Cookie pop-ups, and the data behind them, ruled illegal

Hate pop-ups that interrupt your web browsing — and probably come with consequences you don’t fully understand? Well, there’s hope.

When Europe passed its ambitious law designed to protect consumer privacy, known as GDPR, many Internet users noticed only one impact — annoying pop-ups jammed with mini-privacy policies.  To any level-headed person, the small windows were an annoyance clearly designed to get in your way – and get a check in a box so companies could continue tracking your online travels. Consent spam, they have come to be called. Most users clicked click “agree” to get on with their day, effectively granting thousands of companies the ability to trade in intimate details of their digital lives.

A ruling by European regulators this week holds out the promise that consent spam and GDPR pop-ups will soon be gone. And so too could be gigantic databases of user information collected using this method, including giants like Microsoft and Google.

When GDPR – Europe’s General Data Protection Regulation — took effect, advertisers had to come up with a way to get user consent for data collection. The industry came up with something called the “Transparency & Consent Framework (TCF),” managed by the online advertising industry’s trade body, known as IAB Europe.  In order to prevent a massive disruption in the background magic which matches ad buyers to users several billions of times per day — a system known as real-time bidding — IAB Europe invented the system we now know as consent spam.

The pop-ups were a source of user frustration, but more critically, much sarcasm.  U.S. critics have been fond of saying GDPR made life even worse for Netizens, adding annoyance while hardly protecting their privacy.

That’s why this week’s ruling is significant to policy-makers and users alike.

Johnny Ryan, a fellow at the Irish Council for Civil Liberties and a principal complainant in the case, wrote on Twitter that the “popups were not a symptom of the law, but of the tracking industry attempt to undermine the law.” EU regulators now agree with him.

Belgian’s Data Protection Authority ruled this week that the pop-ups violated the spirit and the letter of the GDPR — Europe’s General Data Protection Regulation. The authority found: The consent spam fails to provide real transparency about what happens to user data; fails to ensure the data is kept secure and confidential; and fails to properly request consent.

In a statement, the ICCL said that the popups support “a system posing great risks to the fundamental rights and freedoms of the data subjects, in particular in view of the large scale of personal data involved, the profiling activities, the prediction of behavior, and the ensuing surveillance of data subjects.”

IAB Europe was fined and ordered to come up with a plan to fix its system within two months. Perhaps more important: data collected through the system must now be deleted.

When I interviewed Ryan for a podcast recently, he called real-time bidding the largest data breach of all time.  The legal finding could be very expensive for Big Tech: The ICCL says that it means “All data collected through the TCF must now be deleted by the more than 1,000 companies that pay IAB Europe to use the TCF. This includes Google’s, Amazon’s and Microsoft’s online advertising businesses.”

“This has been a long battle”, Ryan said. “Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies”.

Indeed, privacy rulings take a long time.  The consent framework was originally found to be in violation of the GDPR back in October 2020.

IAB Europe has 30 days to appeal this latest ruling, which was supported by 27 other European privacy commissioners.

“We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry,” the IAB said. “We are considering all options with respect to a legal challenge.”

Just when might consumers start seeing fewer popups in their clickstreams? Or when might they learn their personal information, collected improperly, has been deleted? That remains to be seen. Chris Olson, CEO and founder of The Media Trust, wasn’t terribly optimistic that change would come quickly.  For starters, he’s worried the role of pop-ups might even expand as publishers try to lawyer their way into compliance with this ruling.  Also, much of the data that has been declared illegally collected has already been onpassed over and over, making it impractical to delete from the larger data collection ecosystem.

Here’s what he told me:

“With the Belgian Court’s judgment against the IAB TCF, what was once a matter of debate is now beyond dispute: the concept of CMPs does not meet the standards or spirit demanded by emerging data privacy legislation. In the long run, however, this ruling may prove to be a pyrrhic victory. First of all, users will not see consent pop-ups disappearing any time soon. The IAB has six months to revise its framework, and when it is finished, pop-ups may become even more unwieldy in the struggle to provide users with ‘sufficiently specific’ information.

“Second – while we expect big players to minimally comply with the TCF’s data deletion orders – in many cases it will be impossible to distinguish data that was gathered illegally from data that was obtained by legitimate means, and not always by accident. In all likelihood, much of the data collected under the TCF before this week will remain on the books, integrated into customer profiles, CRM and marking tools, etc. More concerning, advertisers and publishers won’t be able to control any data gathered by digital third parties without their permission.

“Today, the biggest risk to users’ data privacy does not come from advertisers who are struggling – however unsuccessfully – to comply with GDPR: it comes from unregulated vendors who neither seek consent, nor respect it. Until now, third parties have been an afterthought in most data privacy legislation, if they are even mentioned at all. Going forward, they must become a key part of the push to assure consumers of digital safety and trust.”

Meanwhile, for more: Ryan’s Twitter thread makes the ruling easy to digest

If you are more ambitious, you can read the full decision here.






Don’t miss a post. Sign up for my newsletter

About Bob Sullivan 1644 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.