It has been more than two years since a crucial part of the surveillance advertising industry’s consent collection apparatus was discovered to be violating European Union data protection laws. Today, the surveillance data complex has faced yet another devastating blow: The European Union’s highest court has dismissed arguments made by the industry body responsible for the tool, confirming that the data it generates in response to users’ privacy choices is indeed personal data within the scope of the bloc’s General Data Protection Regulation (GDPR) as it contains personal identifiers.
The Court of Justice of the EU (CJEU) also ruled that the ad industry association responsible for creating the consent management tool, IAB Europe, is considered a “joint controller” along with its advertiser members. This means that the association cannot avoid responsibility for ensuring that the data processing complies with the GDPR. However, the court did not find IAB to be a controller for data processing operations that occur after users’ consent preferences are recorded, although the possibility is still open if evidence of influence over subsequent data operations is found.
The CJEU’s ruling comes after a referral of questions from a court in Belgium, where IAB Europe challenged the February 2022 decision by the local data protection authority, which found that its “Transparency and Consent Framework” (TCF) violated the GDPR.
The Belgian DPA’s decision has been and continues to be a significant issue for web users in Europe. Ever since the GDPR came into effect in May 2018, users have been inundated with consent spam on websites, with never-ending pop-ups requesting consent for data sharing with long lists of ad partners.
The problem with these spammy pop-ups is that they do not appear to be GDPR compliant. Saying ‘yes’ or ‘no’ to ad tracking should involve no more friction than exactly that: a yes or a no. However, the adtech industry, well aware that most people favor privacy when given the option, chose to do everything in its power to avoid providing an easy way for users to deny tracking. This has resulted in opt-out options being less prominent and often hidden in submenus of pop-ups, if they are even offered at all. In contrast, the ‘accept’ button is easily accessible, making it simple to dismiss an annoying pop-up at a hidden cost to privacy.
In addition to these tactics, the adtech industry has also engaged in pre-checking sharing options and requiring users to manually click through and uncheck multiple boxes. This makes it tedious and time-consuming to reclaim one’s privacy.
Unfortunately, it gets even worse. Independent research has shown evidence of some adtech vendors, who are plugged into the IAB’s TCF, continuing to track and profile users even when they explicitly opt-out of tracking-based ads.
Critics have labeled this entire approach as mere compliance theatre – an attempt by the ad industry to evade data protection laws and continue tracking and profiling web users on a large scale by packaging systematic non-compliance into an industry standard framework.
Of course, the IAB does not share this view. Its legal challenge against the Belgian decision that found the TCF to violate the GDPR is still ongoing. However, the case will now go back to the Belgian court, which must take the CJEU’s ruling into account.
The ad association had attempted to overturn the Belgian decision by arguing that TCF strings are not personal data. It also contested the authority’s classification of it as a joint controller. However, the CJEU found otherwise on both counts. Therefore, it is not looking too promising for the IAB’s appeal.
In a press release today, the IAB acknowledged the court’s ruling and stated that it welcomes the “much-needed clarity on the concepts of personal data and (joint) controllership.” The association also declared that it would soon release a more detailed commentary on the ruling and its consequences.
The press release continued, stating that “the Belgian Market Court will now resume its analysis of IAB Europe’s substantive arguments in line with the answers provided by the CJEU.” It further added that “pending the conclusion of the proceedings before the Market Court, which could take several months, the suspension of the implementation of IAB Europe’s action plan following its validation will continue to apply.”
In other words, the IAB expects to have a few more months before the Belgian court makes a ruling on the fate of the TCF.
In an updated FAQ on the situation, the ad association denies that the CJEU ruling is a blow to its chances of overturning the Belgian DPA’s decision that the TCF violates the GDPR. The IAB argues that “there is nothing in the CJEU ruling that could be remotely considered questioning the legality of consent prompts or prohibiting their use by the digital ecosystem to comply with legal requirements under the EU’s data protection framework.”
However, this is simply spin, considering that the CJEU’s role is to respond to the points of law raised. It is up to the referring court to take the next steps, following the top court’s guidance on interpreting key points of law relevant to the case.
As a quick reminder, the Belgian DPA’s February 2022 decision on the long-standing complaint against the IAB’s TCF found violations of various articles of the GDPR, including those related to transparency, security, and data protection by design and default. The authority also imposed a fine of €250,000 on the IAB and gave it six months to bring the framework into compliance. However, the action requiring reform was suspended pending a final court ruling on the IAB’s appeal, which is why we still see pop-up consent spam on EU websites today.
Thankfully, it seems like this zombie consent spam may finally be on its last legs with this decision. Following the CJEU ruling, the Irish Council for Civil Liberties’ senior fellow and Enforce director, Johnny Ryan, who filed GDPR complaints against the TCF, and prior to that, complaints against real-time bidding, predicted that the end of this long battle is finally in sight.
According to Ryan, “People across Europe have been plagued by fake ‘consent’ pop-ups every day on almost every website and app since the GDPR was introduced almost six years ago. IAB Europe has sought to evade its responsibility in this charade. However, the European Court of Justice has set the record straight. This decision will not only put an end to the biggest spam operation in history, but it will also deal a fatal blow to the online tracking-based advertising industry.”
Nevertheless, the IAB’s PR today appears to project a serene legal proceeding ahead, despite the CJEU dismissing its arguments. This may be because the industry may have found an alternative strategy to strong-arm consent-to-track from European web users: the increasingly adopted ‘consent or pay’ model, driven by Meta’s adoption of the tactic last fall. Here, the choice is even more explicitly manipulative and abusive – either pay for your privacy by signing up for an ad-free subscription, or agree to tracking and get no privacy at all.
However, the controversial ‘consent or pay’ model is already facing numerous privacy and consumer protection challenges. Furthermore, the European Data Protection Board is expected to release guidance soon, and the European Commission is also investigating Meta’s use of the tactic under the Digital Services Act, which involves obtaining consent for using people’s data for ads and imposes certain conditions on how consent can be collected, in addition to the GDPR’s basic requirements.
It is unclear how much longer the surveillance advertising industry can continue to operate in the EU, given the shrinking legal avenues as privacy complaints and enforcement actions progress, and with new compliance attacks opening up on several fronts. It may only be a matter of months, or it may require the CJEU to also weigh in on the ‘consent or pay’ tactic (which could take a couple of years). However, it is clear that the industry’s only real option is to reform or face the end.