The Cookie Clutter Crumbles: Ad Tech Industry’s Consent Framework Isn’t GDPR-Compliant

EU data protection authorities say data acquired through a consent framework favored by industry must be destroyed, writes David Carroll.

The only interaction many people have with the European Union’s far-reaching data protection regulation– known as the GDPR– is through annoying cookie consent popups that clutter websites with what feels like “consent spam.” Some of us dutifully dodge these buttons, which are often A/B optimized, dark-patterned, deceptive user interfaces that serve mainly to geolocate the user. The diabolical aggressiveness of these consent boxes varies based on your residency. Europeans enjoy the least awful types. Most of us habitually acquiesce in resignation.

But today’s ruling by the Belgian Data Protection Authority on behalf of EU member states– in a case 5 years in the making– demonstrates that many of these cookie consent popups have always been unlawful, at least the ones built upon its Transparency & Control Framework (TCF), which was championed by the ad tech industry’s trade group, IAB Europe. As a result, more than 1,000 companies that pay IAB to use TCF– including Google, Amazon, and Microsoft– all have to destroy the ill-gotten data collected. The GDPR has finally shown its teeth.

The complaint was brought by individuals representing a group of civil society organizations from Ireland, Poland, the Netherlands, and Belgium. For those of us in the US, this emphasizes the importance of the right of private action in holding technology companies liable for their data protection abuses. This is a particularly nasty flash-point for data privacy bills in Washington DC and statehouses around the country. It’s no coincidence that tech industry lobbyists strenuously object to this essential legal feature. Clearly, private action can be an effective means to prosecute companies for their wrongdoing when laws are on the books that stick up for the rights of data subjects more than data collectors, which is probably why industry hates it with a fiery passion.

I used the right of private action in the UK to challenge the Cambridge Analytica companies for abusing the data of US voters in connection with the 2016 US presidential election. This yielded the only criminal prosecution of the companies by their regulator, the Information Commissioner’s Office. Without the right of private action, that notorious swashbuckling voter analytics shop would have escaped any meaningful legal penalties as it hastily folded.

It’s becoming a stretch to give industry trade groups that represent ad tech, such as IAB Europe, the benefit of the doubt when they develop schemes like TCF knowing they they may not be compliant with the law. Following the ruling, IAB issued a tone-deaf statement saying it “clears the way for work developing TCF into a formal GDPR Code of Conduct.” The preference for self-regulation is apparently hard to shake.

The Belgian data protection authority's decision against the 'Transparency & Consent Framework' (TCF) is a huge blow to the data industry, who aims to make pervasive digital tracking appear GDPR compliant by forcing everyone to deal with meaningless 'consent' popups all the time.

— Wolfie Christl (@WolfieChristl) February 2, 2022

Crucial to this “momentous” decision is the remedy. Rather than issue fines that end up on balance sheets as the cost of doing business, the European authorities reached deep into their regulatory toolbox and pulled out a powerful mechanism to punish the IAB and its members: disgorgement of data. It’s difficult to imagine a more effective deterrent than requiring bad actors to destroy their ill-gotten gains.

Unfortunately though for the United States– which does not benefit from a national, horizontal, generalized data protection law, instead hindered by porous and deferential sectoral privacy laws– the ability of our default privacy regulator to seize illicit data has been hobbled by a conservative Supreme Court. Clearly, lessons must be learned from the world’s largest economic bloc, decades ahead of the US on establishing a potent data protection regime based on human rights and dignity rather than a finders-keepers-losers-weepers privacy stance, where pretty much anything goes and getting slapped on the wrist by the FTC is a badge of honor.

Today’s ruling is a major victory for the rights of data subjects in Europe, and it puts the surveillance capitalism industrial complex on notice. Privacy professionals and lawyers will have a field day delving into the nuances of the GDPR enforcers decision, but the big picture is coming into focus for the rest of us mere mortals. Manipulating people into consent and flouting the EU is not a sustainable business practice. The sooner that US industry lobbyists and lawmakers from both sides of the aisle decide that the protections established by the GDPR are the baseline for what is necessary to preserve privacy and put proper constraints on the free flow of data, the better.