Photo: Daniel Leal (Getty Images)
This week, European authorities struck a massive blow to the digital data-mining industrial complex with a new ruling stating that, quite simply, most of those annoying cookie alert banners that sites were forced to onboard en masse after GDPR was passed havent... actually been compliant with GDPR. Sorry.
The ruling, announced on Wednesday by Belgiums Data Protection Authority, comes at the tail-end of a years-long investigation into one of the biggest advertising trade groups in EU, Interactive Advertising Bureau Europe (or IAB Europe, for short). In 2019, about a year after GDPR rolled out, the Data Protection Authority reports it started getting a stream of complaints against the IAB for breaching various provisions of the GDPR and countless peoples privacy with the technical standards it created to govern those consent pop-ups.
Now, three years later, it looks like those tips were right; the Authority fined IAB Europe $280,000, ordered the group to appoint a data protection officer, and gave a two-month deadline to get its tech into compliance. Any data that the group collected from this illicit tech also needs to be deleted.
The ruling is great news for privacy buffs that have been calling out those ugly, oftentimes downright manipulative cookie pop-ups from the get-go, but its also not necessarily a surprise. In an apparent attempt to get ahead of the bad press, IAB Europe issued a statement last November that the upcoming ruling would apparently identify infringements of the GDPR by IAB Europe, but that those infringements would be fixable, and those cookie consent banners would keep on chugging within months of the Belgium ruling.
But that statement came in 2021. For those who work on the so-called sell-side of the digital ad industrytech operators who work hand-in-hand with digital media outlets and other sites across the webthis decision was inevitable. I spoke with three of these industry experts, all of whom asked to not be cited by name for fear of professional retribution thanks to the sway IAB holds over the industry.
While the ruling showed that GDPR is very much still in effect, it doesnt do a lot to explain how blatant some of these infringements were, or how loudly critics inside the industry had been raising red flags. Simply put, when the GDPR asked the adtech industry to get consent from users before tracking them, the IAB responded with a set of guidelines with loopholes large enough that data could still get through, anyway, without consent. And now that these practices are out in the public, nobody seems sure how to make them stop.
But to really explain how IAB Europe fell afoul of GDPR is complicated, even by adtechs already impossibly confusing standards. So instead, Im going to explain it using an analogy that pretty much everyone can understand: a bad date.
I know it sounds wild to compare a sweeping piece of European tech legislation to someones nightmare Tinder experience, but both are centered around the same thing: consent. Thats why regulatory types will often champion GDPR as the gold standard of privacy lawswhile laws like CPRA in the U.S. allow people to claw back their data from the companies after theyve mined it, the California law doesnt change the fact that this mining happened in the first place, regardless of whether users wanted it to happen or not. GDPR, on the other hand, mandates that sites obtain users consent to track them before that tracking happens, the same way a decent date would (hopefully) ask to make out before slobbering all over you at the bar.
On paper, consent is just an agreement between two people (or a person and a website). But your Tinder date might have different thoughts about what an agreement means than you do. If they ask to do some slobbering and you brush it off with a laugh, they might take that lack of no as a yes. They might also ply you with drinks or intimidate you into getting out the yes theyre looking for, which isand I cant stress this enoughnot consent. And even if you cant articulate whatconsent looks like in the moment, you probably know in your gut what it feels like: Consent is a yes thats unambiguous and freely given.
Thats exactly how GDPR defines the term, too. In order for a site to track you, Article 4 of the regulation notes that it needs to obtain a freely given, specific, informed and unambiguous indication of the data subjects wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. And no pre-ticking consent boxes, either, buster.
But that little tick is, quite literally, just a tiny pile of snow at the top of a massive iceberg. On every page youre visiting, there could be a few, or dozens, or even hundreds of tiny tech companies working together to take whatever data gets exposed through the webpage youre visiting into some kind of targeted ad. By the time that annoying ad for some ugly t-shirt pops up on a blog youre reading, there have already been countless algorithmic bidding wars on that ad spacethe spot on the page where an ad appearsthat are each their own Olympic feats of Big Tech gymnastics. If this all wasnt so invasive and upsetting, it would almost be kind of impressive.
