A day of reckoning for IAB and Adtech

In a damning verdict, the Belgian Data Protection Authority ruled the illegality of IAB cookie consent banners. Also known as Transparency and Consent Framework, the system lacks security, transparency, and disregards our choices by abusively claiming a “legitimate interest” in turning our No to online surveillance into a Yes.

If the Belgian Authority already sent a “warning shot” in November 2020, their decision looks more like an ultimatum. The Belgian decision was issued under the GDPR consistency mechanism and is supported by 21 EU data protection authorities. This leaves the adtech industry with no place left to hide: the IAB will have to drop their endless line of denials, deceits, and face the harsh reality in front of them. They were given a few months to completely redesign their adtech system and solve what are seen as radical and fundamental failures to comply with the GDPR.

This ruling comes as a result of the Adtech RTB complaint that was lodged in the UK and Ireland by Jim Killock from the Open Rights Group, Micheal Veale from UCL and Johnny Ryan now at the Irish Council for Civil Liberties. It feels bittersweet to compare the success of our EU adtech coalition partners against the failed approach that the Information Commissioner’s Office and the UK Government have taken in this field.

Indeed, the ICO resisted calls to enforce the law against the IAB and the adtech industry, despite issuing an update Report in 2019 that largely anticipated what the Belgian DPA have ruled. At the same time, the UK Government launched a delusional proposal for a new UK data non-protection framework that would set the British clock back to a digital stone age, and condone morally bankrupt practices such as those perpetrated by the IAB.

Why is the IAB TCF a Problem?

Every time you visit a website, chances are that everything you do, read and watch is recorded and broadcasted to thousands of dodgy companies. Allegedly, this is to serve you with “advertisements that are relevant to you”. However, these same shady companies use this information to discriminate at scale, charge you more for purchases and products, and exclude you from housing or job advertisements. It is also the system that powers the toxic Internet made of rage factories, radicalising content and filter bubbles.

No one would ever accept such an offer, and this is where the IAB Transparency and Consent Framework plays its role. By spamming thousands of unintelligible, annoying and abusive cookie banners on the Internet, the IAB turn online surveillance into an offer you cannot refuse

This violates data protection laws, that require organisations to collect as little data as possible, use them in legitimate ways, and put the steering wheel into the hands of the individuals whose data is being used. 

What does the Belgian decision say?

While the IAB held to the bitter end that they were not responsible for their own creation, the Belgian Data Protection Authority set the record straight. They ruled that the IAB failed to ensure the security, legality, transparency, accountability, and privacy design and by default of their system. The IAB were ordered to address these shortcomings.

This is a task they will likely try to evade, last but not least because they made similar (empty) promises to the ICO years ago. Further, adtech data flows are designed to be complex and opaque, and certainly not meant to provide any meaningful control and security over thousands of dodgy businesses. Finally, they would be forced to give Internet users simple choices to reject or ignore cookies consent requests. When Apple implemented such a simple yes or no consent box in their iOS systems, the reject button was pushed 96% of the times

This would be bad news for dodgy adtech companies, but an extraordinary leap forward for the Internet and its netizens, who had to tolerate this crap for way too long.

What about the United Kingdom?

The Information Commissioner’s Office could have been at the forefront of the regulatory sweep and progress we are witnessing today. Together with the Irish DPC, they were the first Data Protection Authority to receive this complaint in 2018. One year later, they issued a first update report that ascertained the poor state of data protection compliance in the adtech sector.

Instead of acting upon these findings, the ICO stalled and issued a second report three years later, focusing again on adtech failures in proposing legal alternatives to these broken systems. When challenged by the Open Rights Group, they claimed that the adtech reform had started, and that the IAB was already taking steps to improve their practices. Two years have passed since then: we hope that the stark contrast between what the ICO claimed and the findings of their Belgian counterpart will spark some self-reflection over their regulatory approach.

Finally, while the ICO clearly took a wrong step, leadership from the Government is noticeably lacking. With “data a new direction” the Government didn’t only draw plans for a bonfire of UK residents’ digital rights. They went as far as to propose “the removal of the requirement for prior consent for all types of cookies” — in essence, a full liberalisation and legalisation of these data abuses. 

In other words, the UK Government is taking side with a status quo that benefits no one but the unworthy and that everyone else is seeking to abolish, from the United States to the European Union. This would turn the Country into a safe heaven for digital crooks and unethical, predatory businesses: a rather poor display of character, and an unfair representation for the UK.

Hear the latest

Sign up to receive updates about Open Rights Group’s work to protect our digital rights.