This week, European authorities struck a massive blow to the digital data-mining industrial complex with a new ruling stating that, quite simply, most of those annoying cookie alert banners that sites were forced to onboard en masse after GDPR was passed haven’t… actually been compliant with GDPR. Sorry.
The ruling, announced on Wednesday by Belgium’s Data Protection Authority, comes at the tail-end of a years-long investigation into one of the biggest advertising trade groups in EU, Interactive Advertising Bureau Europe (or IAB Europe, for short). In 2019, about a year after GDPR rolled out, the Data Protection Authority reports it started getting a stream of complaints against the IAB for “breaching various provisions of the GDPR” and countless people’s privacy with the technical standards it created to govern those consent pop-ups.
Now, three years later, it looks like those tips were right; the Authority fined IAB Europe $280,000, ordered the group to appoint a data protection officer, and gave a two-month deadline to get its tech into compliance. Any data that the group collected from this illicit tech also needs to be deleted.
The ruling is great news for privacy buffs that have been calling out those ugly, oftentimes downright manipulative cookie pop-ups from the get-go, but it’s also not necessarily a surprise. In an apparent attempt to get ahead of the bad press, IAB Europe issued a statement last November that the upcoming ruling would “apparently identify infringements of the GDPR by IAB Europe,” but that those infringements would be fixable, and those cookie consent banners would keep on chugging within months of the Belgium ruling.
But that statement came in 2021. For those who work on the so-called “sell-side” of the digital ad industry—tech operators who work hand-in-hand with digital media outlets and other sites across the web—this decision was inevitable. I spoke with three of these industry experts, all of whom asked to not be cited by name for fear of professional retribution thanks to the sway IAB holds over the industry.
While the ruling showed that GDPR is very much still in effect, it doesn’t do a lot to explain how blatant some of these infringements were, or how loudly critics inside the industry had been raising red flags. Simply put, when the GDPR asked the adtech industry to get consent from users before tracking them, the IAB responded with a set of guidelines with loopholes large enough that data could still get through, anyway, without consent. And now that these practices are out in the public, nobody seems sure how to make them stop.
But to really explain how IAB Europe fell afoul of GDPR is complicated, even by adtech’s already impossibly confusing standards. So instead, I’m going to explain it using an analogy that pretty much everyone can understand: a bad date.
I know it sounds wild to compare a sweeping piece of European tech legislation to someone’s nightmare Tinder experience, but both are centered around the same thing: consent. That’s why regulatory types will often champion GDPR as the gold standard of privacy laws—while laws like CPRA in the U.S. allow people to claw back their data from the companies after they’ve mined it, the California law doesn’t change the fact that this mining happened in the first place, regardless of whether users wanted it to happen or not. GDPR, on the other hand, mandates that sites obtain users’ consent to track them before that tracking happens, the same way a decent date would (hopefully) ask to make out before slobbering all over you at the bar.
On paper, consent is just an agreement between two people (or a person and a website). But your Tinder date might have different thoughts about what “an agreement” means than you do. If they ask to do some slobbering and you brush it off with a laugh, they might take that lack of “no” as a “yes.” They might also ply you with drinks or intimidate you into getting out the “yes” they’re looking for, which is—and I can’t stress this enough—not consent. And even if you can’t articulate what consent looks like in the moment, you probably know in your gut what it feels like: Consent is a “yes” that’s unambiguous and freely given.
That’s exactly how GDPR defines the term, too. In order for a site to track you, Article 4 of the regulation notes that it needs to obtain a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” And no pre-ticking consent boxes, either, buster.
But that little tick is…
These Companies Know When You’re Pregnant—And They’re Not Keeping It Secret
In early 2012, the New York Times Magazine put out a cover story about Andrew Pole, a stat…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
