IAB’s Consent Mechanism Illegal

Whether you regularly click on the ‘accept all’, or you carefully go through the permissions to ‘save preferences’; the truth is that those marketing consent pop-ups don’t pass muster with European GDPR regulations.

In fact, the Belgian DPA ruled, in February 2022, that the IAB’s Transparency and Consent Framework (TCF) violates GDPR and European law. (press release)

The underlying claims are that the TCF does not process personal data securely, as required by GDPR. Alongside these claims, the Litigation Chamber of the DPA found that the definition of ‘legitimate interest’ has not been properly defined and that data is routinely sold ‘hundreds of times a day’ which contravenes the law in Europe.

As a result of this finding, the Litigation Chamber of the Belgian DPA has imposed a fine of €250,000 on IAB Europe. The IAB have also been ordered to bring their data collection framework into alignment with the European laws within six months. 

The DPA has also informed IAB Europe that it needs to delete all information collected as part of the TCF ‘without undue delay’. In short, the raw materials for ad targeting used by Google, Facebook, Amazon and the ad platforms have been ruled illegal and need to be deleted for European Union users.

How we got here…

The Interactive Advertising Bureau (IAB) is an American based business whose aim is to maintain digital standards online. This includes helping advertising platforms and publishers to stay on the right side of the law with regards to data processing – such as collecting third party cookies.

However, the Irish Council for Civil Liberties (ICCL) brought a lawsuit against the IAB alleging that the European framework, the TCF, does not meet the standards of European law and violates privacy rights, despite its intention to protect them.

Johnny Ryan of the ICCL, previously an ad-tech professional, said in an interview with Forbes, “The tracking industry sought to cover the underlying huge data breach in online advertising.

“They tried to make that problem go away with ‘OK’ buttons, but the industry knew is not possible to ask for someone ‘OK’ a data breach. You have to know what you’re asking for.”(sic)

What does this mean for digital marketing?

Essentially, those pop-ups asking for your consent have been ruled illegal in Europe. By extension, this ruling will likely also be applicable to other regional data protection laws such as California’s CCPA. It may be a matter of time before a similar lawsuit is brought against the IAB in different territories.

For digital marketers using real-time bidding ads anywhere online, such as Google Ads, the consequences will translate to less targeted ads within Europe.

However, although the ruling says that ad-tech platforms information on consumers needs to be deleted, it’s likely that we’ll see a legal counter from the IAB, which will mean the ruling is not acted on immediately.

In fact, despite this ruling, the IAB Europe have released a statement that the ruling is: “…wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge.”

This announcement also comes after Google’s attempt to change the way data is collected online was rejected. The 2021 announcement around moving to ‘cohorts’ was designed to help keep online users anonymous. However, the move was widely rejected and seen as ‘more of the same’ as the major ad platforms struggle to keep up with their commitments to providing a privacy first web experience.

For the moment at least, digital marketing remains ‘business as usual’. But the increasingly vocal calls for less tracking and more transparency around what data is held by the digital giants is putting the pressure on.

Expect this to be ongoing news for a few more years yet.