The technical standard used by advertising companies to collect GDPR consent online is illegal. The consequences could be huge - for media outlets, but also for industry giants such as Google and Amazon.
The Belgian data protection authority APD has ruled that a central mechanism for cookie banners violates the European General Data Protection Regulation (GDPR). The decision was made in a so-called one-stop procedure. This means it applies to the entire EU. The procedure stems from a complaint by the Irish Council for Civil Liberties and other European civil rights organizations and could potentially be a huge blow to the European advertising industry.
"This has been a long battle", said Dr Johnny Ryan of the Irish Council for Civil Liberties. "Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies".
Targeted advertising on the internet works like this (simplified explanation): Every visit to a website that uses cookie tracking for targeted advertising triggers an auction among the providers of advertisements. Within milliseconds, a decision is made as to which advertisements the user will see, based on the user's profile and some other factors. This process is called real-time bidding.
For this real-time bidding (RTB) to work, the advertising companies want to know a lot about the person currently browsing their website: age, gender, interests, websites visited, place of residence, purchasing power and more. This data is used to display the best-suited ad, the one that the user will most likely click.
However, under the GDPR such tracking is only allowed if the user consents to it. The Transparency and Consent Framework (TCF) by the advertising association IAB Europe supposedly asks for this consent: If users click on "accept cookies" or do not object that the use of their data is in the legitimate interest of the provider, the TCF generates a so-called TC string. This identifier forms the basis for the creation of individual profiles. These profiles are then matched against the advertisements to be displayed. In doing so, the TC string is forwarded to hundreds of partners in the OpenRTB system.
The entire ad industry (when talking about targeted ads) is based on the TC string, which makes it the most important standard in the online advertising ecosystem.
In a landmark ruling, the Belgian APD has now decided that sharing the TC string with hundreds of partners violates the General Data Protection Regulation. According to the supervisory authority, the system used by advertisers to collect consent for targeted advertising on the Internet does not comply with the principles of legality and fairness.
In its ruling, the Belgian APD has issued a fine of 250,000 euros against the advertising association IAB Europe, which develops and operates the TCF mechanism. Furthermore, IAB Europe must now delete the personal data already collected. Far more significant, however, are the conditions that the APD is imposing on the advertising industry to continue using the Transparency and Consent Framework at all.
Thousands of website operators, almost all online media and also large advertising companies such as Google and Amazon use the mechanism to pass on the supposed consent of users to the processing of their personal data for advertising purposes.
Hielke Hijmans, Chairman of the Litigation Chamber of the Belgian APD, says:
"People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day in order to expose them to personalized ads. Although it concerns the TCF, and not the whole real-time bidding system, our decision today will have a major impact on the protection of the personal data of internet users. Order must be restored in the TCF system so that users can regain control over their data."
Even if the decision does not directly affect the entire advertising system on the internet, it will have a major impact on the protection of web users' personal data, says Hijmans.
The Belgian data protection authorities argue that not only the advertising profiles are personal data, but that the TC string, which is used for targeted advertising, must be considered personal data as well. This string can be combined with the IP address and thus make any user identifiable.
As a consequence, IAB Europe violates the GDPR with the TCF protocol used to generate TC strings. Furthermore, the consent given by users to the data tracking (cookies) is ineffective, as there is no sufficient legitimate interest by the website owner to ask for such consent in the first place.
The authorities argue that the legitimate interest of the users outweighs the legitimate interest of the advertising companies due to the high risk associated with tracking-based real-time bidding advertising.
Additionally, the information provided to users when giving consent was too general and vague for them to understand the nature and the scope of the processing of their data, especially given the complexity of tracking-based advertising.
The decision does not immediately affect publishers or marketing companies using tracking-based advertisements.
For now, the decision only affects the advertising association IAB Europe as the provider of the TCF protocol.
Two major developments can be expected now:
More information: The information provided to users before giving consent will be more specific and less vague in the future.
Another consequence of this decision could be that in the future it would be difficult for companies to invoke a "legitimate interest" as the legal basis for data processing. The only possible legal basis would then be the actively given consent of the user.
A first sign that European authorities are applying customer rights more strictly is that Google is finally adding a 'Reject all' button to its cookie banners.
Until April 2022, it was very cumbersome to limit cookie tracking by Google because there was no 'Reject all' button.
For internet users who value data protection, the decision of the Belgian DPA to declare cookie banners illegal is very good news.
Firstly, because ad tech companies will have to delete the user data they have collected through the TCF mechanism.
Secondly - and more importantly - the decision of the Belgian data protection authorities could lead to the whole system of personalized advertisements being overturned.
This could finally put an end to targeted advertising.