On 2 February the Belgian Data Protection Authority dropped a bomb on the adtech industry. The vast majority of cookie consent popups Europeans face every day are so deeply flawed that not only have they been unlawfully deployed, the data they ‘permitted’ websites to collect must now be deleted.
Those popups were designed by the Internet Advertising Bureau (IAB), a trade body for the industry who have now been hauled over the coals in a damning ruling. But they have been utilised since 2018 by well over 1,000 companies, including Google and Amazon, representing an estimated 80% of the European internet.
Developed by the IAB as a means of demonstrating compliance with GDPR, this system, known as the Transparency & Consent Framework (TCF), was meant to allow businesses to track consumers while still meeting their obligations for user consent and to offer people ‘transparency and control’ over their data.
Following complaints co-ordinated by privacy advocates across a number of countries, the Belgian DPA found that IAB Europe committed multiple violations in its processing of personal data both in the context of TCF, and its real-time bidding (RTB) system.
Their systems were found to breach GDPR in fundamental ways: failing to properly request consent from individuals or giving them enough information to make an informed decision, let alone exercise control. In its ruling, the Belgian DPA condemned a clear lack of security and data protection by design. Little control was in place as to where the data captured could end up, relying instead on an international chain of self-certification by hundreds of individual actors.
So this ruling represents a comprehensive demolition of the TCF framework. Johnny Ryan, of the Irish Council for Civil Liberties, who brought the case in June last year, summed it up:
‘The tracking industry, which operates behind the scenes on virtually every website and app, it turns out it was continuing to take our data and share it among thousands of companies.
‘It covered this with a kind of a legal veneer, a note to you that asked you to say OK to this, without knowing what you were saying OK to.
‘Today's decision ends that regime and it means that you can no longer be subject to the kind of profiling that was happening behind your back.’
And because of GDPR’s one-stop-shop mechanism, this ruling applies right across the EU. As Ryan said:
‘Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies.’
How did it come to this? On paper at least, the TCF offered a mechanism to cover GDPR requirements for transparency and control, and ticked the box for consent when storing and accessing information on a user device, required under the earlier ePrivacy Directive, or ‘cookie laws’.
But having a centralised body whose management and tech strategy is set in New York, with a small European presence but significant client numbers, both mirrors the current power structures of Web2 and shows this model of self-regulation is no longer viable to protect European citizens, if it ever was.
IAB argued in their defence they were merely following members’ instructions in running the systems. However, the Belgian DPA found that ‘IAB Europe has a decisive influence on the purposes and means of processing personal data’ in line with the role of controller. They have been given two months to respond with a data protection impact assessment and plan to get their house in order, to be delivered in six months. The IAB will appeal.
What does this mean for the tracking industry? It must truly mark the beginning of the end for the narrow model of GDPR compliance and self-regulated consent management. We were all to a certain extent complicit in preserving the status quo – the IAB served its own interests, we clicked on the banners and advertisers paid up. But this is now at odds with the expectations of an effective body of regulators (the EDPB) and increasingly the brand values of data consumers.
A new research project interviewing senior data buyers, commissioned by Pool from Wilsome, found them as uncertain and confused about the ‘spaghetti junction’ of data sources from web tracking as any concerned citizen or privacy activist. Contextual information that is transparent, consented and ethically sourced is now at a premium, either to access new audiences or hydrate existing data sets.
Which takes us back to the cookies. No one outside the IAB is arguing now that a better type of banner will solve the underlying problem, which is that consent notices are pivotal to the operation of real-time bidding (RTB) systems, automatically funnelling data to match adverts with people advertisers want to reach. It’s also unrealistic to expect individuals to control their data without new tools and an ecosystem to support them, and their builders.
This is why it’s great that a new package of evolved legislation (DMA, DSA, DGA and others) is now progressing through the European Parliament to address the key issue of data portability, mandate open APIs and create properly regulated intermediaries that legally enshrine the duty of care and best practice we deserve. At Pool we call these data unions.
These new regulations, structures and technologies adapted from Web3 such as smart contracts and zero knowledge proofs accelerate this shift from consent sleight-of-hand to a sustainable data ecosystem. Meanwhile, active policing by regulators shown in this IAB verdict could represent a tipping point for the whole system to flip to a new alignment, and the end of the road for web tracking. The perfect conditions to grow the new data economy are being created around us.