IAB Europe Says It's Expecting To Be Found In Breach of GDPR

A flagship framework used by Google and scores of other advertisers for gathering claimed consent from web users for creepy ad targeting looks set to be found in breach of Europe's General Data Protection Regulation (GDPR). TechCrunch reports: A year ago the IAB Europe's self-styled Transparency and Consent Framework (TCF) was found to fail to comply with GDPR principles of transparency, fairness and accountability, and the lawfulness of processing in a preliminary report by the investigatory division of the Belgian data protection authority. The complaint then moved to the litigation chamber of the DPA -- and a whole year passed without a decision being issued, in keeping with the glacial pace of privacy enforcement against adtech in the region.

But the authority is now in the process of finalizing a draft ruling, according to a press statement put out by the IAB Europe today. And the verdict it's expecting is that the TCF breaches the GDPR. It will also find that the IAB Europe is itself in breach. Oopsy. The online advertising industry body looks to be seeking to get ahead of a nuclear finding of non-compliance, writing that the DPA "will apparently identify infringements of the GDPR by IAB Europe," and trying to further spin the finding as "fixable" within six months (it doesn't say how, however) -- while simultaneously implying the breach finding may not itself be fixed because other EU DPAs still need to weigh in on the decision as part of the GDPR's standard cooperation procedure (which applies to cross-border complaints).

In terms of timing, a final verdict on the investigation is still likely months off -- and may not emerge 'til deep into 2022. Appeals are also almost inevitable. But the tracking industry's problems are starting to look, well, appropriately sticky. In the short term, the IAB says it expects a draft ruling to be shared by Belgium with other EU DPAs in the next two to three weeks -- at which point they get 30 days to review it and potentially file objections. If DPAs don't agree with the lead authority's finding and can't agree among themselves, the European Data Protection Board may need to step in and take a binding decision -- such as happened in another cross-border case against WhatsApp (which led to a $267 million fine, a larger penalty that the lead DPA in that case had originally proposed).

Twitter too

[beepsky]

Twitter is in violation of the GDPR too. I sent them a GDPR request to delete an account belonging to me that was perma-suspended and they just ignored me.
It's literally impossible to delete your data off Twitter if your account is suspended, since suspension locks you out of deleting your account.

Re:

[sabri]

So sick and tired of all these stupid GDPR pop-up boxes all over the Interwebs.

You forgot all the cookie consent walls

Fuck the unelected EUSSR.

Re:

[tlhIngan]

So sick and tired of all these stupid GDPR pop-up boxes all over the Interwebs.

You forgot all the cookie consent walls

Fuck the unelected EUSSR.

Then put pressure on the websites doing it to STOP DOING IT.

The whole point is to get consent, and that to get consent, you try to minimize the intrusions you put up. Why do you need "performance cookies" or "tracking cookies" - you're supposed to be putting pressure on those sites to get rid of the junk.

Re:

[dromgodis]

What about session cookies?

Re:

[sabri]

Then put pressure on the websites doing it to STOP DOING IT.

Why? Because you are too lazy to tell your browser to stop accepting cookies?

If you don't want cookies, don't accept them. It's an option in every major browser. Don't have your unelected representatives tell the world what to do.

Fuck the EUSSR.

Re:

[AmiMoJo]

Github got rid of their cookie consent pop-ups. All they had to do was stop using non-essential cookies and other kinds of tracking.

Website choose to be shit, it's not a legal requirement.

Re: The Internet was better before GDPR

[guruevi]

GitHub is in violation of GDPR then. They do track people, because they make suggestions, save what Iâ(TM)ve visited and track my login across multiple sites.

They found a way to do it without cookies, through Microsoftâ(TM)s massive infrastructure and more and more big advertisers are doing it. Youâ(TM)ve got what you wanted, you got rid of the cookies, now theyâ(TM)re just doing it all server-side, less transparent.

Re:

[AmiMoJo]

Cookies that are essential to the service (e.g. needed so you can log in) don't need opt in agreement.

