The AdTech industry club since a long time uses a highly irritating pseudo-consent form (you know the kind, it takes one click to give away everything, and a day of clicks to deny consent). Today the good news is that IAB’s ‘Transparency and Consent Framework‘ is deemed illegal by the EU data protection authorities, because it is neither transparent nor has any meaningful connection with the word consent. This verdict was to be expected since last year November. This impacts over 1000 companies who as IAB members pay for the privilege of IAB violating the GDPR for them, amongst which Google, Amazon and Microsoft, but also to my surprise Automattic (WordPress) whom I expect much better of.
It should also impact the real time bidding system for adverts (OpenRTB) based on the data involved. This decision isn’t about that real time bidding system, but it does draw welcome attention to “the great risks to the fundamental rights and freedoms of the data subjects posed by OpenRTB, in particular in view of the large scale of personal data involved, the profiling activities, the prediction of behaviour, and the ensuing surveillance“. Which amounts to ‘please bring some complaints about OpenRTB before us asap’.
The decision finds IAB is non-compliant with no less than 11 different GDPR articles. The Belgian DPA called IAB negligent and TCF systematically deficient. IAB must within 2 months provide a plan to reach compliance within at most 6 months. Every day after those two time limits will cost 5000 Euro. A fine of 250.000 Euro is also ordered.
I am grateful to the organisations who brought this complaint, amongst which is the Dutch foundation ‘Bits of Freedom’ which I support financially. The Timelex law office, whom I had the pleasure of closely working with in the past, deserve thanks for their legal assistance in this complaint.
Ceterum censeo AdTech is fundamentally non-compatible with the GDPR, and needs to die.