IAB Europe's ad tracking consent framework found to fail GDPR standard
A flagship framework for obtaining Internet users' consent to being targeted with behavioral ads, developed by the advertising industry body IAB Europe, does not comply with the required statutory data protection standards, according to the findings of its EU data protection regulator.
The investigation by the Belgian Data Protection Agency follows complaints about the use of personal data in the real-time bidding (RTB) component of programmatic advertising, which argue that a system of high-speed trading of personal data is inherently incompatible with the data protection requirements enshrined in EU law.
IAB Europe's Transparency and Consent Framework (TCF) appears across the regional web, asking users to accept (or decline) ad trackers - with the stated aim of helping publishers comply with EU data protection regulations.
IAB Europe introduced the TCF in April 2018 when it stated that it would "help the digital advertising ecosystem to comply with the obligations under the GDPR and the data protection directive for electronic communications".
The framework has been widely adopted, including by the adtech giant Google, which integrated it in August.
Beyond Europe, the IAB recently pushed for a version of the same tool to be used to comply with California Consumer Law.
However, the findings of the Belgian DPA's investigation department cast doubt on this whole assumption, suggesting that the framework is inadequate.
The inspection service of the Belgian data protection authority made a number of findings in a report reviewed by TechCrunch - including that the TCF does not comply with the GDPR principles of transparency, fairness and accountability, as well as the legality of processing.
It also found that the TCF does not provide adequate rules for processing special category data (e.g. health information, political affiliation, sexual orientation, etc.), even though it does process that data.
There are other extremely embarrassing findings for IAB Europe, with the regulator finding that it has not appointed a data protection officer or kept a record of its own internal data processing activities.
We asked IAB Europe to comment on the regulator's findings. Update: You can find an initial answer at the bottom of this article. Update 2: The Advertising Standards Board has now published a statement here describing the TCF as a "voluntary standard" that contains "a minimal number of best practices". It also states that it "respectfully contradicts the apparent interpretation of the law by the [Belgian Data Protection Agency] that IAB Europe is the data controller in the context of the implementation of the TCF by publishers," adding, "If so confirmed, the interpretation of the [Belgian Data Protection Agency] would have a terrifying effect on the development of open source compliance standards designed to support industry players and protect consumers."
A number of complaints have been filed against RTB across Europe in the past two years, starting in the UK and Ireland.
Dr. Johnny Ryan, who filed the original RTB complaints and is now a senior fellow with the Irish Council for Civil Liberties, told TechCrunch: "The TCF was an attempt by the tracking industry to put a veneer of quasi-legality over the one massive data breach at the heart of the behavioral advertising and tracking industry and the Belgian data protection authority is now peeling off that veneer and exposing the illegality."
Ryan previously described the RTB problems as "the largest data breach ever recorded".
Last month he released another hair-raising dossier of evidence about the worrying extent of RTB's disclosure of personal information. Findings included a data broker using RTB to profile people in order to influence the 2019 Polish parliamentary elections by targeting LGBTQ+ people. Another data broker was found to profile and target Internet users in Ireland under the categories of 'substance abuse', 'diabetes', 'chronic pain' and 'sleep disorders'.
In a statement, Ravi Naik, the lawyer who worked on the original RTB complaints, said of the Belgian regulator's findings: "These findings are harmful and overdue. As the standard setter, the IAB is responsible for violations of the GDPR. Your supervisory authority has rightly determined that the IAB 'neglects' the risks for data subjects. It is now the responsibility of the IAB to stop these violations."
After filing RTB complaints, the UK data watchdog ICO warned against behavioral advertising in June 2019 and urged the industry to take note of the need to comply with data protection standards.
However, the regulator has not taken any enforcement action - unless you count several lightly worded blog posts. Most recently, it suspended its (ongoing) investigation into the problem because of the pandemic.
In another development last year, Ireland's DPC launched an investigation into Google's online advertising exchange, looking into the lawful basis for processing personal data. But this investigation is one of scores that remain open on its desk. And the Irish regulator continues to face criticism for how long it takes to make decisions on major cross-border GDPR cases related to big tech.
Jef Ausloos, a postdoctoral researcher in data protection at the University of Amsterdam - and one of the complainants in the Belgian case - told TechCrunch that the DPA's move puts pressure on other EU regulators to act, calling out what he calls "their complete inactivity of the deer in the headlights".
"I think we'll see more of these in the months / years to come, i.e. other DPAs who are sick and tired and who take matters into their own hands - instead of waiting for the Irish," he added.
"We are pleased that a data protection authority has finally decided to take over the online advertising industry at its roots. This could be the first important step in the fight against surveillance capitalism," Ausloos said in a statement.
There are still a few steps to go before the Belgian data protection authority takes (any) action on the content of its inspection service's report, with a number of stages still pending in the regulatory process. We asked the Belgian data protection authority for a comment. Update: See below.
However, according to the complainants, the regulator's findings have been forwarded to the Trial Chamber and action is expected in early 2021. This suggests that EU data protection monitors may finally be able to safeguard their rights against the EU's ad tracking industry / data industry complex in the near future.
There is a need for publishers to change the way they monetize their content: rights-respecting alternatives to creepy ads are possible (e.g., contextual ad targeting that doesn't use personally identifiable information). Some publishers have already found that moving to contextual ads is good news for their revenue. Subscription business models are also available (although not all VCs are fans).
Update I: In response to questions about the next steps and the likely schedule for a decision, a spokeswoman for the Belgian data protection authority told us: "With regard to the procedure, the investigation service's report has now been sent to the trial chamber of the BE DPA, the trial chamber will handle the case in the Check thing."
"At this time we prefer not to give an estimated time when the process chamber will make a decision on this case," she added.
Update II: When reached for a response to the report, Townsend Feehan, CEO of IAB Europe, informed us that the Ad Standards Board would be making a statement in the coming hours. She also disputed the headline of this report, saying, "I find your headline misleading. It is just factually incorrect."
When asked what was factually wrong with it, she objected to the wording that the framework was found to fail the GDPR standard, saying that this "strongly indicates a decision by an authority".
When we pointed out that our reporting made it clear that the process was still ongoing - including a statement and a quote from the Belgian data protection authority - she said: "The point I want to make is that I consider your heading as misleading and I believe it would be a truer representation of the truth if the headline could convey that preliminary investigation shows [the TCF does not conform to GDPR standards]."
With regard to special category data, she also claimed, "You cannot use the TCF to process special category data."
"I don't want to go through the entire report with you, but you published a headline that gives the market the impression that the TCF has been classified as a GDPR violation by a data protection authority and it is not," she told us, adding, "We'll probably have another statement on the way in the next few hours."
Update III: You can now read IAB Europe's full statement on the results of the Belgian Data Protection Agency's investigation on its website, which states: "The APD's report reflects the preliminary views of the APD's investigation unit and has no binding effect regarding a violation of the law by IAB Europe."