Get your extra reading on “cookie consent” and AdTech done

On 22 February, the Belgian Data Protection Authority (DPA) made a decision regarding complaints about the Internet Advertising Bureau Europe (IAB Europe) “consent framework”. This is a commonly used cookie pop-up asking for “consent” to be tracked. 

An important part of the decision is that the Belgian DPA found this framework to violate both the General Data Protection Regulation (GDPR) and the Belgian implementation of the ePrivacy Directive, and has given IAB Europe until early April to prove that it can be made compatible with these rules. 

What does academic research have to say?

Two academic papers published recently question the ability of IAB Europe to comply with the rules. One, titled “An Unending Data Breach Immune to Audit? Can the TCF and RTB Be Reconciled with the GDPR?” by Johnny Ryan (Senior Fellow at the Irish Civil Liberties Council and one of the complainants in the Belgian procedure) and Cristiana Santos (Assistant Professor at Utrecht University). The other, titled “Impossible asks: Can the TCF Ever Authorise Real-Time Bidding After the Belgian DPA Decisi” by Michael Veale (Associate Professor at University College London), Midas Nouwens (Assistant Professor at Aarhus University) and Cristiana Santos (Assistant Professor at Utrecht University), published in Technology and Regulation. 

Both papers conclude that consent frameworks like the one used by IAB Europe are inherently irreconcilable with relevant European and Member State law. In particular, the way how Real-Time Bidding (RTB), an auction setting where ad impressions are publicly auctioned in milliseconds, works in AdTech, is structurally hard to reconcile with core principles of data protection law. One such principle is that consent must be well-informed and specific, which in light of the plurality of recipients (hundreds of AdTech companies) of the personal data in the RTB environment is a nearly impossible barrier to clear. Another one is that consent can be withdrawn, which is likewise very difficult to effectuate in an environment with large (and changing) groups of recipients of the personal data received.

For more in-depth reading on the RTB, we recommend another recent paper, titled “Adtech and Real-Time Bidding under European Data Protection Law” by Michael Veale (Associate Professor at University College London) and Frederik Zuiderveen Borgesius (Professor at Radboud University). This calls for regulatory intervention for which the EU Digital Services Act would be an excellent place to do so, notes the article’s author.

(Contribution by: Walter Van Holst, EDRi member Vrijschrift)