Google and the entire tracking industry relies on IAB Europe’s consent system, which has now been found to be illegal.
5 November 2021. We have won. The online advertising industry and its trade body, “IAB Europe”, have been found to have deprived hundreds of millions of Europeans of their fundamental rights.
IAB Europe designed the misleading “consent” pop-ups that feature on almost all (80%+) European websites and apps. That system is known as IAB Europe’s “Transparency & Consent Framework” (TCF). These popups purport to give people control over how their data are used by the online advertising industry. But in fact, it does not matter what people click.
For almost four years, websites and apps have plagued Europeans with this “consent” spam. But our evidence reveals that IAB Europe knew that conventional tracking-based advertising was “incompatible with consent under GDPR” before it launched the consent system.
This is because the primary tracking-based ad system, called “Real-Time Bidding” (RTB), broadcasts internet users’ behaviour and real-world locations to thousands of companies, billions of times a day. RTB is the biggest data breach ever recorded. There is no way to protect data in this free-for-all. (We are litigating against RTB in Hamburg, too.)
In proceedings initiated by a group of complainants coordinated by the Irish Council for Civil Liberties, the Belgian Data Protection Authority is close to adopting a draft decision that will find IAB Europe’s “consent” pop-up system infringes the GDPR, vindicating our arguments over several years.
Specifically
- The identification code created about a person, based on which apps they use and which websites they visit, and what they click in consent popups, is to be considered “personal data” and is thus protected by European data protection law. IAB Europe tried to deny this.
- IAB Europe is to be considered the “data controller” and thus has responsibility for protecting people’s personal data. IAB Europe tried to deny any responsibility for protecting people’s data.
- IAB Europe is jointly responsible and liable with thousands of online advertising firms when personal data are broadcast in to the RTB data free-for-all. IAB Europe had tried to deny this.
- In addition, IAB Europe’s “consent” pop-up system violates the GDPR and is thus illegal.
The group of complainants across Europe include: Panoptykon Foundation (Poland), Stichting Bits of Freedom (the Netherlands), Ligue des Droits Humains (Belgium), Dr Jef Ausloos, Dr Pierre Dewitte, and Dr Johnny Ryan. This has been a long process. The Belgian procedure builds on the campaign to end the vast data breach at the heart of online advertising that Dr Johnny Ryan (of ICCL) initiated in 2018.
“Google and the entire tracking industry relies on IAB Europe’s consent system, which will now be found to be illegal”, said Dr Johnny Ryan of ICCL. “IAB Europe created a fake consent system that spammed everyone, every day, and served no purpose other than to give a thin legal cover to the massive data breach in at the heart of online advertising. We hope the decision of the Belgian Data Protection Authority will finally force the online advertising industry to reform”.
We thank our legal team at Timelex. We also thank the Belgian Data Protection Authority.
The Belgian Data Protection Authority’s decision is a draft decision under the GDPR’s “one stop shop” mechanism. It will now be shared with some other European data protection authorities so that it can be finalised and enforced.
Note: we are awaiting details from the Belgian Data Protection Authority, and will add to this statement as we receive it.