10 February 2022
Irish Council for Civil Liberties (ICCL) and Electronic Privacy Information Center (EPIC) write to the CEOs of P&G, Unilever, AT&T, BoA, Ford, GM, IBM, and Mastercard demanding they stop consent spam and delete data.
- The companies must immediately delete all personal data collected through consent popups that feature on 80% of the European internet. The online advertising industry’s consent popups (the “Transparency and Consent Framework” (TCF)) were declared unlawful in a major decision of European authorities on 2 February, following complaints coordinated by ICCL.
- They must also immediately refrain from “consent spam” in the United States based on the TCF. Consent spam plagued Europeans for years, and is now being expanded in the United States, too, as part of an industry initiative these companies support, called the “Programme for Responsible Addressable Media”.
See ICCL & EPIC letter to Mr. Jon Moeller, CEO of Procter & Gamble, below.
ICCL and EPIC also sent letters to:
Mr. Alan Jope, CEO of Unilever;
Mr. John Stankey, CEO of AT&T;
Mr. Brian Moynihan, CEO of Bank of America;
Mr. Arvind Krishna, CEO of IBM;
Mr. Michael Miebach, CEO of Mastercard;
Mrs. Mary T. Barra, CEO of General Motors;
Mr. James D. Farley, Jr., CEO of Ford.
Liability
Following the 2 February decision, any person whose personal data has been unlawfully processed as a result of these companies’ reliance on these consent popups can take them to court under EU law. The companies may be held liable for “the entire damage” caused by advertising technology firms working on their behalf, under Article 82(4) of the General Data Protection Regulation (GDPR).
In addition, the companies can also be fined 4% of their total worldwide turnover by EU data protection supervisory authorities, under the GDPR.
Consent spam popups declared illegal
In a decision of 2 February 2022, 28 EU data protection authorities, led by the Belgian Data Protection Authority as the leading supervisory authority in the GDPR’s one-stop-mechanism, found that the online advertising industry’s trade body “IAB Europe” commits multiple violations of the GDPR in its processing of personal data in the context of its “Transparency and Consent Framework” (TCF) and the Real-Time Bidding (RTB) system.
Read more about this decision at https://www.iccl.ie/news/gdpr-enforcer-rules-that-iab-europes-consent-popups-are-unlawful/
For comment:
Dr Johnny Ryan, ICCL
johnny.ryan@iccl.ie
Calli Schroeder, EPIC
schroeder@epic.org
Mr Jon Moeller
CEO, Procter & Gamble
One Procter & Gamble Plaza
Cincinnati, OH 45202
10 February 2022
Notice of default: delete all personal data collected through online advertising “TCF” system, and stop consent spam in US and elsewhere
Dear Mr Moeller,
- We write on behalf of the Irish Council for Civil Liberties (ICCL) and the Electronic Privacy Information Center (EPIC).
- We draw your attention to the landmark decision of European data protection authorities of 2 February, which we enclose herewith. Three matters arise.
Immediate cessation of use of TCF and deletion of data
- The decision requires that any personal data collected through the “Transparency and Consent Framework” (TCF) must be “no longer processed and removed accordingly”.
- This arises from the landmark decision[1] of European data protection authorities of 2 February that the TCF infringes the following articles of Regulation EU 2016/679 (the GDPR): Article 5, Article 6, Article 12, Article 13, Article 14, Article 24, Article 25, Article 32, Article 44, Article 45, Article 46, Article 47, Article 48, and Article 49.[2] The Belgian Data Protection Authority took this decision in agreement with no less than 27 other EU supervisory authorities. Their decision is immediately enforceable.
- Therefore, we hereby serve notice to your company of these violations and request that you immediately cease using the TCF and OpenRTB and take immediate steps to delete all personal data that your company collected or otherwise processed in the context thereof.
Liability
- Second, and for the avoidance of doubt, the case law[3] of the European Court of Justice provides that a company that uses online advertising systems that process personal data to target advertising and to generate reports is a “data controller” in the meaning of Article 4(7) of the GDPR.
- Your company uses such systems in the European Economic Area (EEA). It is therefore a data controller, including for processing undertaken by diverse associated processors.
- In particular, your company makes extensive use of a system called “Real Time Bidding” (RTB) to buy web and mobile advertisement spaces. The 2 February decision describes that RTB system as follows:
a system posing great risks to the fundamental rights and freedoms of the data subjects, in particular in view of the large scale of personal data involved, the profiling activities, the prediction of behaviour, and the ensuing surveillance of data subjects.[4]
- In addition, your company and associated processors make extensive use of the TCF in order to collect and process personal data in the RTB system described above. The 2 February decision found this is unlawful.[5]
- We draw to your attention two separate liabilities that arise from your use of RTB and the TCF in violation of the GDPR.
i. Article 83(5) of the GDPR provides that supervisory authorities may impose administrative fines of 4% of total worldwide annual turnover for the preceding financial year on a group of undertakings that is active in the EEA.
ii. In parallel and separate to administrative fines, Article 78 of the GDPR gives all individuals affected the right to a judicial remedy. Article 82(1) provides that “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”.
Article 82(2) of the GDPR provides that “any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation”. Paragraph 4 of that same article provides that (emphasis added) “each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject”.
These material risks arising from your company’s use of RTB, and from its use of the TCF, are on a scale that merits more detailed disclosure in upcoming 10-Ks.
“Consent spam”
- In addition, your company is on the Board of a body called “Partnership for Responsible Addressable Media” (PRAM),[6] which has introduced and promoted a “Global Privacy Platform” derived from the TCF. This brings the nuisance of popup “consent spam” to the United States.
- However, mechanisms modelled on the TCF such as the “CCPA Framework” and “Global Privacy Platform” are unlawful in any jurisdiction that has analogous provisions to any Article cited above, in paragraph 4. Therefore, we request that your company retire the Global Privacy Platform in particular, and reconsider PRAM as a whole.
- In view of the seriousness of the matters discussed above, please confirm you will take these actions no later than fourteen days hence.
Yours sincerely,
Dr Johnny Ryan FRHistS
Senior Fellow
ICCL
Alan Butler
Executive Director
EPIC
Notes
[1] The decision is available in English at www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-21-2022-english.pdf.
[2] See paragraph 490 of the decision regarding the infringements of Article 44 onward.
[3] Wirtschaftsakademie, etc.
[4] Paragraph 545 of the decision.
[5] Paragraphs 429, 440, 535.
[6] Governing Group members listed at https://www.responsibleaddressablemedia.com/participants