European watchdog: All data collected about users via ad-consent popup system must be deleted

Decision to affect Google's, Amazon's and Microsoft's online ads biz

All data collected "so far" through the Transparency & Consent Framework (TCF) by means of a TC String – part of its consent popup system – must now be deleted by international digital marketing and advertising association IAB Europe.

Over 1,000 firms pay IAB Europe to use TCF. This includes Google's, Amazon's and Microsoft's online advertising businesses.

The TC String is a coded character string storing information about consent in the context of the realtime bidding (RTB) system OpenRTB.

This is according to a decision handed down today by the Belgian data protection authority [PDF] finding that the "consent solution" fails to properly request consent, and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by the online advertising tracking under Article 5(1)a, and Article 6 of the GDPR.

The DP watchdog also cited additional GDPR breaches, namely that: consent was not "properly requested"; there was not enough "transparency about what will happen to people's data (articles 12, 13, and 14)"; there was a failure to "implement measures" to ensure data processing was compliant with the GDPR (article 24); and that IAB failed to respect the requirement for "data protection by design" (article 25).

The ruling spoke about the use of the TCF in the context of the realtime bidding (RTB) system OpenRTB. OpenRTB is a protocol that governs the connection between ad space providers, publishers (ad exchanges, sell-Side Platforms, ad networks etc), and competing buyers who are bidding on that ad space.

IAB Europe has argued that it can't be held responsible for the alleged illegal practices of "RTB participants, as the TCF is completely separate from RTB." The litigation chamber conceded that IAB Europe was not "a data controller in that context," but maintained that because "TCF is the tool on which OpenRTB relies to justify its compliance with the GDPR," it "plays a pivotal role as regards the OpenRTB."

What is TCF?

TCF is a "consent solution" designed to help online ad-slingers to show they comply with the EU's General Data Protection Directive (GDPR) and ePrivacy Directive when they process personal data or access and store information on a user's device. Broadly, this includes cookies, ads IDs, ways to identify users' devices and more. The data is pivotal to the operation of real-time bidding (RTB) systems, which automatically match adverts with the viewers whom advertisers want to reach (based on data collected).

IAB Europe describes itself as "the European-level association for the digital marketing and advertising ecosystem." It represents over 5,500 organisations, including trade assocs and private companies. The IAB Global Network, meanwhile, is made up of several international licensee organisations.

The most recent iteration of TCF, v2.0, came out in August 2019, "following extensive industry consultation particularly with publishers and the industry associations."

Delete it all

The litigation chamber ruled:

[A]ny personal data collected so far by means of a TC String in the context of the globally scoped consents, which is no longer supported by IAB Europe, shall be deleted without undue delay by the defendant. In addition, the Litigation Chamber orders the defendant to prohibit the use of legitimate interest as a legal ground for processing by the organisations participating in TCF in its current format, via its terms of use.

IAB Europe responded to the ruling, saying: "We reject the finding that we are a data controller in the context of the TCF. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge.

"Notwithstanding our grave reservations on the substance of the decision, we look forward to working with the APD on an action plan to be executed within the prescribed six months that will ensure the TCF's continuing utility in the market."

It also noted in a recent report it commissioned by GfK that "digital advertising in the EU generates annual revenues of €41.9bn, with growth of 12.3 per cent yoy," that "behavioural targeting is used in 66 per cent of all digital advertising and contributes to 90 per cent of digital advertising growth," and that "69 per cent of Europeans are willing for their browsing data to be shared for advertising, in order to access digital content such as news articles and online video, for free."

This specific lawsuit was first filed in June last year by the Irish Council for Civil Liberties with the Belgian Data Protection Authority (although the ruling will apply Europe-wide due to the GDPR's "one-stop-shop" mechanism). However, it followed some years of complaints about the insecurity of the online advertising Real-Time Bidding (RTB) system initiated by Johnny Ryan and others.

Ryan, formerly the chief policy officer at privacy-focused browser biz Brave, called today's decision "momentous news."

