A flagship framework for gathering Internet users’ consent for targeting with behavioral ads — which is designed by the ad industry body IAB Europe — fails to meet the required legal standards of data protection, according to findings by its EU data supervisor.
The Belgian DPA’s investigation follows complaints against the use of personal data in the real-time bidding (RTB) component of programmatic advertising which contend that a system of high velocity personal data trading is inherently incompatible with data security requirements baked into EU law.
The IAB Europe’s Transparency and Consent Framework (TCF) can be seen popping up all over the regional web, asking users to accept (or reject) ad trackers — with the stated aim of helping publishers comply with the EU’s data protection rules.
It was the ad industry standards body’s response to a major update to the bloc’s data protection rules, after the General Data Protection Regulation (GDPR) came into application in May 2018 — tightening standards around consent to process personal data and introducing supersized penalties for non-compliance — thereby cranking up the legal risk for the ad tracking industry.
The IAB Europe introduced the TCF in April 2018, saying at the time that it would “help the digital advertising ecosystem comply with obligations under the GDPR and ePrivacy Directive”.
The framework has been widely adopted, including by adtech giant Google, which integrated it this August.
Beyond Europe, the IAB has also recently been pushing for a version of the same tool to be used for ‘compliance’ with California’s Consumer Privacy Act.
However, the findings by the investigatory division of the Belgian data protection agency cast doubt on all that adoption — suggesting the framework is not fit for purpose.
The inspection service of the Belgian DPA makes a number of findings in a report reviewed by TechCrunch — including that the TCF fails to comply with GDPR principles of transparency, fairness and accountability, and also the lawfulness of processing.
It also finds that the TCF does not provide adequate rules for the processing of special category data (e.g. health information, political affiliation, sexual orientation etc) — yet does process that data.
There are further highly embarrassing findings for the IAB Europe, which the inspectorate found not to have appointed a Data Protection Officer, nor to have a register of its own internal data processing activities.
Its own privacy policy was also found wanting.
We’ve reached out to the IAB Europe for comment on the inspectorate’s findings.
A series of complaints against RTB have been filed across Europe over the past two years, starting in the UK and Ireland.
Dr Johnny Ryan, who filed the original RTB complaints — and is now a senior fellow at the Irish Council for Civil Liberties — told TechCrunch: “The TCF was an attempt by the tracking industry to put a veneer of quasi-legality over the massive data breach at the heart of the behavioral advertising and tracking industry and the Belgian DPA is now peeling that veneer off and exposing the illegality.”
Ryan has previously described the RTB issues as “the greatest data breach ever recorded”.
Last month he published another hair-raising dossier of evidence on how extensively and troublingly RTB leaks personal data — with findings including that a data broker used RTB to profile people with the aim of influencing the 2019 Polish Parliamentary Election by targeting LGBTQ+ people. Another data broker was found to be profiling and targeting Internet users in Ireland under categories including “Substance abuse”, “Diabetes,” “Chronic Pain” and “Sleep Disorders”.
In a statement, Ravi Naik, the solicitor who worked on the original RTB complaints, had this to say on the Belgian inspectorate’s findings:..