IAB Pop-ups are Not GDPR Compliant

On the 2nd February 2022, the Belgian Data Protection Authority (acting on behalf of the EU) made a draft ruling that cookie consent popups (the ones you see when you go to a website and it asks for consent to track you) are not GDPR compliant. We delve into the detail.

 

On the 2nd February 2022, the Belgian Data Protection Authority (acting on behalf of the EU) made a draft ruling that cookie consent popups (the ones you see when you go to a website and it asks for consent to track you) are not GDPR compliant.

We’ll delve into the detail of what’s going on but first let’s address what you, as a brand with a website with a popup, might want to know what you need to do right now. Please note that this is our opinion only – check with your legal team for official legal guidance.

 

What do I need to do right now?

First of all, since this impacts the IAB Transparent Consent Framework (TCF) which is used across Europe by thousands of sites, you’re not alone (in fact most sites which you’ll read these very articles on still use the TCF).

Secondly, since it’s a draft ruling, the details of which haven’t been made public, all we can do right now is wait for the final ruling as well as understanding the matter and getting ready to make changes if required.

We predict that the IAB will update the TCF, meaning that websites will need to adjust their site settings to be compliant. We can’t say what timeframe will be available for these changes however so it may be worth thinking about this now if you know that changes to site settings can be slow. There may also be a requirement to delete data collected through these popups. The IAB is required to make these changes within the next 6 months (but submit their changes to the court within 2 months).

For now, interpretations on the ruling seem to vary quite significantly depending on the source and we would therefore recommend that your legal or compliance teams are made aware of the situation.

A draft ruling can be seen here. This is an unofficial translation from Dutch with the full release to follow in the next month or so:

https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-21-2022- english.pdf

There’s also an FAQ on the IAB’s website here incase you wish to forward this onto your legal or compliance teams:

https://iabeurope.eu/wp-content/uploads/2022/02/APD-Decision-FAQ-v1-1.pdf

We will keep you apprised of any updates on the matter as they become available.

Taking a step back, we’ll now get into the detail of what the TCF is, why the ruling has come and what the IAB intends to do about it.

What is the Transparent Consent Framework (TCF)?

The TCF is a technical standard for encoding user preferences about their personal data, and effectively makes up a set of best-practice guidelines for collecting and processing data for ad targeting.

As a user, the TCF is the popup that appears asking you what information you’re happy to share and how you are tracked. It was put in place in an attempt to both allow sites to be GDPR compliant as well as allowing them enough tracking ability to be able to monetise their inventory through targeting of ads.

What is allegedly wrong with the TCF?

The complainant stated that the TCF is at fault across 5 key areas:

  1. Fails to ensure personal data is kept secure and confidential (Article 5(1)f, and 32 GDPR).

  2. Fails to properly request consent and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by the online advertising tracking (Article 5(1)a, and Article 6 GDPR).

  3. Fails to provide transparency about what will happen to people’s data (Article 12, 13, and 14 GDPR).

  4. Fails to implement measures to ensure that data processing is performed in accordance with the GDPR (Article 24 GDPR).

  5. Fails to respect the requirement for “data protection by design” (Article 25 GDPR).

How did this come about?

The action against IAB Europe’s system was initiated by complainants to the BE DPA from various organisations in Belgium, the Netherlands, Poland and Ireland – the Irish Council for Civil Liberties (ICCL) coordinated the action. It stems from an initial complaint made in 2018 by Johnny Ryan of the ICCL.

How long does the IAB have to fix these issues?

The IAB has 6 months to rectify the issues but must submit their proposal to the Belgian Data Protection Agency within 2 months.

If the IAB appeal (and we hear they may) then they have 30 days to do so.

Are there any fines imposed on the IAB?

The IAB has been fined €250,000

Why has this happened?

I’d argue that this is a failing of the EU to properly legislate around GDPR (and I think we all remember how unclear it was at the time of introduction). Had the legislation been clear, there would have been no grey areas meaning that the IAB would have created a more rigorous and compliant framework.

What does this mean for advertisers?

In the immediate future, any advertiser using the IAB’s TCF should ensure that they remain compliant with latest GDPR rulings. This may impact retargeting and lookalike targeting particularly via programmatic activity so please be aware that if/when new changes are implemented, performance on these channels may see a temporary decline. This will be particularly true if past data is required to be deleted. These performance dips will be most pronounced on DR activity

Longer term, this only serves to cement the coming changes around privacy from iOS14.5 and Google Chrome cookie deprecation. This means that advertisers that should focus on reliable data sources such as 1st party data and look towards premium inventory or context to drive relevance and reach at scale.