Europe’s New Ruling On Data Consent Pop-Ups Challenges Privacy Policies For Publishers And Advertisers

Officials in Belgium have found a top advertising trade organization to be in violation of European Union data privacy laws—a ruling that could have ripple effects across Europe and the U.S.

Belgium’s Data Protection Authority has declared the Interactive Advertising Bureau of Europe’s framework for how publishers get consent for collecting and use personal data doesn’t comply with EU privacy regulations. The ruling, issued today, could impact thousands of companies across the continent and beyond. 

The average person probably hasn’t heard of IAB Europe or its U.S. counterpart, the IAB. However, people are likely far more familiar with what Wednesday’s ruling concerns: The ubiquitous pop-ups asking Internet users for permissions around collecting and using data for advertising and other purposes. At the center of the debate is IAB Europe’s Transparency and Consent Framework, or TCF. The tool was created to help publishers and advertisers comply with the EU’s General Data Protection Regulation (GDPR), which was introduced in 2018 to provide additional privacy rights for EU citizens.

As part of the ruling, the DPA has fined IAB Europe €250,000 and given it two months to propose changes as well as six months to put them in place. The DPA is also ordering IAB Europe to permanently delete data that’s been processed using TCF’s current system “without undue delay.” That could affect data used by a wide range of publishers, ad-tech companies and advertisers including giants like Google and Amazon. Under GDPR’s “one-stop-mechanism,” the ruling is immediately enforceable across the European Union.

In many ways, IAB Europe’s consent system is somewhat of a linchpin for how publishers and advertisers collect online data from Europeans use it for ad-targeting. When a person gives a website their preferences for whether they want to be tracked online, TCF uses code to signal to advertising partners which preferences a person selected. The framework’s partners then use those preferences for automated ad auctions known as real-time bidding, where marketers can buy ads based on a wide range of available information and criteria.

Belgian regulators said IAB Europe breached GDPR laws in a number of ways including by “failing to establish a legal basis” for processing data, improperly requesting consent to having data collected, failing to properly secure that data, inadequately securing protecting data and also not providing transparency around how the data is collected and used. In a statement about the ruling, Belgium DPA Chairman of the Litigation Chamber Hielke Hijmans said IAB Europe’s current version of TCF is “is incompatible with the GDPR, due to an inherent breach of the principle of fairness and lawfulness.”

“People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day in order to expose them to personalised ads,” Hijmans said. “Although it concerns the TCF, and not the whole real time bidding system, our decision today will have a major impact on the protection of the personal data of internet users. Order must be restored in the TCF system so that users can regain control over their data.”

When asked for a statement about the DPA’s ruling, an IAB Europe spokesperson emailed a statement to Forbes saying the trade group has “grave reservations” about the decision and that plans to work with the DPA to make changes.

“We reject the finding that we are a data controller in the context of the TCF,” according to IAB Europe’s statement. “We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge.”

Privacy advocates on Wednesday celebrated the ruling as a step toward what they see as stronger consumer data protections for hundreds of millions of European. Around 80% of Europe’s internet relies on TCF, according to the Irish Council for Civil Liberties, a non-profit organization that filed the complaint with the DPA last year. The ICCL argued that because there was a lack of security, the data used within the TCF also illegal.

“The tracking industry sought to cover the underlying huge data breach in online advertising,” Johnny Ryan, a veteran of the ad-tech industry who is now a senior fellow at the ICCL said in an interview with Forbes. “They tried to make that problem go away with ‘OK’ buttons, but the industry knew is not possible to ask for someone ‘OK’ a data breach. You have to know what you’re asking for.”

Ryan described TCF as “a legal fiction,” alleging that because data within open real-time-bidding isn’t actually secure, it creates a “massive data free-for-all” that doesn’t protect personal data.

“The cardinal sin is security,” Ryan said.