European regulators have ruled that the technical framework underlying those obnoxious and ubiquitous consent banners that have blanketed the internet for years is actually a violation of Europe’s General Data Protection Regulation.
That is, of course, ironic, since the framework was developed by leading ad-tech industry group IAB Europe precisely as a response to GDPR. Now, Belgium’s Data Protection Authority has not only ruled that the so-called Transparency and Consent Framework, or TCF, fails to protect Europeans’ data as required under GDPR, but the regulator also fined IAB Europe more than $280,000 for its offenses and has given the group just two months to come up with a plan to rework the entire system.
"The processing of personal data (e.g. recording user preferences) under the current version of the TCF is not in accordance with the GDPR, because of an inherent violation of the principle of fairness and lawfulness,” Hielke Hijmans, chair of the regulator’s Disputes Chamber, said in a statement. “[It] asks people to give their consent, when most of them don't know that their profiles are sold countless times a day to expose them to personalized ads.”
When you use almost any website in Europe and click on a consent banner to express your preferences, it’s the TCF that stores those preferences and allows them to be shared with third parties across the web. In this decision, the Belgian authorities argued that not only are the banners themselves too vague for anyone to know what they’re opting into — a violation of GDPR’s transparency requirements — but the information those banners collect about people’s tracking preferences is itself personal data that IAB is failing to keep secure.
If that sounds like a hyper-niche nitpick considering how much sensitive data gets bought and sold and spilled across the internet every second, that’s because it is.
But that was by design, said Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, whose initial complaint about the IAB system kickstarted a wave of other complaints across Europe, including with the Belgian authorities. “We were really narrow,” Ryan said. “We were going to talk about this tiny little bit of data that held the whole thing together. So we've crucified them on a pin rather than nailing in all the big nails.”
The decision is a big deal for Europe, Ryan said, but it could also have ripple effects across the Atlantic. For one thing, he argued, American lawmakers and regulators have often looked at the “consent spam” polluting Europe and pointed to it as one of the worst consequences of GDPR. This new decision, Ryan said, exposes that spam to be a violation of the law, not a fulfillment of it.
“That red tape was fake. It was a cynical attempt to undermine the law. It wasn’t a consequence of the law,” Ryan said. “It is the law that protects us from that interference and that nuisance.” The Belgian authorities' decision was simultaneously approved by authorities overseeing most of the rest of Europe.
None of this means that those banners and the system underpinning them are going to disappear overnight. The IAB has two months to propose a plan and six months to enact it. In a statement, IAB Europe also rejected the idea that it is a data controller under GDPR, and said it is considering “all options with respect to a legal challenge.”
Still, the group appeared to cling to the idea that the regulators are giving them an opportunity to reform TCF, not scrap it altogether. “We note that the decision contains no prohibition of the Transparency & Consent Framework,” the statement reads.
Until IAB Europe and its regulator figure out a new approach to TCF that does make it compliant with GDPR, Ryan argues it’s hard to read Wednesday’s decision as anything other than a complete crackdown waiting to happen. “Not every inevitable thing necessarily needs to be written down,” he said. “It’s an inescapable conclusion of what they've said.”