Legitimate interest is not legitimate

With the long running arguments about tracking and replacements, such as Google’s Topics, the Belgium this week made a legal decision that has been obvious since the beginning of GDPR, that ad-tracking is not a legitimate interest and the advertising companies, including Google, Amazon and Microsoft, have to delete all of their tracking data on EU citizens collected through the (non-compliant) consent forms of IAB Europe - i.e. if a website uses the IAB’s cookie consent tool (Transparency & Consent Framework (TCF)), the consent is invalid, as their legal fallback of always having “legitimate consent” activated and the slider disabled is illegal, as legitimate consent is not valid, when it comes to data privacy under GDPR Article 5(1)a, and Article 6, when it comes to advertising tracking.

The DP watchdog also cited additional GDPR breaches, namely that: consent was not “properly requested”; there was not enough “transparency about what will happen to people’s data (articles 12, 13, and 14)”; there was a failure to “implement measures” to ensure data processing was compliant with the GDPR (article 24); and that IAB failed to respect the requirement for “data protection by design” (article 25).

Ouch, so the IAB’s TCF was illegal from the get-go. The data protection officer of the company has to be involved from the initial project conception onwards and they must ensure that the project adheres to the legal framework of GDPR, which sounds it like wasn’t the case here.

IAB Europe has argued that it can’t be held responsible for the alleged illegal practices of “RTB participants, as the TCF is completely separate from RTB.” The litigation chamber conceded that IAB Europe was not “a data controller in that context,” but maintained that because “TCF is the tool on which OpenRTB relies to justify its compliance with the GDPR,” it “plays a pivotal role as regards the OpenRTB.”

And this is why the users of OpenRTB are now in hot water.

TCF is a “consent solution” designed to help online ad-slingers to show they comply with the EU’s General Data Protection Directive (GDPR) and ePrivacy Directive when they process personal data or accessing and store information on a user’s device. Broadly, this includes cookies, ads IDs, ways to identify users’ devices and more. The data is then sold via real-time bidding (RTB), which automatically matches adverts with the viewers whom advertisers want to reach (based on data collected).

The litigation chamber ruled:

[A]ny personal data collected so far by means of a TC String in the context of the globally scoped consents, which is no longer supported by IAB Europe, shall be deleted without undue delay by the defendant. In addition, the Litigation Chamber orders the defendant to prohibit the use of legitimate interest as a legal ground for processing by the organisations participating in TCF in its current format, via its terms of use.

Not surprisingly, IAB said that they don’t believe the judges and the lawyers understand the law as well as they do and that the judges came to the wrong decision, because IAB understands the law better than professionals.

It also noted in a recent report it commissioned by GfK that “digital advertising in the EU generates annual revenues of €41.9bn, with growth of 12.3 per cent yoy,” that “behavioural targeting is used in 66 per cent of all digital advertising and contributes to 90 per cent of digital advertising growth,” and that “69 per cent of Europeans are willing for their browsing data to be shared for advertising, in order to access digital content such as news articles and online video, for free.”

Yeeess, so a self-funded report says people who can’t make their consent properly known through their tool anyway, don’t care about their data being used in this way.

Ryan has previously touted the benefits of contextual targeting , such as that used by privacy-focused search engine DuckDuckGo, citing a study showing a Dutch national broadcaster got more ad revenue when it stopped tracking users than it had netted when it followed them.

Johnny Ryan was previously at Brave. But this is in essence what I’ve been saying for years, the so-called targeting of advertising is pretty useless and contextual targeting (advertising based on what the site visitor is currently viewing) is more effective.

It has 2 months to submit a plan on how it will implement a compliant system to replace TCF (or change TCF to be compliant), if it fails to submit the plan in time, it will be fined 2,000€ a day. It has 6 months to implement the changes and be fully compliant.

In the US, advertisers are facing a similar threat in the new Banning Surveillance Advertising Act.


Wow, that seems like a big verdict if it holds up.

1 Like

Noted that the article said the IAB has 30 days to appeal. What’s the appeals situation in this court? Could this decision, and any resulting action, be delayed for years?

Given that the case was first lodged last summer, it looks like the Belgium justice system is relatively quick.