners”.
The problem is these spammy pop-ups never looked GDPR compliant. A simple ‘yes or no’ to ad tracking is as much friction web users should get. But the adtech industry, well aware most people vote in favor of privacy when given a chance, opted to do everything possible to avoid offering people an easy way to deny tracking. Hence tracking opt-outs tend to be far less prominent, often buried in submenus of pop-ups (if they’re even offered at all) — vs eye-catching ‘accept’ buttons easily within users’ reach that make it super-simple to dismiss an annoying pop-up, but with a high, hidden cost to privacy.
Other tactics the adtech industry has deployed since GDPR came into application include pre-checking sharing options and requiring web users to manually click through and uncheck multiple boxes — making it really tedious and time-consuming to try to reclaim your privacy.
There’s even worse, too: Independent research has shown evidence of some adtech vendors plugged into the IAB’s TCF continuing to track and profile Internet users even when they explicitly said don’t want tracking-based ads.
Critics dub the whole cynical approach compliance theatre: An attempt by the ad industry to evade data protection law and keep tracking and profiling web users en masse by packaging systematic non-compliance inside an industry standard framework.
The IAB doesn’t share that view, of course. Its legal challenge to the Belgian decision finding the TCF breaches the GDPR remains ongoing — but now the CJEU’s ruling will be handed back to the court to factor in to that proceeding.
The ad association had sought to overturn the Belgian decision by arguing TCF strings are not personal data. It also challenged the authority’s classification of it as a joint controller. On both counts the CJEU found otherwise. So it’s not looking too rosy for the IAB’s appeal.
In a press release today, the IAB acknowledged the court’s ruling — saying it welcomes the “well-needed clarity over the concepts of personal data and (joint) controllership, which will allow a serene completion of the remaining legal proceedings”. Which is one way of spinning totally losing the argument.
It also said it would be posting “a more in-depth commentary of the ruling and of its consequences shortly”.
“The Belgian Market Court will now resume its examination of IAB Europe’s substantive arguments in line with the answers provided by the CJEU,” it added. “Pending the conclusion of the proceedings before the Market Court which can take several months, the suspension of the execution of the APD [Belgian DPA’s] decision (i.e. the implementation of IAB Europe’s action plan following its validation) continues to apply.”
Translation: The IAB expects to get a few more months’ grace before the Belgium court rules on the fate of the TCF.
In an updated FAQ on the saga, the ad association seeks to deny the CJEU ruling is a blow to its chances of overturning the Belgian DPA’s finding the TCF breaches the GDPR — claiming there is “nothing in the CJEU ruling that could be viewed as even remotely questioning the legality of consent prompts or prohibiting their use by the digital ecosystem to comply with legal requirements under the EU’s data protection framework”.
Which, again, is some nice spin — given the CJEU’s role is specifically to respond to the points of law raised. It’s for the referring court to take the next steps, factoring in the top court’s guidance on how to interpret key points of law pertaining to the case.
As a refresher, the Belgian authority’s February 2022 decision on the long-running complaint against the IAB’s TCF found breaches of Articles 5.1.a and 6 (lawfulness of processing; fairness and transparency); Articles 12, 13 and 14 (transparency); Articles 24, 25, 5.1.f and 32 (security of processing; integrity of personal data; data protection by design and default); Articles 30 (register of processing activities); Article 35 (data impact assessment); and Article 37 (appointment of a data protection officer).
The authority also issued a fine, of a quarter of a million Euros, on the IAB at that point — and gave it six months to bring the TCF into compliance. However action requiring reform of the framework was suspended pending a final court ruling on the IAB’s appeal. Hence why pop-up consent spam persists to this day in the EU.
This zombie consent spam may — finally, finally! — be on its last legs with this decision, though. In a statement following the CJEU’s ruling, the Irish Council for Civil Liberties’ senior fellow and Enforce director, Johnny Ryan, one of the individuals who filed the GDPR complaints against the TCF, and prior to that, complaints against real-time bidding (such as this one against Google’s adtech which still hasn’t been decided by Ireland’s DPA), predicted the end of this epic struggle is in sight.
“People across Europe have been plagued by fake ‘consent’ popups every day on almost every website and app since the GDPR was introduced almost six years ago. IAB Europe has sought to evade its responsibility for this charade. But the European Court of Justice has set it straight. This decision will not only end the biggest spam operation in history. It will deal a mortal wound to the online tracking-based advertising industry,” Ryan wrote.
Still, it’s possible IAB’s PR today is projecting “serene” legal proceedings ahead, despite the CJEU batting away its arguments, as it may have spied an alternative strategy for strong-arming consent-to-track from European web users — given the increasing creep of ‘consent or pay’ models, driven by Meta’s adoption of the tactic last fall. (Here the consent choice is even more blatantly manipulative and abusive: Literally pay money for your privacy, by signing up for an ad-free subscription, or agree to tracking and get zero privacy.)
That said, the controversial ‘consent or pay’ model is already facing a swathe of privacy and consumer protection challenges. Plus the European Data Protection Board is due to weigh in with guidance soon. The European Commission is also looking into Meta’s use of the tactic, as part of its oversight of very large online platforms under the Digital Services Act — which requires platforms to obtain consent for use of people’s data for ads, as well as setting some conditions on how consent can be collected, in addition to the GDPR’s informed, specific and freely given baseline.
How much longer the surveillance ads industry can scratch out operational runway in the EU — given shrinking legal avenues as privacy complaints and enforcements grind through the system; and with new compliance attacks opening up on multiple fronts — is unclear. It may be a matter of months. Or it may require the CJEU to weigh in on ‘consent or pay’ too (so, maybe max, a couple more years). But the only real choice left for the industry looks simple: Reform or die.