This is just a basic setup. Some sites can have dozensor even hundredsof players plugged in at a time Graphic: ad-exchange.fr (Getty Images)
In other words, the way web tracking works isnt really like a single guy being a sleaze at the bar; its more like a conga line of sleazes. And in order to get your consent, this Tinder guy (lets call him Devin) that you just met is being legally required to go with you down the row and, one by one, consent to smooching up on each of these other guys before a single smooch could ever happen.
You might be thinking, Geez, if I was the Devin in this scenario, Id just give up on getting consent for all my weird friends, and just try to be sleazy on someone with lower standards. And youre not alone! In the leadup to GDPR going into effect, countless recipe blogs, news outlets, and just regular-old personal blogs looked at this seemingly impossible standard EU regulators were now mandating from them and just... panicked. Who could blame them?
The thing that almost every publisher was worried about was that they were going to do all this work and get hit by regulators anyway, said one adtech engineer who also asked to remain anonymous out of fear of retribution from the IAB. The language of the law didnt get clear about how the technical method was supposed to work, what you could or couldnt block off, what level of ID you were allowed to ask a user for, etc.
Rather than try to parse a law that was, as he put it, both not specific enough and too specific, to actually be effective, some publishers just left. In GDPRs immediate aftermath, more than 1,000 news sites were suddenly unavailable trying to visit from the EU, with the bulk being smaller, local outlets, according to a list that one researcher compiled at the time. Thats not a coincidence; while the New York Timeses and Washington Posts could afford a legal team and tech setup to stay put without being threatened with GDPRs massive fines, local outlets were already struggling.
But this still left countless websites active in the EU that needed consent from their visitors once GDPR came into force. Enter the IAB. Because a lot of adtech is pretty much unregulated, the massive influential trade group has come to be accepted as the one to set the guidelines for advertisers, publishers, and everyone else to follow in order to keep them from running afoul of privacy laws. Both the IAB and its European wing are really, really serious about lobbying, which means thatideallythe organization would know exactly what makes these laws tick, and how the industry could accommodate them.
So, naturally, IAB Europe was responsible for coming up with the standards for websites that wanted to obtain user consent without effectively breaking their site in the process. And then, according to the industry experts I spoke with, they kept waiting. In April 2018literally a month before GDPR was set to come into effectIAB Europe debuted its new standards: the so-called GDPR Transparency and Consent Framework (or TCF) that websites were told would collect consent in a comprehensive, standardized way, while also funneling that consent back to the third-party partners each site works with.
This framework, to be blunt, looked like a hot mess. There were a few glaring issues critics pointed right off the bat, but one of the biggest was that the framework encouraged sites to bundle all their requests for consentfrom every third party they work withunder a single accept all button, without the need to actually disclose every one of the many, many partners that were hiding under that button.
In other words, these guidelines suggested that Devin just hide all his buddies inside a trench coat, with the implicit understanding that if you agreed to smooch him, youd agree to smooch all of them, too. But thats not how consent works IRL, and thats not how consent is supposed to work under GDPR.
So, when these new TCF specs were dropped in their laps with a month to go before European laws changed in major ways, website operators were faced with a pretty crummy choice: go through the expensive and mind-numbing legal process of bringing their site to compliance on their own, or going with what the IAB was presenting.
As one person in charge of advertising revenue at a major publication put it, IABs standards seemed bent on adhering to the letter of the law while ignoring the spirit of the law. Another industry expert thought the TCF standards seemed purposefully complicated to allow publishers to skirt regulation.
But without other options, publishersbegrudgingly or otherwisedecided to follow the TCF standards anyway. As one expert explained, the implicit understanding was that if anyone would take the fall for shoddy privacy compliance, it would be the IAB, and not them. And so far, at least, thats exactly whats happened. While the Data Protection Authority fined IAB Europe, it hasnt gone after publishers themselves, even though theyre also breaking GDPR by using the TCF standards.
To follow the framework, publishers were required to onboard another third-party piece of ad software called a consent management platform, or CMP, that would be responsible for collecting consent from users and beaming it where it needed to go. Those CMPsand there are dozens of different onesneed to be registered with the IAB for compliance purposes, which also means forking over a roughly $1,700 fee upfront, and again each year theyre on the list.
These CMPs are the ones responsible for plopping the dreaded cookie banner on the site. Behind the scenes, when you press yes or no on a sites request to track you, that choice gets stored in the form of a consent string on your browser. Unless you clear your browser cache (which, lets be honest, you should probably do), that webpage will load up that string every time you visit and pass it on to any third parties involved with serving an ad on the siteyou know, that aforementioned chain of sleazy dudes.
