The Belgian data protection authority (APD) has determined IAB Europe violated the GDPR with its pop-up consent system which is used by companies to make ads and online tracking compliant with the GDPR. The decision has huge implications for the online ad industry, as not only has IAB Europe’s Transparency & Consent Framework (TCF) been determined to be non-compliant with several articles of the GDPR, data collected through the system must now be deleted.
The GDPR took effect on May 25, 2018, and gave EU citizens new rights regarding their personal data. Companies were required to obtain consent before processing personal data and implement safeguards to ensure personal data are protected. Interactive Advertising Bureau (IAB) Europe, a digital advertising trade association, created the TCF to allow companies engaging in online advertising to comply with the consent requirements of the GDPR.
More than 1,000 companies, including the likes of Microsoft, Google, and Amazon rely on the TCF for obtaining consent from Internet users to collect and process their personal data, track them as they traverse the Internet, and display adverts through retargeting. Consent comes from IAB Europe’s popup system which is used on websites to obtain consent to collect, process, and share visitors’ personal data.
Shortly after the GDPR took effect, a complaint was filed with the APD by Dr. Johnny Ryan of the Irish Council for Civil Liberties, and many other individuals also took issue with IAB Europe over its TCF. The APD has now issued its final decision in the long-running case against IAB Europe and has determined the TCF system that is used to ensure GDPR compliance does nothing of the sort – in fact, the system, and IAB Europe, have violated multiple aspects of the GDPR, which means the consent and data collection has been illegal. This is very bad news for IAB Europe and the companies that rely on the system to obtain consent to display ads and track Internet users.
The TCF is used on around 80% of websites available to EU visitors and contains the decisions made by EU citizens about whether they want their data to be shared and with whom. The content is shared along with the collected, which is shared by publishers with ad technology vendors prior to ads being displayed. The consent tells other companies whether they can use the data but the system does not block the use of personal data, regardless of whether a person has given their permission for their data to be shared. The system was determined not to be secure and failed to ensure the confidentiality of personal data, IAB Europe had not tested whether it was protecting people’s rights and freedoms, and the consent obtained was too general and there was a lack of transparency about how data were collected and used.
APD determined IAB Europe is a data controller, which puts it on the hook for any consent fraud and illegal data transmission, even though IAB Europe does not actually collect and process any personal data. IAB Europe is considering mounting a legal challenge, as it does not consider itself to be a data controller.
IAB Europe has been fined €250,000, and while Dr. Ryan and the other complainants were pushing for the use of the TCF to be banned, the APD has instead given IAB Europe 6 months to fix the GDPR violations or face a €5,000-a-day penalty until the issues are resolved. IAB Europe has also been ordered to delete all data it holds that has been collected illegally through the system. Since the data collected through the system is passed on to many companies, they too could now face the very difficult task of having to identify and delete the data. It is fair to say that the decision is the biggest shakeup to the online advertising industry in Europe since the GDPR was introduced in 2018.
IAB Europe was found to have violated the following aspects of the GDPR:
- The TCF system does not ensure personal data are kept private and confidential (Articles 5(1)f and 32)
- The TCF system does not properly request consent as the ‘legitimate interest’ basis for processing data is not permitted as there is a severe risk associated with online tracking RTB advertising (Articles 5(1)a and 6)
- IAB Europe was not transparent about what happens to EU citizens’ personal data (Articles 12, 13, and 14)
- IAB Europe did not implement measures to ensure data processing is performed in a GDPR-compliant manner (Article 24)
- IAB Europe did not ensure data protection by design (Article 25)
- IAB Europe did not maintain records of data processing (Article 30)
- IAB Europe did not conduct a data protection impact assessment (Article 35)
- IAB Europe did not appoint a Data Protection Officer (Article 37)
“Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies,” said Dr. Ryan.
“We reject the finding that we are a data controller in the context of the TCF. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge,” said IAB Europe. “Notwithstanding our grave reservations on the substance of the decision, we look forward to working with the APD on an action plan to be executed within the prescribed six months that will ensure the TCF’s continuing utility in the market. As previously communicated, it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct. Today’s decision would appear to clear the way for work on that to begin.”