This week, European authorities struck a massive blow to the digital data-mining industrial complex with a new ruling stating that, quite simply, most of those annoying cookie alert banners that sites were forced to onboard en masse after GDPR was passed haven't… actually been compliant with GDPR. Sorry.
The ruling, announced on Wednesday by Belgium's Data Protection Authority, comes at the tail end of a years-long investigation into one of the biggest advertising trade groups in the EU, Interactive Advertising Bureau Europe (or IAB Europe, for short). In 2019, about a year after GDPR rolled out, the Data Protection Authority reports it started getting a stream of complaints against the IAB for “breaching various provisions of the GDPR” and countless people's privacy with the technical standards it created to govern those consent pop-ups.
Now, three years later, it looks like those tips were right: the Authority fined IAB Europe $280,000, ordered the group to appoint a data protection officer, and gave it a two-month deadline to get its tech into compliance. Any data that the group collected through this illicit tech also needs to be deleted.
The ruling is great news for privacy buffs who have been calling out those ugly, oftentimes downright manipulative cookie pop-ups from the get-go, but it's also not necessarily a surprise. In an apparent attempt to get ahead of the bad press, IAB Europe issued a statement last November that the upcoming ruling would “apparently identify infringements of the GDPR by IAB Europe,” but that those infringements would be fixable, and those cookie consent banners would keep on chugging within months of the Belgian ruling.
But that statement came in 2021. For those who work on the so-called “sell side” of the digital ad industry—tech operators who work hand-in-hand with digital media outlets and other sites across the web—this decision was inevitable. I spoke with three of these industry experts, all of whom asked not to be cited by name for fear of professional retribution, thanks to the sway IAB holds over the industry.
While the ruling showed that GDPR is very much still in effect, it doesn't do a lot to explain how blatant some of these infringements were, or how loudly critics inside the industry had been raising red flags. Simply put, when the GDPR asked the adtech industry to get consent from users before tracking them, the IAB responded with a set of guidelines with loopholes large enough that data could still get through anyway, without consent. And now that these practices are out in the public, nobody seems sure how to make them stop.
But really explaining how IAB Europe fell afoul of GDPR is complicated, even by adtech's already impossibly confusing standards. So instead, I'm going to explain it using an analogy that pretty much everyone can understand: a bad date.
I know it sounds wild to compare a sweeping piece of European tech legislation to someone's nightmare Tinder experience, but both are centered around the same thing: consent. That's why regulatory types will often champion GDPR as the gold standard of privacy laws—while laws like CPRA in the U.S. allow people to claw back their data from the companies after they've mined it, the California law doesn't change the fact that this mining happened in the first place, regardless of whether users wanted it to happen or not. GDPR, on the other hand, mandates that sites obtain users' consent to track them before that tracking happens, the same way a decent date would (hopefully) ask to make out before slobbering all over you at the bar.
On paper, consent is just an agreement between two people (or a person and a website). But your Tinder date might have different thoughts about what “an agreement” means than you do. If they ask to do some slobbering and you brush it off with a laugh, they might take that lack of “no” as a “yes.” They might also ply you with drinks or intimidate you into getting out the “yes” they're looking for, which is—and I can't stress this enough—not consent. And even if you can't articulate what consent looks like in the moment, you probably know in your gut what it feels like: Consent is a “yes” that's unambiguous and freely given.
That's exactly how GDPR defines the term, too. In order for a site to track you, Article 4 of the regulation notes that it needs to obtain a “freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” And no pre-ticking consent boxes, either, buster.
But that little tick is, quite literally, just a tiny pile of snow at the top of a massive iceberg. On every page you're visiting, there could be a few, or dozens, or even hundreds of tiny tech companies working together to turn whatever data gets exposed through the webpage you're visiting into some kind of targeted ad. By the time that annoying ad for some ugly t-shirt pops up on a blog you're reading, there have already been countless algorithmic bidding wars on that ad space—the spot on the page where an ad appears—that are each their own Olympic feats of Big Tech gymnastics. If this all wasn't so invasive and upsetting, it would almost be kind of impressive.

In other words, the way web tracking works isn't really like a single guy being a sleaze at the bar; it's more like a conga line of sleazes. And in order to get your consent, this Tinder guy (let's call him “Devin”) that you just met is legally required to go with you down the row and, one by one, get your consent to smooching up on each of these other guys before a single smooch could ever happen.
You might be thinking, “Geez, if I was the Devin in this scenario, I'd just give up on getting consent for all my weird friends, and just try to be sleazy on someone with lower standards.” And you're not alone! In the leadup to GDPR going into effect, countless recipe blogs, news outlets, and just regular-old personal blogs looked at this seemingly impossible standard EU regulators were now mandating from them and just… panicked. Who could blame them?
“The thing that almost every publisher was worried about was that they were going to do all this work and get hit by regulators anyway,” said one adtech engineer who also asked to remain anonymous out of fear of retribution from the IAB. “The language of the law didn't get clear about how the technical method was supposed to work, what you could or couldn't block off, what level of ID you were allowed to ask a user for, etc.”
Rather than try to parse a law that was, as he put it, “both not specific enough and too specific” to actually be effective, some publishers just left. In GDPR's immediate aftermath, more than 1,000 news sites were suddenly unavailable when visited from the EU, with the bulk being smaller, local outlets, according to a list that one researcher compiled at the time. That's not a coincidence; while the New York Timeses and Washington Posts could afford a legal team and tech setup to stay put without being threatened with GDPR's massive fines, local outlets were already struggling.
But this still left countless websites active in the EU that needed consent from their visitors once GDPR came into force. Enter the IAB. Because a lot of adtech is pretty much unregulated, the massively influential trade group has come to be accepted as the one to set the guidelines for advertisers, publishers, and everyone else to follow in order to keep them from running afoul of privacy laws. Both the IAB and its European wing are really, really serious about lobbying, which means that—ideally—the organization would know exactly what makes these laws tick, and how the industry could accommodate them.
So, naturally, IAB Europe was responsible for coming up with the standards for websites that wanted to obtain user consent without effectively breaking their site in the process. And then, according to the industry experts I spoke with, they kept waiting. In April 2018—literally a month before GDPR was set to come into effect—IAB Europe debuted its new standards: the so-called “GDPR Transparency and Consent Framework” (or TCF) that websites were told would collect consent in a comprehensive, standardized way, while also funneling that consent back to the third-party partners each site works with.
This framework, to be blunt, looked like a hot mess. There were a few glaring issues critics pointed out right off the bat, but one of the biggest was that the framework encouraged sites to bundle all their requests for consent—from every third party they work with—under a single “accept all” button, without the need to actually disclose every one of the many, many partners that were hiding under that button.
In other words, these guidelines suggested that Devin just hide all his buddies inside a trench coat, with the implicit understanding that if you agreed to smooch him, you'd agree to smooch all of them, too. But that's not how consent works IRL, and that's not how consent is supposed to work under GDPR.
So, when these new TCF specs were dropped in their laps with a month to go before European laws changed in major ways, website operators were faced with a pretty crummy choice: go through the expensive and mind-numbing legal process of bringing their site into compliance on their own, or go with what the IAB was presenting.
As one person in charge of advertising revenue at a major publication put it, IAB's standards seemed bent on adhering to the letter of the law while ignoring the spirit of the law. Another industry expert thought the TCF standards seemed purposefully complicated to allow publishers to skirt regulation.
But without other options, publishers—begrudgingly or otherwise—decided to follow the TCF standards anyway. As one expert explained, the implicit understanding was that if anyone would take the fall for shoddy privacy compliance, it would be the IAB, and not them. And so far, at least, that's exactly what's happened. While the Data Protection Authority fined IAB Europe, it hasn't gone after publishers themselves, even though they're also breaking GDPR by using the TCF standards.
To follow the framework, publishers were required to onboard another third-party piece of ad software called a “consent management platform,” or CMP, that would be responsible for collecting consent from users and beaming it where it needed to go. Those CMPs—and there are dozens of different ones—need to be registered with the IAB for “compliance” purposes, which also means forking over a roughly $1,700 fee upfront, and again each year they're on the list.
These CMPs are the ones responsible for plopping the dreaded cookie banner on the site. Behind the scenes, when you press “yes” or “no” on a site's request to track you, that choice gets stored in the form of a “consent string” on your browser. Unless you clear your browser cache (which, let's be honest, you should probably do), that webpage will load up that string every time you visit and pass it on to any third parties involved with serving an ad on the site—you know, that aforementioned chain of sleazy dudes.
Pretty quickly, though, it became clear that the rules laid out by TCF weren't going to cut it, and the cookie banners created in its wake were blatantly violating some of GDPR's core rules in all sorts of shady ways. Some would share people's consent preferences on a single site with every company that was partnered with the IAB, while others would leave site visitors with the option to accept cookies, but not the option to reject them. Others would just not work at all.
What eventually brought Google onboard was the IAB's new and improved TCF 2.0, which debuted about a year and a half after GDPR rolled out. We won't go into every change (you can read about those here), but in a nutshell: This new framework promised more power to publishers, more privacy to end-users, and less of a legal shitshow overall. But when digital advertising is a field that's flush with hundreds of billions of dollars per year and not nearly enough legal oversight, bad actors are going to be bad. Dark patterns continued to be dark even with the update, and middlemen further down the daisy chain from the CMP started offering alternatives meant to bypass these cookie banners entirely, meaning that the need for consent—which, again, is the core tenet of GDPR—would no longer be part of the equation.
In some absolutely cursed scenarios, CMPs began forging consent signals from end-users—literally turning their requests not to be tracked into a “yes, please track me”—with nobody, not even the IAB, checking in initially. Even after the trade group started auditing the vendors it worked with last fall, researchers outside the adtech sphere found that consent fraud was still very much happening, with seemingly no easy way to get bad actors to stop.
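The consent string described a few paragraphs up, and the forged-consent problem just described, are easiest to reason about with the actual bits in hand. The Python below is an added example, not IAB Europe's code or any CMP's: it encodes and decodes the leading fields and the vendor-consent bitfield of a TCF v2 core string, following the bit layout of the public spec as I recall it (an assumption; verify it against the published spec before relying on it in a real audit), and then runs the check a site operator would want: after a visitor clicks “reject all,” does the string the CMP actually stored grant zero purposes and zero vendors? The CMP id 999, vendor list version 100, vendor ids and timestamps are constructed sample values.

```python
import base64

# Leading fields of the TCF v2 core segment, in order, with bit widths.
# Assumption: this is the layout of the public TCF v2 spec as I recall it;
# check it against the published spec before using it in a real audit.
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36),
    ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
    ("consent_language", 12), ("vendor_list_version", 12),
    ("tcf_policy_version", 6), ("is_service_specific", 1),
    ("use_non_standard_stacks", 1), ("special_feature_opt_ins", 12),
    ("purposes_consent", 24), ("purposes_li_transparency", 24),
    ("purpose_one_treatment", 1), ("publisher_cc", 12),
]
LETTER_FIELDS = {"consent_language", "publisher_cc"}

# Constructed sample metadata for a fictional CMP (id 999); timestamps are
# deciseconds since the epoch, which is how the spec stores them.
SAMPLE_FIELDS = {
    "version": 2, "created": 16120000000, "last_updated": 16120000000,
    "cmp_id": 999, "cmp_version": 1, "consent_screen": 1,
    "consent_language": "EN", "vendor_list_version": 100,
    "tcf_policy_version": 2, "is_service_specific": 1,
    "use_non_standard_stacks": 0, "special_feature_opt_ins": 0,
    "purposes_li_transparency": 0, "purpose_one_treatment": 0,
    "publisher_cc": "BE",
}


def _letters_to_bits(code):
    # Two-letter codes are stored as two 6-bit values, A=0 .. Z=25.
    return "".join(format(ord(c) - ord("A"), "06b") for c in code.upper())


def _bits_to_letters(bits):
    return "".join(chr(int(bits[i:i + 6], 2) + ord("A")) for i in range(0, len(bits), 6))


def _ids_to_bitfield(ids, width):
    # Bit 1 (leftmost) is purpose/vendor id 1, bit 2 is id 2, and so on.
    field = ["0"] * width
    for i in ids:
        field[i - 1] = "1"
    return "".join(field)


def _bitfield_to_ids(bits):
    return {i + 1 for i, b in enumerate(bits) if b == "1"}


def encode_core(fields, purposes_consent, vendors_consent, max_vendor_id):
    """Build a core TC string carrying the given purpose and vendor consents."""
    bits = ""
    for name, width in CORE_FIELDS:
        if name in LETTER_FIELDS:
            bits += _letters_to_bits(fields[name])
        elif name == "purposes_consent":
            bits += _ids_to_bitfield(purposes_consent, 24)
        else:
            bits += format(fields[name], f"0{width}b")
    # Vendor consent section: MaxVendorId (16 bits), IsRangeEncoding (1 bit),
    # then a plain bitfield of MaxVendorId bits. Real strings continue with
    # vendor legitimate-interest and publisher-restriction sections, which
    # this example leaves out.
    bits += format(max_vendor_id, "016b") + "0"
    bits += _ids_to_bitfield(vendors_consent, max_vendor_id)
    bits += "0" * (-len(bits) % 8)  # pad to a whole byte
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_core(tc_string):
    """Decode the leading fields and vendor consents of a core TC string."""
    core = tc_string.split(".")[0]  # later '.'-separated segments are ignored
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    bits = "".join(format(b, "08b") for b in raw)
    out, pos = {}, 0
    for name, width in CORE_FIELDS:
        chunk = bits[pos:pos + width]
        pos += width
        if name in LETTER_FIELDS:
            out[name] = _bits_to_letters(chunk)
        elif name == "purposes_consent":
            out[name] = _bitfield_to_ids(chunk)
        else:
            out[name] = int(chunk, 2)
    max_vendor_id = int(bits[pos:pos + 16], 2)
    pos += 16
    if bits[pos] == "1":
        raise NotImplementedError("range-encoded vendor section not handled here")
    pos += 1
    out["max_vendor_id"] = max_vendor_id
    out["vendors_consent"] = _bitfield_to_ids(bits[pos:pos + max_vendor_id])
    return out


def consent_matches_choice(tc_string, user_rejected_all):
    """Audit check: a string stored after 'reject all' must grant nothing."""
    decoded = decode_core(tc_string)
    granted = bool(decoded["purposes_consent"] or decoded["vendors_consent"])
    return granted != user_rejected_all


def reject_all_string():
    return encode_core(SAMPLE_FIELDS, set(), set(), max_vendor_id=50)


def accept_all_string():
    return encode_core(SAMPLE_FIELDS, set(range(1, 11)), {1, 2, 50}, max_vendor_id=50)


if __name__ == "__main__":
    for label, s in (("reject all", reject_all_string()), ("accept all", accept_all_string())):
        d = decode_core(s)
        print(label, s, "purposes:", sorted(d["purposes_consent"]), "vendors:", sorted(d["vendors_consent"]))
```

The `consent_matches_choice` check is the useful part for a publisher: read the string your CMP wrote after clicking “reject all” on your own site, decode it, and confirm that no purpose or vendor bits are set. A string that decodes with purposes and vendors granted after a rejection is precisely the forged-consent case described above, and it can be caught this way without taking the CMP's word for it.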
As one adtech executive speaking about the issue to Digiday put it, “not many businesses are incentivized to completely clamp down on it because everyone's motivations are commercial. No one gets a bonus for being legally compliant, they get a bonus for hitting their numbers. It's a frustration for any exchange that's following the rules because it puts them at a massive commercial disadvantage. We're sticking to the IAB's rules, but it is hurting us to do so.”
You could say their dilemma is a microcosm of regulators' attempts—in the EU and abroad—to get the digital data industrial complex under control. When regulators set standards that are too tough for anyone to practically follow, talking heads within the industry create their own response that ticks every legal box while also enabling anyone creative enough to continue with business as usual anyway. And when publishers are literally stuck between “too easy to cheat” and “impossible to adhere to,” which one do you think they'll choose?
The full ruling against IAB Europe doesn't address the bad behavior of these downstream parties. Instead, it goes after IAB Europe's awful standards, and its consent strings, specifically. “Contrary to IAB Europe's claims, the Litigation Chamber of the BE DPA found that IAB Europe is acting as a data controller with respect to the registration of individual users' consent signal, objections and preferences by means of a unique Transparency and Consent (TC) String, which is linked to an identifiable user,” the Authority wrote in a statement about the new ruling. “This means that IAB Europe can be held responsible for possible violations of the GDPR.”
Based on this, the Authority was finally able to go after the IAB directly for what it describes as a flurry of infractions. For starters, the ruling alleges that IAB Europe “failed to establish any sort of legal basis for the processing of these consent strings under GDPR,” and failed to keep that data “confidential,” by GDPR standards, once it was collected. On top of that, the new ruling agrees with the same complaints a lot of us have had about those cookie pop-ups for years: They're too vague, too hard to opt out of, and just clearly don't do what they're promised to do.
“The information provided to users through the CMP interface is too generic and vague to allow users to understand the nature and scope of the processing, especially given the complexity of the TCF,” the Authority wrote, noting how “difficult” this makes it for any user to actually have the control over their data that GDPR warrants.
So what comes next? Well, right now, nobody seems to know. IAB Europe put out a terse statement on the ruling that noted how the group “[looks] forward to working with [the Belgian Data Privacy Authority] on an action plan to be executed within the prescribed six months that will ensure the TCF's continuing utility in the market.”
“As previously communicated, it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct,” the group wrote. “Today's decision would appear to clear the way for work on that to begin.” Well, good luck with that. In the meantime, we're stuck with essential parts of the entire ad-serving market in the EU being rendered… entirely illegal. At least for now.
It's impossible to say what's going to come next, but given the adtech industry's lengthy track record of sweeping bad actors under the rug instead of stopping them cold, and with those bad actors facing a huge financial incentive to keep being bad, I think it's safe to say that's what they'll keep doing. When a major part of the online economy is just a big race to the bottom, you just need to pray that lawmakers get there first.