GDPR Consent Pop-Ups Likely to be Deemed ‘Illegal’

Due to a recent ruling by the Irish Council for Civil Liberties (ICCL), which found hat IAB Europe breached the European Union’s General Data Protection Regulation (GDPR) with its Transparency & Consent Framework (TCF) by the Belgian Data Authority (the APD), the tactics for obtaining user consent for data tracking in online advertising. 

This includes using pop-ups asking for authorization to use cookies

TCF is a technical standard for encoding user preferences in relation to their personal data. Essentially it is composed of a list of best-practice recommendations for gathering and processing data for advertising targeting purposes. 

This ruling could have a huge impact on businesses working in the EU that have been using the IAB Europe’s Transparency & Consent Framework (TCF).

A statement released by the ICCL,via their official website states: “The online advertising industry and its trade body, “IAB Europe”, have been found to have deprived hundreds of millions of Europeans of their fundamental rights. These [consent] popups purport to give people control over how their data are used by the online advertising industry. But in fact, it does not matter what people click. For almost four years, websites and apps have plagued Europeans with this ‘consent’ spam. But our evidence reveals that IAB Europe knew that conventional tracking-based advertising was ‘incompatible with consent under GDPR’ before it launched the consent system.”

Each European Union member state has a national data protection authority, as does the UK, which had chosen to adopt the GDPR into UK law after Brexit.  As Belgium is considered as the lead supervisory authority under the GDPR the normal course of events if all EU member states follow its lead in relation to ruling like this. Should it happen that IAB Europe are ruled to have violated GDPR it would mean that every Consent Management Platform that employs the framework by making cookies gathered by publishers unconsented which in turn could mean advertisers are unable to use cookie attributes to target consumers with their campaigns.

The group of complainants across Europe include: Panoptykon Foundation (Poland), Stichting Bits of Freedom (the Netherlands), Ligue des Droits Humains (Belgium), Dr Jef Ausloos, Dr Pierre Dewitte, and Dr Johnny Ryan.

IAB Europe released a statement previously which said that the Belgian data protection authority was close to finalising a draft ruling to bring the matter to a close. It said: The draft ruling is expected to be shared with other Data Protection Authorities (DPAs) in the coming two-three weeks under the Cooperation Procedure laid down in the GDPR.  Those DPAs will have 30 days to review it. Depending on the outcome of that review, the APD may adopt a final ruling or the matter may be referred to the European Data Protection Board for a binding decision.”