IAB Europe Violated Multiple Provisions of the GDPR with its GDPR Consent Popup System


The Belgian data protection authority (APD) has issued its final decision on a complaint against the digital advertising trade association, Interactive Advertising Bureau (IAB) Europe. The APD has found the pop-up legal form system used by IAB Europe and relied upon by digital advertising firms is not compliant with the General Data Protection Regulation (GDPR). The pop-up forms are used on around 80% of websites accessible to European Union visitors to obtain consent to track them across the Internet.

On May 25, 2018, the GDPR took effect and introduced a slew of new requirements to protect the privacy of EU citizens, including a requirement for advertisers to obtain permission from website visitors before tracking them as they browsed the internet to serve them relevant adverts. In 2018, Dr. Johnny Ryan of the Irish Council for Civil Liberties lodged a complaint with the APD concerning the insecurity of the online advertising Real-Time Bidding (RTB) system.

IAB Europe has been guiding the online advertising industry on the legal requirements of data privacy laws, including those covering the capture of personal data and the tracking of website visitors across the Internet. The IAB’s Transparency & Consent Framework (TCF) is used by many companies that engage in online advertising and involves serving pop-up forms to obtain permission to track users. The pop-up forms are used to comply with the requirements of the GDPR, but IAB Europe has been found to have committed multiple violations of the GDPR in relation to the processing of personal data related to the TCF and the real-time bidding system, OpenRTB, which deprived hundreds of millions of Europeans of their fundamental rights.

Specifically, IAB Europe violated the GDPR in several areas:

  • The TCF system does not ensure personal data are kept private and confidential, in violation of Articles 5(1)f and 32 of the GDPR
  • The TCF system does not properly request consent and relies on a ‘legitimate interest’ as the lawful basis for processing data, which is not permissible due to the severe risk posed by online tracking-based RTB advertising, in violation of Articles 5(1)a and 6 of the GDPR
  • There is a lack of transparency about what happens to the personal data of EU citizens, in violation of Articles 12, 13, and 14 of the GDPR
  • There was a failure to implement measures to ensure data processing is performed in accordance with the GDPR, in violation of Article 24 of the GDPR
  • There was a failure to respect the requirement for data protection by design, in violation of Article 25 of the GDPR
  • IAB Europe failed to maintain records of data processing, in violation of Article 30 of the GDPR
  • IAB Europe failed to conduct a data protection impact assessment, in violation of Article 35 of the GDPR
  • IAB Europe failed to appoint a Data Protection Officer, in violation of Article 37 of the GDPR

The APD determined that IAB Europe was negligent and aware of the risks of non-compliance, and said IAB Europe “supports a system posing great risks to the fundamental rights and freedoms of the data subjects, in particular in view of the large scale of personal data involved, the profiling activities, the prediction of behavior, and the ensuing surveillance of data subjects.”

IAB Europe was fined €250,000 for the violations. The fine may seem particularly lenient given that the maximum financial penalty is €20 million, or 4% of global annual turnover for the previous fiscal year, whichever is greater. The turnover of IAB Europe was €2.5 million in 2020, and the APD took this business volume into account when calculating the fine.

The complainants were trying to get the TCF system banned, but the APD instead gave IAB Europe a 6-month deadline for correcting the compliance issues in the TCF, after which a financial penalty of €5,000 per day will be imposed until the system is made compliant. In addition to the financial penalty, IAB Europe is required to delete any data that has been collected illegally.

There are much wider implications, as all advertisers that use the system, including Google, Microsoft, and Amazon, will also need to delete the data they have illegally collected through the TCF system.

“Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies,” said Dr. Ryan.

IAB Europe is considering a legal challenge to the final decision of the APD. “We reject the finding that we are a data controller in the context of the TCF. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge,” said IAB Europe in a statement.