Landmark ruling set to say GDPR consent pop-ups are ‘illegal’

Landmark ruling set to say GDPR consent pop-ups are ‘illegal’

The entire system for getting user consent for data tracking in online advertising – including pop-ups asking for permission to use cookies, is about to be ruled as illegal by a key European regulator, according to campaigners.

IAB Europe has been found to have breached GDPR, Europe’s data privacy law, with its Transparency & Consent Framework by the Belgian Data Authority (the APD), according to a statement by the Irish Council for Civil Liberties (ICCL).

The TCF is a technical standard for encoding user preferences about their personal data, and effectively makes up a set of best-practice guidelines for collecting and processing data for ad targetting.

The ICCL, one of the coordinators of the legal proceedings, said in a statement on their website: “The online advertising industry and its trade body, “IAB Europe”, have been found to have deprived hundreds of millions of Europeans of their fundamental rights.”

It added: “These [consent] popups purport to give people control over how their data are used by the online advertising industry. But in fact, it does not matter what people click.

“For almost four years, websites and apps have plagued Europeans with this ‘consent’ spam. But our evidence reveals that IAB Europe knew that conventional tracking-based advertising was ‘incompatible with consent under GDPR’ before it launched the consent system.”

However, Filip Sedefov, legal director, privacy at IAB Europe, told Mediatel News: “There is no ruling nor decision by any DPA [Data Protection Authority] at this point.”

Such a ruling could have wide-ranging implications for many companies and publishers as well as online advertisers, including Google, that has used IAB Europe’s Transparency & Consent Framework (TCF) for years.

Each European Union member state has a national data protection authority, as does the UK, which had chosen to adopt the GDPR into UK law after Brexit. But Belgium is the “lead supervisory authority” under the GDPR “one-stop-shop” mechanism and it is assumed other EU countries would follow its lead.

If IAB Europe is found to have breached GDPR regulations, this could effectively invalidate every Consent Management Platform that uses the framework by making cookies collected by publishers unconsented which in turn could mean advertisers are unable to use cookie attributes to target consumers with their campaigns.

The group of complainants across Europe include: Panoptykon Foundation (Poland), Stichting Bits of Freedom (the Netherlands), Ligue des Droits Humains (Belgium), Dr Jef Ausloos, Dr Pierre Dewitte, and Dr Johnny Ryan.

The IAB Europe had released a statement earlier today that the Belgian data protection authority was close to finalising a draft ruling that would conclude the long-running investigation.

The statement added:  “The draft ruling is expected to be shared with other Data Protection Authorities (DPAs) in the coming two-three weeks under the Cooperation Procedure laid down in the GDPR.  Those DPAs will have 30 days to review it. Depending on the outcome of that review, the APD may adopt a final ruling or the matter may be referred to the European Data Protection Board for a binding decision.”


Media Jobs