GDPR enforcer rules that IAB Europe’s consent popups are unlawful

It was obvious to anyone technical they didn&#x27;t work as they presented themselves to work, but it takes time for the courts to deal with such things.<p>They are also totally annoying and I suspect there primary purpose was to annoy users and not actually comply with the GDPR. It was a way for these companies to fight the GDPR with a war of attrition. I&#x27;m glad you see with this round hasn&#x27;t worked... Yet.<p>I suspect that based on this ruling, things will not get better, as in providing a less annoying user experience and more compliance with the GDPR. Instead I predict another round of pseudo compliance and a more annoying user experience. Eventually they&#x27;ll start a policy campaign in earnest stating that the GDPR is unworkable.

This headline and article is a gross misrepresentation of the ruling. The ruling is that the TCF consent string contains personal data and that the IAB is the data controller for this bit of data. This ruling has no impact what so ever on consent popups. It basically &quot;just&quot; trashes the industry standard that is used to pass consent signals. There are plenty of custom or non TCF implementations (all equally awful) of consent dialogs.<p>This ruling puts Google and FB in a much more powerful position - because they do not have to rely on standards like TCF to pass consent signals.<p>Instead of going after publishers and website owners who integrate these popups in the first place - they went after the inventor of the spec.

A new job opportunity has come up :)<p><a href="https:&#x2F;&#x2F;iabeurope.eu&#x2F;blog&#x2F;want-to-join-the-iab-europe-team-new-position-available-privacy-counsel&#x2F;" rel="nofollow">https:&#x2F;&#x2F;iabeurope.eu&#x2F;blog&#x2F;want-to-join-the-iab-europe-team-n...</a>

&gt; <i>The Belgian Data Protection Authority said IAB Europe “was aware of risks linked to non-compliance” and “was negligent”. It also found that IAB Europe had failed to honour its data protection obligations to maintain records of data processing (Article 30 GDPR), to conduct a data protection impact assessment (DPIA) (Article 35 GDPR), and to appoint a Data Protection Officer (Article 37 GDPR).</i><p>Even if you were to give IAB the greatest possible benefit of the doubt, the fact that they didn&#x27;t appoint a data protection officer makes it clear just how little they care(d).

Nonsurprisingly, the Interactive Advertising Bureau has a slightly different spin on the ruling [1]: &quot;APD Ruling Clears Way For Work on Developing TCF into a Formal GDPR Code of Conduct&quot;.<p>I&#x27;m surprised that ICCL very assertively states that all data collected through TCF must be deleted. The Belgian DPA only mentions a €250.000 fine and gives IAB two months to present an action plan [2]. Interesting to see how this plays out. :)<p>[1] <a href="https:&#x2F;&#x2F;iabeurope.eu&#x2F;all-news&#x2F;apd-ruling-clears-way-for-work-on-developing-tcf-into-a-formal-gdpr-code-of-conduct-iab-europe-statement-on-the-apd-decision-announced-today&#x2F;" rel="nofollow">https:&#x2F;&#x2F;iabeurope.eu&#x2F;all-news&#x2F;apd-ruling-clears-way-for-work...</a> [2] <a href="https:&#x2F;&#x2F;www.dataprotectionauthority.be&#x2F;citizen&#x2F;iab-europe-held-responsible-for-a-mechanism-that-infringes-the-gdpr" rel="nofollow">https:&#x2F;&#x2F;www.dataprotectionauthority.be&#x2F;citizen&#x2F;iab-europe-he...</a>

Some crazy figures here:<p>The maximum fine for such a breach is 4% of the company&#x27;s global revenue.<p>Microsoft, in 2021, turned over $168Bn. Google turned over $181.69Bn. Amazon turned over a staggering $457.96.<p>Between them they had a combined turnover of $807.65Bn, making them liable for a fine of up to $32.3Bn per year (assuming revenue is flat and they all get hit for the maximum penalty and don&#x27;t do any kind of damage limitation).<p><i>The EU general budget in 2019 was only €148.2Bn</i>. So such a fine would actually cover nearly 20% of the running cost of a 27 member multilateral trading entity with a population larger than the United States.

We designers must reasonably but seriously convey the user-hostility of these patterns to higher-ups at every available opportunity. Sure, you&#x27;ll get overruled by the dollar-focused Jr. Marketing Exec. On the other hand, the folks who say things like &quot;Refuse! It&#x27;s a designers job to say no!&quot; probably have much bigger savings accounts than I and most others do... but not saying anything implies consent, and that&#x27;s when behavior that&#x27;s bad for your users and bad for the world become a silently absorbed into your corporate praxis.

This is amazing news.<p>I implemented GDPR consent management for some US publishers with EU exposure. As part of this I evaluated vendors and various systems like the IAB framework.<p>IMHO it was clear it was not compliant. It could never know the potential adtech it was going to load in advance (and therefore could not ask someone to consent), and it still allowed ads&#x2F;adtech&#x2F;trackers to load in page <i>before</i> asking for consent.<p>They ignored anyone who pointed this out.