Ryan has previously touted the benefits of contextual targeting, such as that used by privacy-focused search engine DuckDuckGo, citing a study showing a Dutch national broadcaster got more ad revenue when it stopped tracking users than it had netted when it followed them.

Besides deleting already collated data, under the ruling, the IAB will have to make the TCF GDPR-compliant with the breached articles, carry out a data protection impact assessment covering both the processing activities under the TCF and the "impact of these activities on subsequent processing under the OpenRTB," and get a data protection officer in place to oversee all this.

It also has to provide "a valid legal basis for the processing and dissemination of users' preferences within the context of the TCF." It has six months to do so and has to submit an action plan to the DPA within two months, or else pay a fine of €2,000 a day.

IAB has 30 days to appeal.

Over in the United States, the ads-trade body is facing similar moves to curtail data processing in the form of the Banning Surveillance Advertising Act [PDF]. The proposed federal legislation, which was floated just last week, seeks to ban targeted advertising by saying that "advertising facilitators" may not target ads to individuals "based on their personal information."

"Banning personalized ads would severely impact an increasingly important economic sector, stifling innovation and dramatically harming the small business community who use data-driven advertising to promote their goods and services and reach customers all over the world," IAB CEO David Cohen said of the move at the time.

The IAB's Annual Leadership meeting takes place this coming Monday. Oh to be a fly on the wall. ®

Similar topics

Other stories you might like

  • Despite global uncertainty, $500m hit doesn't rattle Nvidia execs
    CEO acknowledges impact of war, pandemic but says fundamentals ‘are really good’

    Nvidia is expecting a $500 million hit to its global datacenter and consumer business in the second quarter due to COVID lockdowns in China and Russia's invasion of Ukraine. Despite those and other macroeconomic concerns, executives are still optimistic about future prospects.

    "The full impact and duration of the war in Ukraine and COVID lockdowns in China is difficult to predict. However, the impact of our technology and our market opportunities remain unchanged," said Jensen Huang, Nvidia's CEO and co-founder, during the company's first-quarter earnings call.

    Those two statements might sound a little contradictory, including to some investors, particularly following the stock selloff yesterday after concerns over Russia and China prompted Nvidia to issue lower-than-expected guidance for second-quarter revenue.

    Continue reading
  • Another AI supercomputer from HPE: Champollion lands in France
    That's the second in a week following similar system in Munich also aimed at researchers

    HPE is lifting the lid on a new AI supercomputer – the second this week – aimed at building and training larger machine learning models to underpin research.

    Based at HPE's Center of Excellence in Grenoble, France, the new supercomputer is to be named Champollion after the French scholar who made advances in deciphering Egyptian hieroglyphs in the 19th century. It was built in partnership with Nvidia using AMD-based Apollo computer nodes fitted with Nvidia's A100 GPUs.

    Champollion brings together HPC and purpose-built AI technologies to train machine learning models at scale and unlock results faster, HPE said. HPE already provides HPC and AI resources from its Grenoble facilities for customers, and the broader research community to access, and said it plans to provide access to Champollion for scientists and engineers globally to accelerate testing of their AI models and research.

    Continue reading
  • Workday nearly doubles losses as waves of deals pushed back
    Figures disappoint analysts as SaaSy HR and finance application vendor navigates economic uncertainty

    HR and finance application vendor Workday's CEO, Aneel Bhusri, confirmed deal wins expected for the three-month period ending April 30 were being pushed back until later in 2022.

    The SaaS company boss was speaking as Workday recorded an operating loss of $72.8 million in its first quarter [PDF] of fiscal '23, nearly double the $38.3 million loss recorded for the same period a year earlier. Workday also saw revenue increase to $1.43 billion in the period, up 22 percent year-on-year.

    However, the company increased its revenue guidance for the full financial year. It said revenues would be between $5.537 billion and $5.557 billion, an increase of 22 percent on earlier estimates.

    Continue reading

Biting the hand that feeds IT © 1998–2022