IAB Europe fined over GDPR ‘consent spam’

IAB Europe fined over GDPR ‘consent spam’

A leading European data authority has ruled IAB Europe’s consent framework breaks GDPR Rules and has imposed sanctions, including a fine.

The Belgian Data Protection Authority (APD) found the Transparency and Consent Framework (TCF) developed by IAB Europe does not comply with multiple GDPR regulations after an ongoing investigation since 2019.

This framework is widely used for online advertising to manage users’ preferences, including pop-ups asking for permission to use cookies for data tracking in online advertising, and real-time bidding in programmatic advertising.

The ICCL, one of the coordinators of the legal proceedings, said in a statement on their website that this consent popup system is on 80% of the European internet and that the ruling today has shown that this “consent spam” has “deprived hundreds of millions of Europeans of their fundamental rights.”

The APD found the TCF breached four elements of GDPR rules including lawfulness, transparency and information of the users, accountability, security and data protection by design/by default and other obligations pertaining to a controller processing personal data on a large-scale.

The Belgian Data authority is the “lead supervisory authority” under the GDPR “one-stop-shop” mechanism so it is assumed other EU countries would follow its lead.

The APD has handed IAB Europe a €250.000 fine and given them two months to show they are making the framework GDPR compliant.

In a statement on its website, IAB Europe said: “IAB Europe acknowledges the decision announced today by the Belgian Data Protection Authority (APD) in connection with its investigation of IAB Europe.  We note that the decision contains no prohibition of the Transparency & Consent Framework (TCF), as had been requested by the complainants, and that the APD considers the purported infringements by IAB Europe that it has identified to be susceptible of being remedied in six months.

“We reject the finding that we are a data controller in the context of the TCF.  We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry.  We are considering all options with respect to a legal challenge.

“Notwithstanding our grave reservations on the substance of the decision, we look forward to working with the APD on an action plan to be executed within the prescribed six months that will ensure the TCF’s continuing utility in the market.  As previously communicated, it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct. Today’s decision would appear to clear the way for work on that to begin.”

Read our previous story on IAB Europe Transparency and Consent framework here:

Landmark ruling set to say GDPR consent pop-ups are ‘illegal’

Media Jobs