Following an investigation, the Belgian Data Protection Authority (DPA) has found that IAB Europe – the online advertising industry's trade body – tried to sidestep their way around their responsibilities under GDPR.
In fact, they found that IAB has committed multiple violations of GDPR legislation in the way it processes data collected through the "Transparency and Consent Framework" – which are the cookie banners that you see pop up on so many sites around the internet. As a result of the investigation, IAB Europe has been hit with a fine of €250,000.
"Legitimate interest" is not good enough
The Belgian DPA has determined that claiming legitimate interest is not a lawful basis for placing cookies on a device. It must be consent, using the new, revised, definition as set out under GDPR. Because of this, the Belgian DPA determined the IAB Europe was in fact a data controller under GDPR, not just a processor, as it was IAB that handled the design of the banners that companies were placing on their websites to get permission to set cookies.
That means that they were also required to abide by GDPR, something the Belgian DPA has ruled they were both entirely aware of and entirely failed to do. Specifically, they've found IAB Europe in breach of multiple articles, with failures including that they:
- Did not establish a legal basis for processing
- Failed to appoint a data protection officer (DPO)
- Failed to carry out a data protection impact assessment
- Failed to maintain a register of processing activities
The Belgian DPA also stated that the TCF system made it difficult for users to "maintain control over their personal data," as the information provided is "too generic and vague to allow users to understand the nature and scope of the processing".
IAB sanctioned
The size of the fine is due to the Belgian DPA's concern that "the TCF may lead to a loss of control of their personal information by large groups of citizens". IAB Europe has been given two months to come up with a plan that brings the Transparency and Consent Framework into compliance. IAB Europe has also been ordered to scrub their systems of all personal data already collected through the TCF system, but this directive doesn't just impact them. There are over 1,000 companies that use IAB Europe and the TCF and they are required to remove all this data from their systems, as well. The list of companies that collected data through the TCF includes Google, Amazon, and Microsoft's online advertising businesses.
Today's decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies.
IAB Europe has, perhaps unsurprisingly, rejected the Belgian DPA's decision that they are a data controller, issuing a statement claiming that: "We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry" and that they are "considering all options with respect to a legal challenge". So, we can expect the legal wrangling on this one to go on for a while.
What this means for you
All of this follows a complaint about the insecurity of the online advertising "Real-Time Bidding" (RTB) system initiated by Dr. Ryan back in 2018. RTB is defined as a tool designed to "improve sales of pre-determined advertising space through real-time data-driven marketing and personalized (behavioral) advertising". RTB allowed online advertisers to look at the cookie info collected through the TCF banners and show ads to all those people.
The decision of the Belgian DPA now means all this information that was shared with these advertisers was collected illegally as the argument of "legitimate interest" does not apply and IAB Europe is going to have to come up with a better argument than "but we're not a data controller" to avoid further sanction. While this won't put an end to all those annoying "do you agree to cookies?" banners, it does hopefully mean an end to such overt tracking simply for marketing, and that our data won't be sold on to (who knows how many) third parties.