Northdoor comment:
The Interactive Advertising Bureau (IAB) Europe’s cookie consent framework, used by thousands of European companies, including Google, is likely to be found in violation of GDPR.
If the ruling by the Data Protection Authority finds IAB Europe has breached regulation, it will invalidate every consent platform that uses the framework with huge consequences.
After a year of investigations, the Data Protection Authority (DPA) is in the final stages of drafting a ruling on the IAB Europe’s Transparency and Consent Framework (TCF). Initially highlighted by the Belgian DPA, the TCF is the tracking pop-up used by almost all European websites and apps to manage cookie consent.
The TCF was intended to be an industry standard for keeping tabs on users who have opted in or out of ad tracking, helping to ensure adherence to GDPR. However, the DPA is expected to find that the framework actually violated GDPR’s transparency guidelines, processing very sensitive data without explicitly gaining user consent.
The TCF is not the first widely used application to come under suspicion of not adhering to GDPR. Earlier this year Zoom video calls were highlighted by a German DPA as possibly breaching GDPR rules. This trend of widely used applications coming under regulatory scrutiny should be of real concern for all companies. Keeping track of a constantly changing regulatory landscape is not easy, especially when control of data practices often fall between roles within organisations or are left to individuals to manage.
If the ruling goes ahead, European advertisers will not just need to quickly find alternative tracking solutions but will also need to contend with possible further restrictions to consumer data.
If the ruling by the Data Protection Authority finds IAB Europe has breached regulation, it will invalidate every consent platform that uses the framework with huge consequences. Share on XA decision against IAB Europe would invalidate every consent management platform that uses the framework by making cookies collected by publishers, unconsented. This would impact thousands and thousands of companies across Europe.
For example, most European advertisers would be unable to use cookie attributes to target customers for campaigns. It would also negatively impact a large number of companies that rely on mobile tracking and targeting and send all companies scurrying to find alternative, compliant, tracking solutions.
Essentially, IAB Europe has deprived hundreds of millions of people their fundamental rights and we would expect the DPA to come down hard on the industry and implement further, more stringent conditions on data collection and use.
It highlights the seriousness which DPAs across Europe are taking GDPR breaches and protecting the public’s data. It also proves companies cannot be complacent with their approach to GDPR and need to be constantly assessing their adherence.