Mechanism underlying cookie popups found in breach of GDPR

The mechanism used by IAB Europe – the online ad industry trade body – to establish consent from users to be tracked online has been found illegal and in violation of the General Data Protection Regulation (GDPR) across the European Union (EU).

The decision, handed down today by the Belgian Data Protection Authority (BE DPA) acting on behalf of the 27 EU states, effectively rules that cookie consent popups have deprived millions of Europeans of fundamental data rights, and spells trouble for the likes of Google, Amazon, and an entire industry that has sprung up around IAB Europe’s Transparency and Consent Framework (TCF) and the OpenRTB real-time bidding system.

Real-time bidding is the opaque process behind which the browsing and personal data of internet users is collected and shared through behind-the-scenes auctions, in which it is sold to advertisers to build profiles of web users which, in turn, are used to tailor the ads people see when browsing the internet.

This is the underlying cause of the phenomenon in which you may perceive that an advert is “following” you around the internet, even if you have never expressed any interest in what it is selling.

The TCF consent popup system underpinning real-time bidding is to be found on 80% of the European internet, and the tracking industry had claimed that it was a measure in place to comply with the GDPR. However, the authorities have now ruled that the system infringes the GDPR for several reasons:

• First, it does not ensure personal data is kept secure and confidential, a breach of Article 5(1)f and 32;
• Second, it fails to properly request consent to be tracked, relying on the basis of legitimate interest, which is not permissible because of the risk posed by online advertising tracking, a breach of Article 5(1)a and Article 6;
• Third, it is not transparent over what happens to people’s data, which breaches Articles 12, 13 and 14;
• Fourth, it fails to implement measures to ensure that data processing is done in accordance with GDPR, a breach of Article 24;
• And finally, it does not respect the requirement for data protection by design, which breaches Article 25.

Also, the BE DPA found that IAB Europe failed to honour its obligations to maintain records of data processing, to conduct a data protection impact assessment (DPIA), and to appoint a data protection officer (DPO) – all GDPR breaches themselves.

Hielke Hijmans, chair of the litigation chamber of the BE DPA, said: “The processing of personal data (such as capturing user preferences) under the current version of the TCF is incompatible with the GDPR, due to an inherent breach of the principle of fairness and lawfulness.

“People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day in order to expose them to personalised ads. Although it concerns the TCF, and not the whole real-time bidding system, our decision today will have a major impact on the protection of the personal data of internet users. Order must be restored in the TCF system so that users can regain control over their data.”

The BE DPA said IAB Europe had been well aware of the risks linked to non-compliance with the GDPR and accused it of negligence. It cited “systematic deficiencies” in IAB Europe’s TCF and noted that it supported a system that ultimately posed “great risks” to fundamental data rights and freedoms, particularly when considering the sheer scale of the data involved, the profiling activities, the use of the data to predict how people will behave, and the ensuing surveillance of the data subjects.

The action against IAB Europe’s system was initiated by complainants to the BE DPA from various organisations in Belgium, the Netherlands, Poland and Ireland – the Irish Council for Civil Liberties (ICCL) coordinated the action. It stems from an initial complaint made in 2018 by Johnny Ryan of the ICCL.

“This has been a long battle,” said Ryan. “Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies.”

BE DPA chair David Stevens added: “Brave little Belgium has once again shown that it is not afraid to tackle major cases such as this one, which really concerns all European citizens that shop, work or play online. Online privacy and the fight against too intrusive forms of advertising is an important priority for us.”

As a result of the ruling, all data collected through the TCF must now be deleted by every company – over 1,000 in total – that pays IAB Europe to use the system.

IAB Europe said it acknowledged the decision, but noted that it stops short of prohibiting the use of the TCF, and rejected its key finding that it is a data controller in the context of the TCF.

“We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry,” a spokesperson said. “We are considering all options with respect to a legal challenge.

“Notwithstanding our grave reservations on the substance of the decision, we look forward to working with the APD on an action plan to be executed within the prescribed six months that will ensure the TCF’s continuing utility in the market.

“As previously communicated, it has always been our intention to submit the framework for approval as a GDPR transnational code of conduct. Today’s decision would appear to clear the way for work on that to begin.”