A recent decision by Belgium’s Data Protection Authority could strongly impact the “real-time bidding” systems that underpin targeted digital advertising, and could even be felt outside of Europe. The decision found GDPR violations in the consent management systems widely used by ad networks (such as those run by Google and Facebook), ruling that the process is not adequately transparent to data subjects and does not inform them or secure their data properly.
The ruling is immediately enforceable across the European Union, and could also force changes to ad networks that span other countries. Digital advertisers in Europe are being given a two-month grace period to come up with a plan demonstrating how they will bring these systems into compliance, with the industry's widely used standard consent framework now specifically invalidated by the ruling.
Widely used consent management framework shot down by EU regulator
The Interactive Advertising Bureau Europe (IAB Europe) was fined for GDPR violations in the use of its Transparency & Consent Framework (TCF), a set of rules and protocols that was ostensibly supposed to keep advertisers GDPR-compliant while engaging in personalized profiling and participating in real-time bidding (RTB) systems.
The IAB was fined €250,000 for the GDPR violations, but the TCF is a widely used digital marketing standard adopted by companies throughout Europe. These companies are now vulnerable to similar privacy and security complaints. Numerous complaints have already been registered about the TCF since 2019, with users feeling that consent granted to one website should not automatically be transferred to any number of unknown third parties.
RTB systems attempt to match ads to users based on collected information about the user’s interests, making this connection in “real time” as the user browses a website or app that is plugged into a digital advertising network. The system is popular with advertisers as it allows for much more selective and cost-effective ad spend; the advertiser specifies that ads only be delivered to certain pre-selected demographics, and only pays for ads that are displayed to a user that matches their desired customer.
The problem for the end user is that they are prompted for consent to participate in this only upon first visiting a website or firing up an app. The information collected about them is then provided to the advertisers participating in the ad network, stored in a cookie that persists across multiple websites and apps.
The Belgian DPA found multiple GDPR violations in this consent management system: failure to establish a legal basis for the processing of the end user’s collected information, failure to meet GDPR transparency standards, failure to keep a register of required processing activities, and failure to appoint a data protection officer or conduct a data protection impact assessment.
Those are just the findings as regards user privacy rights. The Belgian DPA was even more critical of the security aspects of the consent management system. It found that once data was fed into this network of thousands upon thousands of disparate participants, it was essentially impossible to secure properly, or to give data subjects control over it.
In addition to establishing a legal basis for processing data and a consent management structure that is GDPR compliant within the next two months, the IAB has also been instructed to begin screening its data partners to ensure that they meet the standards of the GDPR before customer data is passed on to them.
IAB is pursuing a legal appeal, which could very well draw the process out considerably. But the complaint was heard under the GDPR "one stop shop" mechanism, and the ruling received the blessing of most of the other countries in the European Economic Area.
Freewheeling days of RTB GDPR violations may be over
If the appeal does not work, IAB will have to demonstrate a revised consent management system that is not as "generic and vague" about the scope of use of personal data and that allows end users to retain their GDPR rights to personal control (which include visibility into stored data and the ability to change and delete it). IAB itself, along with any processors it has contracted with, has been ordered to delete all of the data it currently holds, since GDPR violations were committed in its collection.
The ruling undercuts a common defense used by those in the targeted advertising industry: that they are not "data controllers" under the definition presented by the GDPR, but are merely "processors" and thus subject to a lighter set of regulations. The ruling specifically names outfits such as IAB as controllers, exposing them to a slew of new potential GDPR violations.
While IAB is contesting the ruling, a blog post from the organization spins it as not being an entirely negative development for the industry. The new consent management standards, for which the organization is expected to present a plan in two months and have functioning in six, could represent a single transnational framework given the blessing of the EU.
It is quite a gamble, however, as the TCF will likely be destroyed entirely if the organization cannot revise it to the satisfaction of regulators within half a year. IAB faces additional fines of €5,000 for each day it remains in use after the grace period is up. While the fine amounts may sound small for something that can potentially touch all of Europe's internet users, IAB makes only about €2.5 million per year and is nowhere near the magnitude of the ad networks run by social media giants.
The ruling also has an impact far beyond IAB, including on those social media giants. Cillian Kieran, Founder and CEO of Ethyca, summarizes the total expected industry impact: "Unlike other EU rulings in recent months against consumer brands like Amazon or WhatsApp, this decision cuts deeper into the infrastructure that powers a much wider network of services. IAB and TCF might not be top-of-mind to an everyday internet user, but their personal data has very likely gone through these systems … Don't be fooled by the size of the monetary penalty. The Transparency and Consent Framework is used so widely that this decision has significant and direct implications for the ecosystem of real-time bidding for advertising. On the technical front, the decision emphasizes the need for tech systems to actually implement users' consent preferences—not just receive a notification of the preferences. The authorities find the framework to only do the latter, which means that there's nothing technically stopping a vendor from modifying or falsifying consent preferences … Even if platforms want to assume the best intentions in every party, no organization can afford to do that when the scale is so sweeping and the stakes of algorithmic discrimination and re-identification are so high. The framework has come to touch so much of the EU's internet, and the decision spells out the need to implement data protection by design and by default."