Is this the beginning of the end for the hated tracking cookie consent pop-up? A flagship framework used by Google and scores of other advertisers for gathering claimed consent from web users for creepy ad targeting looks set to be found in breach of Europe’s General Data Protection Regulation (GDPR).
A year ago the IAB Europe’s self-styled Transparency and Consent Framework (TCF) was found to fail to comply with GDPR principles of transparency, fairness and accountability, and the lawfulness of processing in a preliminary report by the investigatory division of the Belgian data protection authority.
The complaint then moved to the litigation chamber of the DPA — and a whole year passed without a decision being issued, in keeping with the glacial pace of privacy enforcement against adtech in the region.
But the authority is now in the process of finalizing a draft ruling, according to a press statement put out by the IAB Europe today. And the verdict it’s expecting is that the TCF breaches the GDPR.
It will also find that the IAB Europe is itself in breach. Oopsy.
The online advertising industry body looks to be seeking to get ahead of a nuclear finding of non-compliance, writing that the DPA “will apparently identify infringements of the GDPR by IAB Europe,” and trying to further spin the finding as “fixable” within six months (it doesn’t say how, however) — while simultaneously implying the breach finding may not itself be fixed because other EU DPAs still need to weigh in on the decision as part of the GDPR’s standard cooperation procedure (which applies to cross-border complaints).
The preemptive statement (and its Friday afternoon timing) looks very much like the IAB Europe trying to both fuzz and bury bad news and thereby calm the nerves of the tracking industry ahead of looming headlines that a flagship tool is unlawful — something EU privacy campaigners have of course been saying for literally years.
In terms of timing, a final verdict on the investigation is still likely months off — and may not emerge ’til deep into 2022. Appeals are also almost inevitable. But the tracking industry’s problems are starting to look, well, appropriately sticky.
In the short term, the IAB says it expects a draft ruling to be shared by Belgium with other EU DPAs in the next two to three weeks — at which point they get 30 days to review it and potentially file objections.
If DPAs don’t agree with the lead authority’s finding and can’t agree among themselves, the European Data Protection Board may need to step in and take a binding decision — such as happened in another cross-border case against WhatsApp (which led to a $267 million fine, a larger penalty that the lead DPA in that case had originally proposed).
So this GDPR cooperation mechanism can spin procedures out for many more months yet.
Complainants against the IAB Europe and its TCF, meanwhile, told us they have not seen nor been given details of the draft ruling by the DPA.
So it looks pretty whiffy that the ad industry body has had sight of an incoming decision ahead of the other parties to the complaint.
But one of complainants, the Irish Council for Civil Liberties’ Johnny Ryan, quickly posted a press statement of his own, in which he writes: “We have won. The online advertising industry and its trade body, ‘IAB Europe’, have been found to have deprived hundreds of millions of Europeans of their fundamental rights.
“IAB Europe designed the misleading ‘consent’ pop-ups…
