They are also totally annoying and I suspect their primary purpose was to annoy users and not actually comply with the GDPR. It was a way for these companies to fight the GDPR with a war of attrition. I'm glad to see this round hasn't worked... Yet.
I suspect that based on this ruling, things will not get better, as in providing a less annoying user experience and more compliance with the GDPR. Instead I predict another round of pseudo compliance and a more annoying user experience. Eventually they'll start a policy campaign in earnest stating that the GDPR is unworkable.
Most ad-tech, and programmatic advertising, is not compatible with GDPR. I think that is intentional on part of the EU - and something I am a fan of personally.
The industry needs to shift - contextual ads or other innovations - others have done this. They refused to self-regulate all these years and had opportunity to move away from their invasive practices.
My hope is that ever more aggressive enforcement will finally lead us to the point where the dams break and everyone scrambles to get compliant at once.
The sooner, the better. But I realize that the legal system needs to ramp up the pressure, they cannot start with company-destroying fines on day one.
These rulings and fines keep me in good spirits, because I think we're actually getting there. Slowly, but still.
I predict all of this to fail, at considerable expense for the IAB and its clients. The GDPR is popular amongst us EU residents.
My fear is that if legislation works in the EU anything like it does in the US, then when it comes to things that the people like but the corporations do not like... Well, corporate interests win out. I suspect that the whole reason the GDPR was allowed to pass was the corporations figured they could ignore it. Now, finding out they can't, they will fight in earnest.
I do hope I'm just being old and cynical and I'm ultimately wrong.
This ruling puts Google and FB in a much more powerful position - because they do not have to rely on standards like TCF to pass consent signals.
Instead of going after publishers and website owners who integrate these popups in the first place - they went after the inventor of the spec.
See also page 126 for a summary of the ruling. An editorial of my favourites:
> order the defendant to
> a. prohibit, via the terms of use of the TCF, the reliance on legitimate interests as a legal ground for the processing of personal data by organisations participating in the TCF
> d. take technical and organisational measures to prevent consent from being ticked by default in the consent interfaces
> e. force consent management platforms to adopt a uniform and GDPR-compliant approach to the information they submit to users
IMHO, if they were really serious about this, they would have to go after the actual controllers (not the inventor of the spec) - mainly the actual websites that implement these (misleading) banners in the first place. It's beyond me how they can qualify the IAB as a controller when they never collect, process or store any of the TCF data.
If this wasn't so politically charged I'd say the IAB has a solid shot of getting this overturned in court.
https://iabeurope.eu/blog/want-to-join-the-iab-europe-team-n...
Even if you were to give IAB the greatest possible benefit of the doubt, the fact that they didn't appoint a data protection officer makes it clear just how little they care(d).
Unless you're fresh in the job market and still believe in the good of people, maybe.
I'm surprised that ICCL very assertively states that all data collected through TCF must be deleted. The Belgian DPA only mentions a €250.000 fine and gives IAB two months to present an action plan [2]. Interesting to see how this plays out. :)
[1] https://iabeurope.eu/all-news/apd-ruling-clears-way-for-work... [2] https://www.dataprotectionauthority.be/citizen/iab-europe-he...
2) In application of Article 100, §1, 10° DPA, order IAB Europe to permanently delete all TC Strings and other personal data already processed in the TCF from all its IT systems, files and data carriers, and from the IT systems, files and data carriers of processors contracted by IAB Europe;
Page 114.
[0] https://www.gegevensbeschermingsautoriteit.be/publications/b...
The maximum fine for such a breach is 4% of the company's global revenue.
Microsoft, in 2021, turned over $168Bn. Google turned over $181.69Bn. Amazon turned over a staggering $457.96Bn.
Between them they had a combined turnover of $807.65Bn, making them liable for a fine of up to $32.3Bn per year (assuming revenue is flat and they all get hit for the maximum penalty and don't do any kind of damage limitation).
The EU general budget in 2019 was only €148.2Bn. So such a fine would actually cover nearly 20% of the running cost of a 27 member multilateral trading entity with a population larger than the United States.
> their fine is 250k euros
Massive disconnect between reality and imaginary worlds.
When the EU sets a maximum fine level, that's there to give their courts discretion to drop the hammer on companies that have clearly been abusive. Expected practice there is more generally to lead with something that's more of a warning. Then, if they do it again, they can escalate toward the maximum.
The 32.3 billion figure there was the maximum possible fine for the combination of Microsoft, Google, and Amazon. Personally, I'm unclear on whether anyone besides IAB is currently being fined, but in either case, the point here appears to be to send the message "what you're doing isn't OK, clean it up now" rather than "all your revenue are belong to us".
For now.
Personally I'd refuse to add a dark pattern cookie dialog, but I'm in the privileged position of being able to switch jobs.
But regardless, I'd probably send the ethics hotline an email saying that regulations are violated. Perhaps I'd send an email to the relevant regulator too, just in case.
This isn't something that's inflicted on us by web developers (on the whole); it's done by accountants. So fines are the most appropriate remedy.
No judge wants to impose a fine that bankrupts a company; but fines that start gently, but double after each offence, are much more likely to cause the accountants to smell the coffee.
Discussing how we can make achievable improvements now is also important.
Hey, let's have sex.
<Silence>
WARNING: DO NOT ATTEMPT
You seem to have gotten confused as to the fundamental nature of consent.
See, the problem is it isn't put in writing. Putting things in writing gets people to pay attention.
I implemented GDPR consent management for some US publishers with EU exposure. As part of this I evaluated vendors and various systems like the IAB framework.
IMHO it was clear it was not compliant. It could never know the potential adtech it was going to load in advance (and therefore could not ask someone to consent), and it still allowed ads/adtech/trackers to load in page before asking for consent.
They ignored anyone who pointed this out.
The writing has been on the wall for a long time that GDPR informed consent is to be interpreted in a narrow sense (i.e. actually being informed, not just clicking). And we know EU legal measures often take a long time but can bite hard. So here we are now!
[Edit]: Note that the decision can be appealed - so it's going to be a long while before we get a final verdict.
Of course with underfunded government privacy enforcement bodies, that process takes a long time. And then there is Ireland.
The problem I think until now has basically been that sites that rely on tracking ads know they are in violation. They don't want to comply, because it would be too costly.
Basically, a meeting at one of these businesses (I'm imagining) has a conversation where people say "Ok what do we do about the cookies? Unless we at least write the X and Y and Z tracking cookies, we can't keep the lights on so we can't risk users just clicking 'Reject all' and getting dumb ads. What should we do? I think we should use that dark pattern dialog which leaves X Y and Z on for 75% of visitors who just click the biggest button. That at least buys us some time. If regulators complain we can always change it".
A regulation that was scary enough would see sites prefer shutting down over using a dark pattern. For that to happen, the fines not only need to be big enough to be fatal to the business, they have to actually go further and be personal fines to key employees.
In particular, the random number should be a point on an interval that is split into regions proportional to the size of the companies, so bigger companies are more likely to be selected.
Is there a name for such a weighted random system? It seems like it could be used in some non-deterministic electoral systems too (which isn't as bad an idea as it sounds).
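The interval-splitting scheme described above is usually called weighted random selection (also roulette-wheel or fitness-proportionate selection). Below is an added example, not part of the comment, using constructed sample weights standing in for company size; the uniform draw is passed in so the choice is reproducible.

```javascript
// Added example (not from the thread): weighted random selection.
// The unit interval is split into regions whose widths are proportional
// to the weights; a uniform draw u in [0,1) lands in one region and that
// item is selected, so larger weights are proportionally more likely.

function pickWeighted(items, weights, u) {
  if (!Array.isArray(items) || items.length === 0 || items.length !== weights.length) {
    throw new Error("items and weights must be non-empty and the same length");
  }
  if (!(u >= 0 && u < 1)) throw new Error("u must be a uniform draw in [0,1)");
  // Prefix sums give the right-hand edge of each region.
  let total = 0;
  const cumulative = weights.map((w) => {
    if (!(w >= 0)) throw new Error("weights must be non-negative numbers");
    total += w;
    return total;
  });
  if (total === 0) throw new Error("at least one weight must be positive");
  const target = u * total;
  // Binary search for the first region whose right edge exceeds target.
  // Regions are half-open, so a zero-weight item can never be chosen.
  let lo = 0;
  let hi = cumulative.length - 1;
  while (lo < hi) {
    const mid = (lo + hi) >> 1;
    if (cumulative[mid] > target) hi = mid;
    else lo = mid + 1;
  }
  return items[lo];
}

// Constructed sample: three companies with relative sizes 10, 30 and 60.
const SAMPLE_COMPANIES = ["SmallCo", "MidCo", "BigCo"];
const SAMPLE_WEIGHTS = [10, 30, 60];

// Empirical check with a small deterministic LCG: shares converge to the weights.
function estimateShares(items, weights, draws) {
  let state = 12345;
  const counts = Object.fromEntries(items.map((i) => [i, 0]));
  for (let n = 0; n < draws; n++) {
    state = (1103515245 * state + 12345) % 2147483648;
    counts[pickWeighted(items, weights, state / 2147483648)] += 1;
  }
  return Object.fromEntries(items.map((i) => [i, counts[i] / draws]));
}
```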
Companies will think twice about their approach of "claim compliance until proven otherwise and then take the wrist slap".
Put CEOs in prison and you'll see lasting change. As long as they can harm billions of people and only pay a modest fine in return, they will not change.
What would happen is that most of these major tech companies would simply ban all EU users.
If the EU wants to be shut out of most of the tech world, fine. Because that would absolutely be the result if all "tracking" was effectively blocked or stopped.
From a technical point of view, the tracking scripts are often loaded to begin with (where your IP address & browser fingerprint is already leaked) and declining tracking merely "asks them nicely" with no guarantee they'll obey the signal or whether the already-collected data (from just loading the script) will be deleted.
Edit: Apparently it's been picked up since last time I looked: https://www.theverge.com/2022/2/1/22911965/yahoo-japan-europ...
Laughable really. How the hell do you reconcile all this data and make the bean counters happy that yes: this is the data we collected through the popups over the years.
If you're not familiar with Northern European culture, I'm quite sure the companies can expect literal inspectors in their offices expecting clear answers to where the data is and what was done with it. They will be pleasant but firm, focused and unswerving. Infractions and evasions will be carefully noted. These notes will then form the basis of further lawsuits. These people are not fucking around.
You do inspections. You demand proof of compliance, and when said proof is deemed inadequate you sanction them until something adequate is provided.
Like everything else with law, it's fuzzy and ongoing.
If you then get a letter from the regulator stating that you were in violation, and have to delete some data, and you answer that you did, and signed it -- then you're likely up to criminal charges if that was a lie.
This is not a line most executives are comfortable with crossing.
If any subsequent GDPR shenanigans come up, and they found you intentionally lied to the regulators, you're in some deep shit.
There might or might not be auditors visiting you after the first letter. If you lie and are found out, your career is over, and you might wind up in prison.
It's not perfect for enforcing privacy, but it's much better than not having such a ruling.
Enforcement isn't the real crux of the issue, it's that for some reason it's uncouth to come out and say: this regulation is targeting known liars that we should expect to ratfuck the system as hard as possible.
If that was the commonly accepted understanding of those conmen, enforcement methodology would get solved quickly. Which is why they work so hard to not be seen as ratfuckers.
Engineering leaders now have ammo to push back against illegal roadmaps foisted on them.
[0] https://github.com/InteractiveAdvertisingBureau/GDPR-Transpa...
For example, HN probably collects my IP address under LI. Now it may be illegal for it to do that.
Nearly every website opens with an annoying cookie popup, often blocking the content (or reducing it to a fraction of my screen on mobile).
I've never once clicked "Yes, track everything", except by accident when tricked into it by deceptive UI (eg. a button designed to look more inviting than its less invasive counterpart).
I get that wasn't the intent, and there are less intrusive ways for companies to comply. But the result we ended up with is a mess.
It was about the practical effects that came about after the legislation was introduced. I hardly believe webmasters around the world coordinated a premeditated, mass conspiracy to annoy their visitors. I rather think the mess results from a misunderstanding on the part of businesses about what is actually required by the various legislation, complacence by the poor chap who's just trying to publish a site, and, yes, dark patterns on the part of platforms providing elements of the stack.
E.g. those annoying banners aren't needed if you construct your site to not use cookies at all, until they're actually required for functions a user explicitly requests. Platforms have no business asking for my consent in the first place to cookies they know darn well do not serve any bona fide interest for the user.
While the outcome isn't optimal (for the moment) we now at least see what's happening.
Actually it's the website operators that did that. The GDPR doesn't mandate all these cookie popups.
GDPR declared war on trackers. The popups are the trackers fighting back. We are civilians caught in a warzone. I for one hope that GDPR wins; but there's a way to go yet.
> there are less intrusive ways for companies to comply.
These intrusive ways are companies not complying. This is what is currently being litigated, an industry pulling out all the stops to not comply with the GDPR.
This ruling is a major victory along the way.
Then we could just set it in our browser settings.
On one hand our Data Protection Authority gets that done and on the other hand the European commission is about to start legal action against Belgium for GDPR infringements https://www.brusselstimes.com/news/belgium-all-news/173086/e...
And we just passed a law that permits our IRS to have our bank account's data.
And there is an ongoing project to store and register citizens' health data in one single database, available to insurers and government agencies.
Over the last year there's been drama and real concern around the DPA https://iapp.org/news/a/belgian-dpa-director-resigns/ with the director resigning and claiming pressure from the authorities post resignation (such as PIs rummaging through their trash bins).
We have a guy who single-handedly decides if database projects are OK with GDPR and privacy laws and he's the one providing the software solutions.
Belgian surrealism at its finest.
I know there are people from the north on HN, I wonder what their views are on these matters?
No. Freely and unambiguously given informed consent means that the users need to actually be able to understand what they consent to. Encrypting the information in a 500 page novel, obfuscating it beyond human ability to understand or interpret it, is not informed consent.
ToS are not currently under the same requirement of freely and unambiguously given informed consent. They just require consent, which for now has been interpreted to mean basically anything that a lawyer wants it to mean. People have given away their spiritual souls and first-born child in ToS, though the ability to enforce such contracts is open to debate.
- "First, the consent of the data subjects is currently not given in a sufficiently specific, informed and granular manner"
- "Second, the legitimate interest of the organisations participating in the TCF is outweighed by the interests of the data subjects, in view of the large-scale processing of the users’ preferences (collected under the TCF) in the context of the OpenRTB protocol and the impact this can have on them."
- "In the absence of systematic and automated monitoring systems of the participating CMPs and adtech vendors by the defendant, the integrity of the TC String is not sufficiently ensured, since it is possible for the CMPs to falsify the signal in order to generate an euconsent-v2 cookie and thus reproduce a "false consent" of the users for all purposes and for all types of partners. As indicated above, this hypothesis is also specifically foreseen in the terms and conditions of the TCF" - no way to verify consent
- "The Litigation Chamber also finds that the current version of the TCF does not facilitate the exercise of the data subject rights, especially taking into consideration the joint-controllership relation between the publisher, the implemented CMP and the defendant." - no way to revoke consent, or request your data
As to why the system ran for so long: yes, enforcement is (too) slow.
- Many complaints were made to several European DPAs in 2019.
- Litigation commenced 13 October 2020
- Interim Decision 8 January 2021, amended 23 February 2021
It looks like IAB made a lot of procedural complaints when it became clear their arguments were rejected
[0] https://www.gegevensbeschermingsautoriteit.be/publications/b...
I hope that they get fined billions for keeping it illegal for so long but I doubt it.
You can of course retain outside help to advise you but there's no guarantee that they are right and many of the consultancies and providers were incentivized to compete on maximum opt ins. Maybe the CMPs and the adtech companies can fight it out in court over whether the CMPs misled the adtech companies or they just gave the adtech companies options which the adtech companies misused.
The ruling is not just "fix your language", though that's what the industry will be incentivized to try, again. They all bandwagoned on hiding secondary opt out checkboxes under "legitimate interest" and this wrist slap tells them it's not ok:
> Fails to properly request consent, and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by the online advertising tracking (Article 5(1)a, and Article 6 GDPR)
> Fails to respect the requirement for “data protection by design” (Article 25 GDPR)
The route to complying is clear. Don't track without opt in. Know where the user data is going, not just "whichever vendor happens to be in the winning ad". Don't use dark patterns to encourage the opt in. It's the industry's attempts to bury its head in the sand because it hurts their bottom line and their search for increasingly convoluted workarounds that is making this complicated.
I guess it is the opposite. GDPR requires clear and understandable text in privacy policies.
We call that a privacy agreement. But having a proper privacy agreement that lists what data is collected and what happens with it is far from the only part of the ruling.
But put those civil servants in a committee in Brussels with not as much short term pressure, and they can work out regulations that achieve the right thing.
There's your error. GDPR is not about online advertising.
Things regulated by GDPR:
* CCTV in public spaces.
* Medical records.
* Employment records that businesses keep about their employees.
* Credit reports.
* Government records like voter databases and housing information.
* Trawling public business filings to send direct-mail spam.
* The loyalty card issued by your grocery store which tracks your purchases.
* The CRM database used by the sales guys in your SaaS company to keep track of hot leads.
GDPR regulates a wide array of data collection, and outright banning is not the correct solution for most of them. So it's about what obligations are attached to data collection and processing. Online advertising is only a small part of what's being regulated.
Even online, there are modes of data collection which are permissible. E.g. collecting anonymous site statistics for your own internal use. The obligations get harder and harder to satisfy when your business practice is to spread data hither and yon to whomever will pay a nickel for it.
Actually, this is not left blank at all...
--------------------
Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
Keep your consent requests separate from other terms and conditions.
Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
Be clear and concise.
Make it easy for people to withdraw consent and tell them how.
Avoid making consent to processing a precondition of a service.
https://ico.org.uk/for-organisations/guide-to-data-protectio...
The idea was to let users decide for themselves, case by case, whether they wanted the tradeoff of being tracked for the rewards (including things like saving your preferences).
The tracking industry didn't want to be banned and wouldn't give up without a fight, so they looked for a loophole in this fake consent spam.
So how do you define, in law, when a person legitimately wants a company to process their personal information, and when it should count as illegal tracking? The GDPR actually makes an attempt at defining this (doesn't just leave it blank), but many adtech companies just ignore this and break that law. See the article for an example.
How much data is being collected through these pop-ups?
So now they're being asked to delete their records of who opted in or out, because that data was illegitimately acquired.
[edit] This could also have implications regarding data collected through other systems based on the assumption that an opt-in was valid.
I'm also a local guide on Google Maps with a real photo, and my real name on the profile.
No different than getting spam snail mail that gets delivered to every house. Sure - you toss it in the recycling every week but someone will read it eventually and it’s basically nothing for the company to send out.
If no one wants to pay for your product, the market has spoken. Too bad.
We must correct the insanity and digital economic imbalance that spyware businesses have created.
According to who, you?
> It’s spyware.
How is it spying when the people are freely giving away their data?
> If no one wants to pay for your product, the market has spoken. Too bad.
Very true, however it's not clear how a truism about something else relates to the topic? Was this supposed to be persuasive about collecting digital data?
> We must correct the insanity and digital economic imbalance that spyware businesses have created.
Fair enough, but that entails not creating or fostering an imbalance by constantly providing the internet with your personal information.
Spyware is illegal. So it’s just a matter of defining the data collection practices of internet companies as spyware.
>How is it spying when the people are freely giving away their data?
It’s not “freely given away” when you need a team of attorneys to understand what you’ve agreed to and you have no audit rights. Point me to the public FB page where they clearly and easily define all points of data they collect.
> Fair enough, but that entails not creating or fostering an imbalance by constantly providing the internet with your personal information.
Quite absurd to take this position after big tech companies ruined the internet economy with their spyware model. Is it your position that these companies were just responding to consumer demand to unknowingly give up their data in exchange for free services?
>Very true, however it's not clear how a truism about something else relates to the topic?
The only reason we have this spyware economy is because tech companies thought it easier to grow their enterprise off spyware than selling a legitimate product at a price.
The ruling has proved that no, people are not freely giving away their data. One of the infringing issues is that the system "Fails to properly request consent."
If a business model depends on spying on users, it's not sustainable, and moreover, it's illegal in the EU. People are not giving their data away freely if they have a) no way of understanding the consequences of clicking a single button, b) get tricked into consenting using dark patterns, and c) their refusal to consent isn't even obeyed (TCF loads tracking scripts before users can consent).
In general, one of the requirements of the GDPR is that all information on usage of provided data has to be written in simple, comprehensible terms. Please tell me how you knew the implications of giving consent on a IAB site, namely your data being shared and sold across thousands of companies. If even techies fail to understand that, how can anyone expect that of ordinary people, our parents, kids?
It should be clear that with a law like the GDPR in effect, the IAB is acting unlawfully.
Or, to put it more briefly: "How is it spying when the White House employees freely hung up our gift painting with the bug in it on their wall?"
And at this point the free market can’t resolve this. The spyware model has absolutely ruined the internet economy. There is no way to compete against a spyware company with a paid product.
Is it "spyware" if I get someone to install it so that I can track my own activities?
Is it "spyware" if it is someone else's idea to install it and get data related to me but I know about it and I am OK with it?
> Collecting and selling digital data is not a legitimate business enterprise.
a whole international industry, legislators across the planet, entrepreneurs, employees, voters, users and clients disagree.
> If no one wants to pay for your product
who doesn't want to pay for the product?
It's not like the GDPR was one guy's idea that got formalized into law overnight. It has its roots in existing data protection legislation that is decades old as well as previous, failed attempts (ePrivacy directive aka cookie law), so there's equally a significant number of people who disagree with nonconsensual data collection.
Just browsing a website shouldn't be grounds to start tracking users.
Plagued Europeans? Are they seeing additional consent pop ups beyond the ones all the rest of us are tortured with?
Anyway, I'd prefer if we had privacy laws like this in the US too.
We use a consent pop up for non-advertising related cookies. And I'm trying to figure out if we are no longer in compliance.
I expected the answer is site and consent management system dependent, so where I really couldn't avoid one of these sites, I'd manually object to all legitimate interest first before pressing it. Such a PITA and probably pointless ultimately, but hey..
Only half joking here.
> All data collected through the TCF must now be deleted by the more than 1,000 companies that pay IAB Europe to use the TCF. This includes Google’s, Amazon’s and Microsoft’s online advertising businesses.
It's not just that they need to find new ways to screw users. It's that since they screwed users, they also must lose their ill-gained data. Which will probably be a nice deterrent against them pulling the same shit again.
Edit: loose -> lose
At best the companies will have to delete months of data, the rest being stale or already fed through some ML loop that extracted any useful value from it.
In effect this just encourages them to keep this practice going. This has to be treated like fraud.
Why isn’t anyone going to prison for this? Happens regularly with fraud.
This ruling should make it a lot harder for advertisers to hide behind the IAB though. One would hope that opens members up to more substantial fines in the future.
Unfortunately, there are reasons they want these cookies on there so badly that justify the cost to figure out how to comply with the policy and try again.
I mean, if you take a news website like The Independent, there's not a chance in hell that a competent design and engineering team would sign off on all the bullshit that is dumped on top of the page. It's always added on at runtime.
I wonder if this judgment opens them up to civil suits.
Attribution in advertising is something which can last months for some products, and it's doubtful that a large proportion of companies import from GA and will lose their ability to gauge current performance compared to the past.
The U.S. is never going to accede that its intelligence agencies cannot access data gathered by its Tech Giants. All claims and soothing words to the contrary are a false belief.
My town messed up on one of the billboards, though, and for a while commuters got to see "Booze it and Loose It!", which conveys a somewhat more carefree message.
there is no data collected via TCF:
https://github.com/InteractiveAdvertisingBureau/GDPR-Transpa...
CMPs are the popups that save the preferences and thus enable the collection of the data.
IAB only provides a spec.
The TCF is a spec, the industry agreed on this spec, built implementations and used it as justification of tracking. I think it's fair to call data collected by ads loaded under the idea that a valid implementation of the spec was proof of GDPR consent as "data collected through the TCF".
Anyway, this is the press release, not the ruling. See C.2 of the ruling if you want to nitpick the way this is actually being ordered.
https://www.gegevensbeschermingsautoriteit.be/publications/b...
If the true purpose of ads is just an innocent venture in creating beneficial user experiences with helpful suggestions, then we can improve that system by orders of magnitude by getting rid of distortions associated with paid placement.
Then we can reap all of the benefits without having to worry about the experience being compromised by the distorting effects of self-interest, associated with privileged placement in exchange for payment.
If only. Generally they just manage to show me ads to buy more of the stuff I just bought. Or something I looked at and decided not to buy.
So the screwing is not done by the advertisers but by the kind of ads and the third party access to data.
Also companies like Google seem to have a very clear stance wrt both, while companies like FB in the past have been pivotal in political landslides, screwed-over level personalized political influencing...
Users are getting screwed by IAB, because IAB does their best to remove that freedom from users.
This is going to be fun.
Not if the consent form looks like this:
[Register] [Accept]
I really hope they also pass at least the part of the DSA where they make terminal signals for opting out of tracking legally binding.
Yes, the logic is frustrating: the big advertising companies have been trying malicious compliance for political reasons. It’s not like they couldn’t build better systems if they were trying to honor the intention of the law.
However, if DNT/GPC (which can signal opt out but not much else) becomes legally binding (as they very well might, with DSA), that'd be a huge win for me personally, because I don't see myself ever consenting, and reading consent dialogs isn't worth my time.
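Two technical points in this thread, that TCF-style pages load tracking scripts before anyone has consented and that a DNT/GPC browser signal could stand in for the dialog entirely, come together in how a site gates its third-party tags. The following is an added example, not code from the thread, from IAB or from any CMP product; the consent record shape, the purpose names and the `source: "user-action"` marker are assumptions for illustration.

```javascript
// Added example: a consent gate for third-party tags. Nothing is injected
// until a positive, per-purpose opt-in that the user actually set; pre-ticked
// defaults and missing records count as "no"; a browser opt-out signal (GPC or
// DNT) overrides any stored consent; withdrawal is a single call.

const PURPOSES = ["analytics", "advertising", "personalisation"];

// Only a record produced by a user action is valid (assumed record shape:
// { source, choices: { purpose: boolean } }). Anything else, including a
// pre-ticked default record, is normalised to no consent for every purpose.
function normaliseConsent(record) {
  const valid = Boolean(record && record.source === "user-action" && record.choices);
  const out = {};
  for (const p of PURPOSES) out[p] = valid && record.choices[p] === true;
  return out;
}

// GPC (navigator.globalPrivacyControl) and DNT (navigator.doNotTrack) are
// opt-out signals a site can honour without showing any dialog.
function optOutSignalled(nav) {
  return Boolean(nav) && (nav.globalPrivacyControl === true || nav.doNotTrack === "1");
}

// Pure decision for one purpose: { action: "load" | "block", reason }.
// Opt-out signals win over stored consent, and unknown purposes never load.
function decide(purpose, record, nav) {
  if (!PURPOSES.includes(purpose)) return { action: "block", reason: "unknown purpose" };
  if (optOutSignalled(nav)) return { action: "block", reason: "browser opt-out signal" };
  if (normaliseConsent(record)[purpose]) return { action: "load", reason: "explicit opt-in" };
  return { action: "block", reason: "no explicit opt-in" };
}

// Injects the script tag only on a "load" decision. Outside a browser there
// is no DOM, so it just returns the decision; that return value is what gets tested.
function loadTag(purpose, src, record, nav) {
  const d = decide(purpose, record, nav);
  if (d.action === "load" && typeof document !== "undefined") {
    const s = document.createElement("script");
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  }
  return d;
}

// Withdrawing must be as easy as consenting: one call sets every purpose to false.
function withdrawAll() {
  return { source: "user-action", choices: Object.fromEntries(PURPOSES.map((p) => [p, false])) };
}

// Constructed sample records (not real data) used by demo() and the tests.
const SAMPLE_PRE_TICKED = {
  source: "default",
  choices: { analytics: true, advertising: true, personalisation: true },
};
const SAMPLE_EXPLICIT = {
  source: "user-action",
  choices: { analytics: true, advertising: false, personalisation: false },
};

function demo() {
  return {
    preTickedAdvertising: decide("advertising", SAMPLE_PRE_TICKED, {}).action, // "block"
    explicitAnalytics: decide("analytics", SAMPLE_EXPLICIT, {}).action, // "load"
    explicitWithGpc: decide("analytics", SAMPLE_EXPLICIT, { globalPrivacyControl: true }).action, // "block"
    afterWithdrawal: decide("analytics", withdrawAll(), {}).action, // "block"
  };
}
```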
As I understand it, GPC is already legally binding in California thanks to CCPA.
I guess the big corporations didn't like it and lobbied for the next-worst thing, the cookie popups, hoping that it would become a big failure.
I love that idea. Something like Apple's nutrition labels but with check boxes next to data uses. However this is only good if it's legally enforceable since there is no API that would prove/verify data is used the way it's been given permission to.