Belgian authority finds IAB Europe’s consent pop-ups incompatible with the GDPR

Following a number of complaints filed in 2018 and 2019, including by EDRi-members Panoptykon and Bits of Freedom, and coordinated by the Irish Council for Civil Liberties, the Belgian Data Protection Authority has found that the consent system developed and managed by the adtech industry body IAB Europe, and used by many websites in the EU, is illegal under the GDPR.

By Panoptykon Foundation & Bits of Freedom (guest author) · February 16, 2022

The decision has been confirmed by 27 data protection authorities from 20 EU countries involved in the cross-border investigation.

Perhaps unknowingly, most people come across this consent system, known as the Transparency & Consent Framework (TCF), on a daily basis in the form of a “consent pop-up”. The pop-up nudges you into “accepting” cookies allowing your information to be shared, through a single website visit, with hundreds of adtech companies.

The TCF was developed by IAB Europe primarily as a way to find a legal ground for processing personal information within the real-time bidding (RTB) advertising system. However, the Belgian DPA has now ruled that consent collected via these popups is invalid because of the lack of information about specific processing purposes and the types of data that are collected, as well as the sheer number of parties on the receiving end, make it impossible for users to truly understand the consequences of their consent.

In addition, the Belgian DPA finds that neither IAB Europe nor adtech intermediaries can rely on their legitimate interest as a processing ground, because it is far outweighed by the risks to users’ fundamental rights. Finally, the Belgian DPA notes that IAB Europe has violated the principle of data security because it has failed to guarantee that adtech companies cannot simply generate “fake consent” in order to track people, as well as the principle of data protection by design because it is much harder for people to withdraw their consent than it is to give it.

The Belgian decision is momentous, because it finally puts an end to what many believed to be not just a nuisance, but manipulative and harmful. Not only has the TCF been found incompatible with the GDPR, but IAB Europe, its developer, has been found responsible for multiple infringements of key GDPR principles of lawfulness, fairness, transparency, and security.

In its decision, the Belgian DPA further emphasises that the TCF plays a pivotal role in the current architecture of the OpenRTB system” and “supports a system posing great risks to the fundamental rights and freedoms of the data subjects, in particular in view of the large scale of personal data involved, the profiling activities, the prediction of behaviour, and the ensuing surveillance of data subjects”.

IAB Europe has been given the deadline of two months to present a plan of how it will bring the TCF into compliance, subject to approval from the Belgian DPA, and a further four months to implement the changes. IAB Europe, and all companies that have gathered data unlawfully through the TCF, including publishers, ad exchanges, data brokers, and other intermediaries, must delete this data immediately.

It is up to IAB Europe whether it will continue to play hide-and-seek with GDPR enforcers or whether it will genuinely engage in a meaningful reform of the adtech industry. The Belgian decision is also a long-awaited incentive for websites and apps to adopt GDPR-friendly alternatives such as contextual advertising.

(Contribution by: Karolina Iwańska, Lawyer and Policy Analyst, EDRi Member Panoptykon Foundation, and Evelyn Austin, Director, EDRi Member Bits of Freedom)