Fortune favours the Brave: Privacy browser chap takes gripes over adtech body's website to Irish data watchdog

Adtech industry body IAB Europe is facing down another data protection complaint from Brave browser bod Johnny Ryan, this time over the all-encompassing cookie wall stalking its site.

The complaint, filed today in Ryan's home nation of Ireland, seeks to win a long-running argument between privacy activists and the tracking industry over methods employed to force users to choose between cookies and accessing a website.

On trying to enter the IAB's site, users are faced with a total cookie wall, not just a banner, that requires them to click "I agree" to the use of cookies from IAB Europe and third parties in order to enter.

A notice says these cookies are for functional and analytic purposes, and that some of those deployed by third parties may be used for targeted advertising.

None shall pass. Not without cookies, at least

Ryan's complaint contends that IAB's cookie wall and the mode it uses to gain "consent" from users before they can access content on the site falls foul of the General Data Protection Regulation (GDPR) and the e-Privacy Directive.

Moreover, he argues that, as the body that designs the adtech industry's data protection notices, the IAB has spread a notion that this kind of cookie wall is GDPR compliant – making it a systemic issue.

Ryan – who is also challenging the IAB over the amount of personal data transferred in real-time bidding ad auctions in a bid to fix the systems – wants to see the Irish Data Protection Commissioner not only crack down on the IAB's processing of data collected through the cookie wall, but also launch a broader probe of the body's compliance with data protection laws.

The submission follows a ruling last month from the Dutch data protection authority that stated using take-it-or-leave-it cookie walls didn't collect freely given consent from users, because there isn't a genuine choice – they have to accept tracking to enter the site.

At the time, the IAB's Matthias Matthiesen said in a firey Twitter spat with Ryan and other privacy activists that there was "nothing in either the GDPR or the ePrivacy Directive that prohibits so-called cookie walls (or consent walls for that matter)".

He went on to say that there was "nothing new to discuss" after the Dutch ruling, and wouldn't be unless "the Court of Justice of the EU pipes up and introduces new relevant information to consider".

I'm not disregarding, but disagreeing with a regulator who I think is wrong about a specific point of data protection law. If the Dutch regulator starts enforcing a non-existing prohibition of cookie walls, they would go beyond their legal powers and should be challenged in court

— Matthias Matthiesen (@mmatthiesen) March 8, 2019

By asking the Irish commissioner to step in, Brave's Ryan has escalated the war of words to the authorities – and aims to make IAB Europe rethink its guidance to the multitude of organisations it works with.

"This complaint will make it plain that the media and advertising industry should not rely on IAB Europe for GDPR guidance," Ryan said in a statement.

"IAB Europe has put itself forward as the primary designer of the online advertising industry's data protection notices, and has widely promoted the notion that access to content can be made conditional on consent for data processing that is not necessary for the requested service to be delivered," the complaint stated.

The submission (PDF), filed on Ryan's behalf by McGarr Solicitors, argued that IAB Europe didn't provide users with enough info when it presented them with the wall, or in its privacy policy, which it links to.

Missing details include what data will be processed, for what purpose, under what legal basis and how long data will be retained; it also makes it "impossible or difficult" to exercise data rights, such as access, rectification or erasure.

"Where companies rely on consent to process people's data it is critical that this is more than a box-ticking exercise," said Simon McGarr of McGarr Solicitors. "For consent to be valid, it must be freely given, informed, specific and unambiguous.

"There's nothing intrinsically good or bad in cookie technology – what matters is ensuring it's applied in a way which respects individuals' rights."

In a statement, the IAB said: "It is regrettable that Johnny Ryan's ongoing PR campaign against the digital advertising industry and in particular his unfounded and inaccurate accusations against IAB Europe are becoming ever more desperate. His claims only distract from the work regional and national regulators, alongside not-for-profits such as our own, are doing together to create a more transparent, trusted and safe online experience, for consumers, brands and publishers." ®