Consent fatigue: IAB cookie tracking pop-ups illegal, say GDPR regulators; Australian privacy review even tougher, industry faces consumer opt-out stampede on data collection, behavioural tracking
The marketing and advertising industry's wholesale adoption of cookie consent pop-ups, designed by the IAB Europe to meet GDPR compliance on privacy, appears to have been entirely wayward and about to to be outlawed, sending brand owners, media companies and tech players scrambling. The move by European regulators comes just as Australia is set to face even tougher GDPR rules proposed in the Federal government's privacy review, released two weeks ago, which has been met with ambivalence by some parts of the industry.
What you need to know:
- IAB Europe says it believes Belgium's data protection authority will shortly release a decision that finds the entire system of cookie consent pop-ups are in breach of GDPR. And, as a result, IAB Europe is also in breach of the stringent data protection laws.
- The Australian government recently released a discussion paper ahead of a privacy overhaul, flagging major reform - some of which may go further than GDPR.
- UNSW Business School's Peter Leonard said Australian industry faces "significant jeopardy" under new proposals to the Privacy Act, particularly around "digital advertising practices".
- It means current practices such as credit card data being matched to online audience behavioural profiles by brand owners, and media and tech companies, will likely cease, said The Guardian Australia's Managing Director Dan Stinton.
- Per Stinton: "Our industry has largely operated on the premise that you can collect as much consumer data as you want, as long as you can't re-identify an individual."
- On the impending European decision, one of the complainants, Dr Johnny Ryan of the Irish Council for Civil Liberties said: “IAB Europe created a fake consent system that spammed everyone, every day, and served no purpose other than to give a thin legal cover to the massive data breach at the heart of online advertising. We hope the decision of the Belgian Data Protection Authority will finally force the online advertising industry to reform”.
Cookies crunched
The near ubiquitous pop-up cookie consent system created by the IAB – and adopted by Google last year, and longer by a vast majority of websites in Europe and Australia – looks set to be ruled illegal, breaching the region’s General Data Protection Regulation (GDPR). Brands and tech and media companies will have to rapidly rework their expectations for gaining consumer consent and disclosure for online data collection and use.
IAB Europe is now in the firing line with its widely adopted and contentious pop-up consent notice standards, this week releasing a pre-emptive statement warning it believes Belgium’s data protection authority (DPA) will soon find the organisation has breached GDPR. Belgium's ruling is expected to be adopted across Europe.
Australian companies have broadly adopted similar online user tracking disclosure and consent techniques but will face "significant jeopardy" under new proposals to the Privacy Act, according to UNSW Business School's Professor of Practice, Peter Leonard, who said the Federal Attorney General is essentially heading to a "beefed-up GDPR".
It means current practices such as credit card data being matched to online audience behavioural profiles by brand owners, and media and tech companies, will likely cease, said The Guardian Australia's Managing Director Dan Stinton. "Our industry has largely operated on the premise that you can collect as much consumer data as you want, as long as you can't re-identify an individual."
But under the proposed changes to Australian privacy law, geo-location tracking of users and personal and device identifiers are also set to face much tougher disclosure criteria and ultimately likely to trigger widespread public refusal of current data collection, profiling and sharing practices.
"We see over 80 per cent of consumers saying they don't want things like their unique IDs shared with other parties..." said Lauren Solomon, CEO of the Consumer Policy Research Centre, in a Mi3 podcast with Leonard, Stinton and former NSW Deputy Privacy Commissioner and now Principal at Salinger Privacy, Anna Johnston. "Our research shows 70 per cent of consumers saying they are accepting [consent] terms even if they are not comfortable with them. When we ask why, three quarters are saying it's because it's the only way to access the product ... it's a take it or leave it proposition."
Anna Johnston stated that under a new "fair and reasonable" test adopted from Canada by the Australian Federal Attorney General's privacy reform proposals, "anonymised" user information will face much tougher hurdles. "[Companies] need to apply that decision making to online behavioural tracking, for example, or pulling together things into your customer profiling, making decisions about how we profile our customers, how we market to them, how we spend our advertising dollar," she told Mi3.
"We know that individuals can be tracked online, targeted for advertising and misinformation campaigns. Too many of those kind of behaviours have escaped regulatory action because today they've been able to say 'well we didn't know who the person was at the other end of that IP address that we were targeting, therefor our privacy obligations don't exist. That's the big change."
UNSW's Peter Leonard, also principal at Data Synergies, warned the Australian privacy reforms "create some real potential exposures for businesses, particularly in respect of digital advertising practices."
Killing time
A key challenge for European and Australian industry is that it appears to have been lulled into false security by a lack of enforcement and rulings by regulators, three years after GDPR went live. That now looks set to change.
The impending – and potentially explosive – European decision comes about a year after the Belgian DPA found IAB Europe’s Transparency and Consent Framework (TCF) did not meet GDPR's legal standards. The TCF is the system that allows users to choose how their personal data is processed for digital advertising and measurement. The Belgian authority has spent the past year preparing its draft decision, which will have a wide-ranging impact on the European online advertising ecosystem.
“The draft ruling will apparently identify infringements of the GDPR by IAB Europe,” IAB Europe said in its statement. “But it will also find that those infringements should be capable of being remedied within six months.”
In its release, put out late on Friday afternoon, and not shared to the organisation's social media pages, IAB Europe said the decision is based on the Belgian DPA’s belief that TCF “TC Strings” – the actual digital signals that capture the user’s choices – are personal data and need to be treated as such. The authority apparently considers IAB Europe to be responsible for that data, but IAB Europe disagrees and cited "guidance from other DPAs up to now".
“IAB Europe has not considered itself to be a data controller in the context of the TCF. Therefore, it has naturally not fulfilled certain obligations that accrue to data controllers under the Regulation,” the organisation’s release said.
The Belgian DPA is expected to share its draft ruling with other European DPAs in the next couple of weeks. They will have 30 days to review it.
One of the complainants in this investigation, the Irish Council for Civil Liberties’ Dr Johnny Ryan, issued a statement over the weekend: “We have won. The online advertising industry and its trade body, 'IAB Europe', have been found to have deprived hundreds of millions of Europeans of their fundamental rights.”
Ryan is also spearheading a giant legal battle against the IAB and has argued Real Time Bidding is one giant data breach, as users’ behaviour, location and choices are broadcast to thousands of companies every day.
“Google and the entire tracking industry relies on IAB Europe’s consent system, which will now be found to be illegal," said Ryan.
“IAB Europe created a fake consent system that spammed everyone, every day, and served no purpose other than to give a thin legal cover to the massive data breach at the heart of online advertising. We hope the decision of the Belgian Data Protection Authority will finally force the online advertising industry to reform”.
IAB Australia declined to comment on the decision.