This ruling should not be a surprise.<p>The writing has been on the wall for a long time that GDPR informed consent is to be interpreted in a narrow sense (i.e. actually being informed, not just clicking). And we know EU legal measures often take a long time but can bite hard. So here we are now!<p>[Edit]: Note that the decision can be appealed - so it&#x27;s going to be a long while before we get a final verdict.

Good, but i &#x27;d like to see someone going after the root perpetrators of this racket, the advertisers themselves. That industry is surprisingly immune from scrutiny despite the fact that they &#x27;ve wholesale sold their soul to google which is now both the buyer and seller of billions of advertiser money. They re just enabling the monopoly

Good. Now pick a random one of the companies that used this particular product&#x2F;service and make an example of them.<p>The problem I think until now has basically been that sites that rely on tracking ads <i>know</i> they are in violation. They don&#x27;t <i>want</i> to comply, because it would be too costly.<p>Basically, a meeting at one of these businesses (I&#x27;m imagining) has a conversation where people say &quot;Ok what do we do about the cookies? Unless we at least write the X and Y and Z tracking cookies, we can&#x27;t keep the lights on so we cant&#x27;t risk users just clicking &#x27;Reject all&#x27; and getting dumb ads. What should we do? I think we should use that dark pattern dialog which leaves X Y and Z on for 75% of visitors who just click the biggest button. That at least buys us some time. If regulators complain we can always change it&quot;.<p>A regulation that was scary enough would see sites prefer shutting down over using a dark pattern. For that to happen, the fines not only need to be big enough to be fatal to the business, they have to actually go further and be personal fines to key employees.

Whoopsie daisy! I&#x27;m sure IAB&#x27;s err was a total storm-of-the-century, couldn&#x27;t ever have been expected, failure of their otherwise iron clad commitment to honoring and respecting digital user privacy.

Anybody wants to shed some light what exactly was illegal at the consent popups? I think Google, Microsoft and others use all different&#x2F;branded popups, so I would want to know what the problem is there.

I can&#x27;t find any English language news about it, but Yahoo Japan are going to withdraw a bunch of services from Europe in April including webmail and news. They&#x27;re citing GDPR costs.<p>Edit: Apparently it&#x27;s been picked up since last time I looked: <a href="https:&#x2F;&#x2F;www.theverge.com&#x2F;2022&#x2F;2&#x2F;1&#x2F;22911965&#x2F;yahoo-japan-europe-offline-regulations-compliance-gdpr" rel="nofollow">https:&#x2F;&#x2F;www.theverge.com&#x2F;2022&#x2F;2&#x2F;1&#x2F;22911965&#x2F;yahoo-japan-europ...</a>

&gt;EU data protection authorities find that the consent popups that plagued Europeans for years are illegal. All data collected through them must be deleted. This decision impacts Google’s, Amazon’s and Microsoft’s online advertising businesses.<p>Laughable really. How the hell do you reconcile all this data and make the bean counters happy that yes: this is the data we collected through the popups over the years.

So, how long until at least one online media giant realizes that not tracking their users and good old display ads are the easy way out?

I don&#x27;t understand the findings. The TCF system doesn&#x27;t collect personal information. The spec is at [0]. CMPs are the popups responsible for creating the TCF string. The IAB provides a spec for how these should operate, but does not supply one of its own. These can absolutely misbehave, and the IAB has previously notified the adtech industry about known misbehaving CMPs.<p>[0] <a href="https:&#x2F;&#x2F;github.com&#x2F;InteractiveAdvertisingBureau&#x2F;GDPR-Transparency-and-Consent-Framework&#x2F;blob&#x2F;master&#x2F;TCFv2&#x2F;IAB%20Tech%20Lab%20-%20Consent%20string%20and%20vendor%20list%20formats%20v2.md" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;InteractiveAdvertisingBureau&#x2F;GDPR-Transpa...</a>

To be frank, the practical result of GDPR is that it made my browsing experience worse.<p>Nearly every website opens with an annoying cookie popup, often blocking the content (or reducing it to a fraction of my screen on mobile).<p>I&#x27;ve never once clicked &quot;Yes, track everything&quot;, except by accident when tricked into it by deceptive UI (eg. a button designed to look more inviting than its less invasive counterpart).<p>I get that wasn&#x27;t the intent, and there are less intrusive ways for companies to comply. But the result we ended up with is a mess.

