EU orders all personal data collected through ad consent pop-ups be deleted

A laptop showing an EU GDPR logo.
(Image credit: asiandelight via Getty)

In 2018 the European Union and European Economic Area began an initiative to protect the digital privacy of European citizens. Called the General Data Protection Regulation (GDPR), this framework made it so online advertisers had to ask permission from website users to serve them personalised (or as the industry would call them, relevant) adverts.

Any reader in the EU already knows what I'm talking about, but for those outside: Since this regulation came in, the vast majority of websites viewed from within the EU & EEA greet users with a pop-up asking for their consent to be tracked for advertising purposes. They're irritating, mainly because they obscure the content you're trying to see, but also because they can be designed in such a way as to deter users who want to say no (for example, making you untick dozens of boxes to do so).

This complaint was made by the Irish Council for Civil Liberties in 2019 against IAB Europe, a digital ad trade body that represents over 5,500 organisations, and is heavily involved in guiding the advertising industry through Europe's legal framework. It also runs the Transparency & Consent Framework (TCF), a system through which adverts are served. The TCF is the code that carries information on an individual’s decision on whether they're tracked and by who.

A new ruling by 28 EU data protection authorities has found that IAB Europe commits multiple violations of the GDPR in its processing of personal data through the TCF and the realtime bidding system OpenRTB (through which adverts are sold). Essentially, it is saying that these pop-up consent forms are in breach of the principles they were supposed to serve and are therefore illegal.

(Image credit: Photo by Tingey Injury Law Firm on Unsplash.)

The judgement reads, in part: "The approach taken so far does not meet the conditions of transparency and fairness required by the GDPR. Indeed, some of the stated processing purposes are expressed in too generic a manner for data subjects to be adequately informed about the exact scope and nature of the processing of their personal data."

The TCF is said to have "systematic deficiencies" and "supports a system posing great risks to the fundamental rights and freedoms of the data subjects, in particular in view of the large scale of personal data involved, the profiling activities, the prediction of behaviour, and the ensuing surveillance of data subjects."

Design that irritates users and makes consent unclear was also a part of the reasoning behind this: "in its current set-up [the TCF] does not comply with the obligations arising from the transparency principle."

"This has been a long battle", said Dr Johnny Ryan of the Irish Council for Civil Liberties. "Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies."

The ICCL summarised what the judgement said about how the TCF infringes the GDPR:

  • Fails to ensure personal data is kept secure and confidential (Article 5(1)f, and 32 GDPR).
  • Fails to properly request consent, and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by the online advertising tracking (Article 5(1)a, and Article 6 GDPR).
  • Fails to provide transparency about what will happen to people’s data (Article 12, 13, and 14 GDPR).
  • Fails to implement measures to ensure that data processing is performed in accordance with the GDPR (Article 24 GDPR).
  • Fails to respect the requirement for “data protection by design” (Article 25 GDPR).st

The judgement comes with a fine of €250,000 but that's small next to the other requirements: essentially, advertisers will have to delete the data gathered using the pop-ups which, if this judgment comes into effect as planned, will impact over 1,000 companies including the big beasts like Amazon, Google, Meta and Microsoft.

Furthermore, the IAB has to make the TCF GDPR-compliant, carry out a data protection impact assessment, and pay a data protection officer to oversee it. It has two months to come up with a draft plan "for the processing and dissemination of users' preferences within the context of the TCF" and six months to implement it.

The implications for individuals, advertisers, and publishers across Europe could be enormous. Not least exactly how the above can be done in a way that satisfies the EU, and what will replace it. A system that the entire industry is built on in this region of the world is facing at best huge changes.

The onus is now on the IAB's substantive response and how it proposes to get the TCF in line with what the European regulatory authorities want. In a statement responding to the ruling it said:

"IAB Europe acknowledges the decision announced today by the Belgian Data Protection Authority (APD) in connection with its investigation of IAB Europe. We note that the decision contains no prohibition of the Transparency & Consent Framework (TCF), as had been requested by the complainants, and that the APD considers the purported infringements by IAB Europe that it has identified to be susceptible of being remedied in six months.

"We reject the finding that we are a data controller in the context of the TCF. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge."

Does this mean the end of consent pop-up spam in Europe? Probably not, but it does show that regulators recognise problems with the system as it exists, and are serious about enforcing change. Whether this will lead to increased clarity and control over how EU citizens' data is used remains to be seen. After all, if the advertising industry is good at anything, it's putting lipstick on a pig.

If you're a glutton for legalese, here is the full judgement.

Rich Stanton

Rich is a games journalist with 15 years' experience, beginning his career on Edge magazine before working for a wide range of outlets, including Ars Technica, Eurogamer, GamesRadar+, Gamespot, the Guardian, IGN, the New Statesman, Polygon, and Vice. He was the editor of Kotaku UK, the UK arm of Kotaku, for three years before joining PC Gamer. He is the author of a Brief History of Video Games, a full history of the medium, which the Midwest Book Review described as "[a] must-read for serious minded game historians and curious video game connoisseurs alike."