Suggestions based on your behaviour I'm not sure about. I guess it could be considered part of the service, and as long as they don't use the data for anything else it's probably okay.

Re:

[guruevi]

Is that why I get spam from Microsoft based around my Github account? Everything Facebook does can be considered part of its service, I'm not sure that defense will fly.

Re:

[AmiMoJo]

Interesting, I don't get any Github related spam.

Could be that you are US based, weaker privacy laws.

Re:

[guruevi]

I am a EU citizen with holdings there, GDPR applies to me.

Furthermore the GDPR applies to anyone:
The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data

Re:

[AmiMoJo]

So what illegal spam are you getting, or did you opt into it?

Re:

[sabri]

Website choose to be shit, it's not a legal requirement.

Websites should be able to choose to be shit, and you should be able to vote with your feet.

The legal requirement to make them extra shit by adding this stupid cookiewall comes from the EUSSR, because the average EUSSR citizen is too stupid to tell their own browser to refuse cookies. So the EUSSR creates a legal requirement for the website to do it for them.

Fuck the EUSSR.

Re:

[Send it to the newts]

So sick and tired of all these stupid GDPR pop-up boxes all over the Interwebs.

I'm sick of them too, I think everybody is. But I think that the GDPR is potentially a stroke of genius by the regulators. Give companies the opportunity to quit with the mass surveillance, and if they turn that down (as they largely have), use the backlash against the popups to generate support for real action against surveillance capitalism. If that's where it ends up, then it will all have been worth it IMHO.

Re:

[freax]

https://noyb.eu/ [noyb.eu] is a lobby organisation that assisted with the formulation of the GDPR in various ways.

Re: Twitter too

[Anonymouse Cowtard]

I got suspended on Twitter too. Now I can't access my account without providing my phone number. That was a bit over a year ago. I miss that account, I had over 500 influential followers and was only following 100 people. Any "social" platform can FOAD if they want my number. As in your case, I can't even delete the offending tweet. Irony much?

Re:

[jafffacake]

in the uk you can have a free sim card delivered to you from most providers - you're expected to top it up with money but you don't have to. you can receive a text on the sim, validate the code on the website, and then bin the sim. wasteful, but it'll get you back into your account without twitter having any useful information. here is an example link https://www.three.co.uk/Suppor... [three.co.uk]

Re:

[AmiMoJo]

File a complaint with your regulator. In the UK it's the ICO, and I've had good results with them. Companies usually comply once they get a nastygram from the ICO.

Creepy adtech company is cheating!?

[memory_register]

I am shocked, shocked I tell you!

In all seriousness, is this a surprise to anyone? Their business model is predicated upon violating your privacy wherever they can. This sounds less like an accident and more like a calculated cost vs benefit decision

Re:

[Otis B. Dilroy III]

I have not done the research, but I have to ask who are the major donors to the non-profit?

Re:

[raynet]

You can very simply serve banner ads on websites according to all GDPR rules, it is that difficult. We just want to get rid of the privacy violating ad networks.

Old mantra folks: if it's free,

[blugalf]

you're the product.

Stalker Net

[khchung]

These creepy ad companies should be called "Stalker Net" so people can better understand what they do.

It is a Good Thing for Europe to rein them in. More countries should make GDPR-like laws.

IAB?

[Megane]

So WTF is an IAB?

Re:

[Megane]

And now I've noticed that I also don't know WTF a DPA is. Thanks for explaining these for those of us who aren't in Europe.

Re:

[RockDoctor]

I had to hunt for it - a job that BeauHD should probably have done - and another article deeper found that the framework is "designed by ad industry body, the IAB Europe".

And I've lost interest. For adverts, I have AdBlock and Noscript. On Twitter, almost every "promoted" tweet scores a BLOCK on the advertiser. Sometimes a MUTE, so I can send an snarky comment about an Advertising Manager who has just blown part of his budget on reducing exposure. Slow Hand Clap.

No, I don't care if they starve in the stre