The AdTech industry club since a long time uses a highly irritating pseudo-consent form (you know the kind, it takes one click to give away everything, and a day of clicks to deny consent). Today the good news is that IAB’s ‘Transparency and Consent Framework‘ is deemed illegal by the EU data protection authorities, because it is neither transparent nor has any meaningful connection with the word consent. This verdict was to be expected since last year November. This impacts over 1000 companies who as IAB members pay for the privilege of IAB violating the GDPR for them, amongst which Google, Amazon and Microsoft, but also to my surprise Automattic (WordPress) whom I expect much better of.
It should also impact the real time bidding system for adverts (OpenRTB) based on the data involved. This decision isn’t about that real time bidding system, but it does draw welcome attention to “the great risks to the fundamental rights and freedoms of the data subjects posed by OpenRTB, in particular in view of the large scale of personal data involved, the profiling activities, the prediction of behaviour, and the ensuing surveillance“. Which amounts to ‘please bring some complaints about OpenRTB before us asap’.
The decision finds IAB is non-compliant with no less than 11 different GDPR articles. The Belgian DPA called IAB negligent and TCF systematically deficient. IAB must within 2 months provide a plan to reach compliance within at most 6 months. Every day after those two time limits will cost 5000 Euro. A fine of 250.000 Euro is also ordered.
I am grateful to the organisations who brought this complaint, amongst which is the Dutch foundation ‘Bits of Freedom’ which I support financially. The Timelex law office, whom I had the pleasure of closely working with in the past, deserve thanks for their legal assistance in this complaint.
Ceterum censeo AdTech is fundamentally non-compatible with the GDPR, and needs to die.
and as I was suprised to find @email@example.com amongst the members paying IAB for the privilege of breaching my rights under the GDPR, I sent out a tweet urging them to cancel their membership: https://twitter.com/ton_zylstra/status/1488962274752712707
Ton Zijlstra on Twitter
We have to sit users down for 10mins to explain everything before they enter the store? The entire process is fundamentally broken, I get why it’s come about as Facebook and others we’re harvesting massive amounts of person data. But there doesn’t seem to be a good solution
Thanks for the great news Ton! And also for bringing my attention to IAB illegal practices.