Europe’s highest court delivers landmark judgment against IAB Europe in GDPR consent spam pop-ups case
The Court of Justice of the European Union's landmark decision on March 7, 2023, against the auctioning of personal data for advertising purposes under the General Data Protection Regulation (GDPR) challenges the legality of invasive tracking and profiling in the context of online advertising. It marks a significant victory for privacy advocates and sets a precedent for the protection of personal data in the digital era.
In a landmark decision on 7 March 2023, the Court of Justice of the European Union (CJEU) issued a groundbreaking judgment against online targeted ads prohibited by the General Data Protection Regulation (GDPR). This ruling has far-reaching implications for major platforms, including giants like Google and TikTok, that rely on the online personalised advertising industry as part of their business model. The Court recognised that invasive tracking and profiling cannot be sanctioned through ‘consent’ pop-ups, responding to a complaint that focused on the mechanisms facilitating the covert profiling and monitoring of the private activities of a majority of individuals across the digital realm. The court’s decision emphasised the need for stricter controls on the online tracking and advertising industry.
The ruling stands as a crucial victory for privacy advocates and establishes a precedent for future cases, underscoring the paramount importance of safeguarding individuals’ personal data in the digital age. Complainants, including EDRi members such as ICCL, Panoptykon Foundation, and Bits of Freedom, have played a crucial role in bringing this issue to light. Their coordinated efforts through Enforce, a unit of the ICCL, initiated complaints about the GDPR violations of the online advertising “Real-Time Bidding” (RTB) system in 2018. The Irish Data Protection Authority (DPA), the Data Protection Commission, is expected to release a preliminary decision regarding Google’s real-time bidding (RTB) system in the first quarter of 2024. Thanks to the work of digital defenders, courts and regulators continue to restrict the legal pathways for firms intending to deliver personalised ads for tracking and profiling internet users.
A victory for privacy and data protection advocates
The CJEU found that the Interactive Advertising Bureau (IAB) Europe must be held accountable under multiple provisions of the GDPR for establishing an extensive infrastructure for consumer surveillance. The decision referred to the firm’s role in two online advertising systems obtaining individuals’ online consent for personalised advertisements and controlling data processing activities when users’ consent preferences are logged.
The Court unmistakably acknowledged that ‘consent-strings’ – data strings produced in reaction to the privacy preferences expressed by users – are personal data, emphasising the private nature of user preferences, especially when additional identifiers (like IP addresses) are in use and might lead to profiling activities. This facilitates the handling and broadcasting of data, including highly sensitive data, to thousands of companies billions of times a day.
The Transparency and Consent Framework (TCF) consent system is used by advertisers and data brokers to acquire individuals’ ‘consent’ for online tracking and to have their data auctioned by advertisers and data brokers for personalised ads.
TCF is a crucial part of the RTB online advertising system, enabling advertisers to bid on ad impressions in real-time, precisely targeting their audience and helping publishers maximise the value of their ad inventory. From a technical point of view, data subjects cannot feasibly have prior knowledge of every data controller participating in an RTB scenario, much less object to the collection and processing of their personal data once it has been broadcast to thousands of vendors.
Firms are aware that the majority of individuals tend to support privacy when provided with the opportunity to express their preference, and try to avoid that at all costs. What is worse, some ad tech vendors, connected to the TCF system, seem to persist in tracking and profiling users despite explicit indications that they do not want ads based on tracking. This situation is clearly incompatible with how the GDPR conceptualises consent, an issue also at stake regarding the ‘Pay or Consent’ models.
Big tech firms, but also more modest platforms, have relied on IAB Europe’s ‘consent’ system for years. This system, widespread since the GDPR’s introduction, is responsible for the vast majority of the pervasive cluttering of websites with incessant pop-ups that seek approval for ‘sharing’ user data with an array of advertising ‘partners’ within the EU. More worryingly, highly sensitive data is transferred to companies worldwide, including authoritarian states.
Johnny Ryan from EDRi’s member ICCL has highlighted the relief for citizens across Europe who have endured the widespread proliferation of fake ‘consent’ pop-ups since the introduction of the GDPR. The ruling not only marks the end of what Ryan calls the ‘biggest spam operation in history’ but also delivers a severe blow to the online tracking-based advertising industry, which will likely now be forced to rethink its model.
Katarzyna Szymielewicz, representing EDRi member Panoptykon Foundation, expressed regret over the fact that it has taken too long to establish that the ad tech industry’s invasive tracking and profiling of internet users is unlawful.
The Court’s verdict: meaningful limits to the ad tech industry
Several privacy activists filed complaints in 2019 shedding light on the unlawful data processing used by the entire online advertising industry. The Belgian DPA’s ruling in February 2022 deemed the TCF ‘consent’ spam system illegal, in violation of the GDPR, and stated it needed to be changed.
The decision was appealed at the Brussels Markets Court, with IAB Europe attempting to evade responsibility by arguing that it was just a technical standard-setting organisation for data usage, not actively processing the data, and thus not legally responsible for how other companies use that framework.
However, the CJEU’s decisive verdict affirms IAB Europe’s responsibility as a ‘joint data controller’ – with its advertiser members – as its mechanism collects fragments of information that qualify as personal data, capable of identification and profiling of a user under the GDPR. Being recognised as a (joint) controller doesn’t necessitate having direct access to personal data. The Court also stated that this joint controller also seems to wield influence in the processing of data, collaborating with others to establish the purposes for such processing.
The CJEU’s decision not only ends a significant chapter in the ongoing battle against ‘consent’ spam pop-ups but also sends a clear message to the online tracking and advertising industry.
The prevailing question now is, ‘What comes next in requesting user consent?’ From EDRi’s viewpoint, the answer is evident: refraining from broadcasting personal data in any way and putting an end to ‘compliance performance’. Major online players can no longer evade their responsibilities by claiming immunity from data protection laws, and the EDRi network – together with privacy advocates throughout Europe – will keep pushing for that to happen.