Incredible.<p>On one hand our Data Protection Authority gets that done and on the other hand the European commission is about to start legal action against Belgium for GDPR infringements <a href="https:&#x2F;&#x2F;www.brusselstimes.com&#x2F;news&#x2F;belgium-all-news&#x2F;173086&#x2F;european-commission-general-data-protection-regulation-gdpr-legal-action-belgium-frank-robben" rel="nofollow">https:&#x2F;&#x2F;www.brusselstimes.com&#x2F;news&#x2F;belgium-all-news&#x2F;173086&#x2F;e...</a><p>And we just passed a law that permits our IRS to have our bank account&#x27;s data.<p>And there is an ongoing project to store and register citizens&#x27; health data in one single database, available to insurers and government agencies.<p>Over the last year there&#x27;s been drama and real concern around the DPA <a href="https:&#x2F;&#x2F;iapp.org&#x2F;news&#x2F;a&#x2F;belgian-dpa-director-resigns&#x2F;" rel="nofollow">https:&#x2F;&#x2F;iapp.org&#x2F;news&#x2F;a&#x2F;belgian-dpa-director-resigns&#x2F;</a> with director resigning and claiming pressure from the authorities post resignation (as PI rummaging through here trash bins).<p>We have a guy who single handedly decides if databases projects are OK with GDPR and privacy laws and he&#x27;s the one providing the software solutions.<p>Belgian surrealism at its finest.<p>I know there are people from the north on HN, I wonder what are their view on these matters ?

Americans think they can ignore the GDPR because it doesn&#x27;t apply to them. Guess again. Moreover, other countries outside the EU are modeling their own, new legislation on the GDPR. Eventually, the US private sector will be forced to implement the GDPR for convenience&#x27; sake. The only issue will be the finding that because of built-in,NSA&#x2F;FBI backdoors, data sent to the US cannot be secured under any circumstances.

Google, Amazon, and the entire tracking industry relies on IAB Europe’s consent system, which has now been found to be illegal following complaints coordinated by ICCL. EU data protection authorities find that the consent popups that plagued Europeans for years are illegal. All data collected through them must be deleted. This decision impacts Google’s, Amazon’s and Microsoft’s online advertising businesses.

Here is what I don&#x27;t understand. They clearly mean to ban online tracking. They make the laws. But instead of making a law that makes tracking illegal, they make a law that says you must consent, and leave blank what consent means. Then they make rulings about what consent means that amount to &quot;it is illegal to collect data for tracking.&quot; Why not just ban tracking and be done with it?

&gt; EU data protection authorities find that the consent popups that plagued Europeans for years are illegal. All data collected through them must be deleted. This decision impacts Google’s, Amazon’s and Microsoft’s online advertising businesses.<p>How much data is being collected through these pop-ups?

I seem to be the only HN user who really does not care at all if I am tracked. Judging from the horrible quality of ads I get, they&#x27;re infinitely far away from reaching an accurate model of my behavior.

earlier discussion here: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=29121848" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=29121848</a>

Collecting and selling digital data is not a legitimate business enterprise. It’s spyware.<p>If no one wants to pay for your product, the market has spoken. Too bad.<p>We must correct the insanity and digital economic imbalance that spyware businesses have created.

These GDPR banners have made the internet a worse place for most users IMO, there needs to be an easy way to consent to all tracking and skip the banners across all sites. I&#x27;m fine with this being opt in, but it should be easy to do on a &quot;normal&quot; browser (like chrome or edge including mobile) without the need for an extension. Forcing everyone to deal with these things is bad.

&gt; EU data protection authorities find that the consent popups that plagued Europeans for years are illegal.<p>Plagued Europeans? Are they seeing additional consent pop ups beyond the ones all the rest of us are tortured with?

Can someone explain to me what the actual ruling is? Is the agency in question out of compliance, their specific implementation of a consent pop up, or the entire concept of a consent popup?<p>We use a consent pop up for non-advertising related cookies. And I&#x27;m trying to figure out if we are no longer in compliance.

Those popups did teach one good thing: when you see &quot;legitimate interest&quot; you know you&#x27;re about to get scammed.

Oh no, I carefully trained google and Facebook to only show me ads about home renovation products by accepting cookies on specific webshops :&#x2F;<p>Only half joking here.

My favorite part is:<p>&gt; All data collected through the TCF must now be deleted by the more than 1,000 companies that pay IAB Europe to use the TCF. This includes Google’s, Amazon’s and Microsoft’s online advertising businesses.<p>It&#x27;s not just that they need to find new ways to screw users. It&#x27;s that since they screwed users, they also must lose their ill-gained data. Which will probably be a nice deterrent against them pulling the same shit again.<p>Edit: loose -&gt; lose

Hopefully the deletion includes both backups and any ML models trained on that data.

Coming up next: Full page with mandatory reading (through eye scanning which will require camera access with popup consent for camera access). Followed by a 10 Quizzes to test your understanding for what you consented for. Then an email&#x2F;ID verification to confirm your identity and consent.<p>This is going to be fun.

Finally! Some people keep arguing that GDPR is toothless and unenforced, but I think it&#x27;s just that it takes time to tame the wild west. It&#x27;s work in progress, and that progress is looking ok.<p>I really hope also pass at least the part of DSA where they make terminal signals for opting out of tracking legally binding.