Pretty quickly, though, it became clear that the rules laid out by TCF werent going to cut it, and the cookie banners created in its wake were blatantly violating some of GDPRs core rules in all sorts of shady ways. Some would share peoples consent preferences on a single site with every company that was partnered with the IAB, while others would leave site visitors with the option to accept cookies, but not the option to reject them. Others would just not work at all.
What eventually brought Google onboard was the IABs new and improved TCF 2.0, which debuted about a year and a half after GDPR rolled out. We wont go into every change (you can read about those here), but in a nutshell: This new framework promised more power to publishers, more privacy to end-users, and less of a legal shitshow overall. But when digital advertising is a field thats flush with hundreds of billions of dollars per year and not nearly enough legal oversight, bad actors are going to be bad. Dark patterns continued to be dark even with the update, and middlemen further down the daisy chain from the CMP started offering alternatives meant to bypass these cookie banners entirely, meaning that the need for consentwhich, again, is the core tenant of GDPRwould no longer be part of the equation.
In some absolutely cursed scenarios, CMPs began forging consent signals from end-usersliterally turning their requests not to be tracked into a yes, please track mewith nobody, even the IAB, checking in initially. Even after the trade group started auditing the vendors it worked with last fall, researchers outside the adtech sphere found that consent fraud was still very much happening, with seemingly no easy way to get bad actors to stop.
As one adtech executive speaking about the issue to Digiday put it, not many businesses are incentivized to completely clamp down on it because everyones motivations are commercial. No one gets a bonus for being legally compliant, they get a bonus for hitting their numbers. Its a frustration for any exchange thats following the rules because it puts them at a massive commercial disadvantage. Were sticking to the IABs rules, but it is hurting us to do so.
You could say their dilemma is a microcosm of regulators attemptsin the EU and abroadto get the digital data industrial complex under control. When regulators set standards that are too tough for anyone to practically follow, talking heads within the industry create their own response that ticks every legal box while also enabling anyone creative enough to continue with business as usual anyway. And when publishers are literally stuck between too easy to cheat, and impossible to adhere to, which one do you think theyll choose?
The full ruling against IAB Europe doesnt address the bad behavior of these downstream parties. Instead, its going after IAB Europes awful standards, and its consent strings, specifically. Contrary to IAB Europes claims, the Litigation Chamber of the BE DPA found that IAB Europe is acting as a data controller with respect to the registration of individual users consent signal, objections and preferences by means of a unique Transparency and Consent (TC) String, which is linked to an identifiable user, the Authority wrote in a statement about the new ruling. This means that IAB Europe can be held responsible for possible violations of the GDPR.
Based on this, the Authority was finally able to go after the IAB directly for what it describes as a flurry of infractions. For starters, the ruling alleges that IAB Europe failed to establish any sort of legal basis for the processing of these consent strings under GDPR, and failed to keep that data confidential, by GDPR standards, once it was collected. On top of that, the new ruling agrees with the same complaints a lot of us have had about those cookie pop-ups for years: Theyre too vague, too hard to opt-out of, and just clearly dont do what theyre promised to do.
The information provided to users through the CMP interface is too generic and vague to allow users to understand the nature and scope of the processing, especially given the complexity of the TCF, the Authority wrote, noting how difficult this makes it for any user to actually have the control over their data that GDPR warrants,
So what comes next? Well right now, nobody seems to know. IAB Europe put out a terse statement on the ruling that noted how the group [looks] forward to working with [the Belgian Data Privacy Authority] on an action plan to be executed within the prescribed six months that will ensure the TCFs continuing utility in the market.
As previously communicated, it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct, the group wrote. Todays decision would appear to clear the way for work on that to begin. Well, good luck with that. In the meantime, were stuck with essential parts of the entire ad-serving market in the EU being rendered... entirely illegal. At least for now.
Its impossible to say whats going to come next, but given the adtech industrys lengthy track record of sweeping bad actors under the rug instead of stopping them cold, and with those bad actors facing the huge financial incentive to keep being bad, I think its safe to say thats what theyll keep doing. When a major part of the online economy is just a big race to the bottom, you just need to pray that lawmakers get there first.
Read more here:
The Hidden Failure of the World's Biggest Privacy Law - Gizmodo
Read More..