Home / SmartTech / IAB Europe’s ad tracking consent framework has not met the TechCrunch GDPR standard

IAB Europe’s ad tracking consent framework has not met the TechCrunch GDPR standard

According to its EU data protection officer, a flagship framework for obtaining the consent of internet users for targeting with behavioral ads, which was developed by IAB Europe, a body in the advertising industry, does not meet the required statutory data protection standards.

The Belgian Data Protection Agency’s investigation follows complaints about the use of personal data in real-time bidding (RTB). Part of programmatic advertising.

The IAB Europe’s Transparency and Consent Framework (TCF) appears across the regional web, encouraging users to accept (or decline) ad trackers – with the stated aim of helping publishers comply with EU data protection regulations.

It was the response of the advertising industry body to a major update of the block̵

7;s data protection provisions under the General Data Protection Regulation (GDPR). went into effect in May 2018 – tightening the standards for consent to the processing of personal data and introducing excessive penalties for violations – increasing the legal risk for the ad tracking industry.

IAB Europe launched the TCF in April 2018, saying at the time that it would “help the digital advertising ecosystem meet its obligations under the GDPR and the Electronic Communications Privacy Policy”.

The framework has been largely adopted, including by the adtech giant Google, who integrated it in August. Beyond Europe, the IAB recently urged that a version of the same tool be used to “comply” with California’s consumer law.

However, the results of the investigation department of the Belgian DPA cast doubts on all of this assumption – which suggests that the framework is inadequate.

The inspection service of the Belgian data protection authority found a number of findings in a report audited by TechCrunch – including that the TCF does not comply with the GDPR principles of transparency, fairness and accountability, as well as the legality of processing.

It is also noted that the TCF does not have adequate rules for processing specific category data (e.g. health information, political affiliation, sexual orientation, etc.) – it does process that data.

There are other extremely embarrassing results for IAB Europe where the regulator has not appointed a data protection officer or kept a register of its own internal data processing activities.

It was also found that there is no separate privacy policy.

We asked IAB Europe to comment on the results of the supervisory authority.

A number of complaints have been filed against RTB across Europe in the past two years, starting in the UK and Ireland.

Dr. Johnny Ryan, who filed the original RTB complaints and is now a Senior Fellow with the Irish Council for Civil Liberties, told TechCrunch, “The TCF was an attempt by the tracking industry to veneer or quasi-legalize the massive data Belgian data protection agency, at the heart of the behavioral advertising and tracking industry, is now peeling the veneer and exposing the illegality. “

Ryan previously described the RTB problems as “the largest data breach ever recorded”.

Last month he released another hair-raising evidence dossier about the amount of and worrying RTB disclosures about personal information. Findings included that a data broker used RTB to profile people to influence the 2019 Polish parliamentary elections by targeting LGBTQ + people. Another data broker was found to profile and target Internet users in Ireland under the categories of ‘substance abuse’, ‘diabetes’, ‘chronic pain’ and ‘sleep disorders’.

In a statement, Ravi Naik, the attorney who worked on the original RTB complaints, said of the Belgian regulator’s findings: “These findings are harmful and overdue. As a standard setter, the IAB is responsible for violations of the GDPR. Your supervisory authority has rightly determined that the IAB “neglects” the risks for data subjects. The IAB is now responsible for stopping these violations. “

After filing RTB complaints, the UK data watchdog ICO warned against behavioral advertising in June 2019 and urged the industry to take note of the need to comply with data protection standards.

However, the regulator has not taken any enforcement action – unless you count several lightly worded blog posts. Most recently, it suspended its (ongoing) investigation into the problem because of the pandemic.

In another development last year, Ireland’s DPC launched an investigation into Google’s online advertising exchange looking into the lawful basis for processing personal data. But this investigation is one of the scores that remains open on the desk. And the regulator continues to face criticism for how long it takes to make decisions on major cross-border GDPR cases related to big tech.

Jef Ausloos, a postdoctoral researcher in data protection at the University of Amsterdam – and one of the complainants in the Belgian case – told TechCrunch that the DPA’s move is putting pressure on other EU regulators and calling for what it calls “complete” called “inaction of the deer in the headlights”.

“I think we will see more of this in the months / years to come, meaning other DPAs are sick and tired and taking matters into their own hands instead of waiting for the Irish,” he added.

“We are delighted that a data protection authority has finally decided to take over the online advertising industry at its roots. This could be the first important step to fight surveillance capitalism, ”Ausloos said in a statement.

There are still a few steps to be taken before the Belgian Data Protection Authority takes (any) action on the content of their supervisory authority’s report – with a number of steps still pending in the regulatory process. We asked the Belgian data protection authority for a comment. However, according to the complainants, the regulator’s findings have been forwarded to the Trial Chamber and action is expected in early 2021. This suggests that data protection officers in the EU may finally be able to protect their rights against the ad tracking industry / data industry complex.

For publishers, the message must be changed How They monetize their content: alternatives to scary ads that respect rights are possible (e.g. contextual ad targeting that doesn’t use personal data). Some publishers have already found that moving to contextual ads is good news. Subscription business models are also available.

Source link