Online ad group fined for system violating EU privacy rules

3 Feb 2022

Image: © rustamank/

A consent pop-up tool used on websites was found to be in violation of GDPR.

Belgium’s data protection authority has slammed a €250,000 fine on IAB Europe, an online advertising group whose system is used by companies such as Google and Amazon, for violating EU privacy rules.

In a decision published yesterday (2 February), the Belgian watchdog said IAB’s ad-targeting tool is in breach of GDPR for how it collects and processes personal data.

IAB Europe has been asked to delete data illegally collected by this tool and has also been given two months to suggest a series of remedies to comply with EU law.

The ruling stemmed from a complaint coordinated by the Irish Council for Civil Liberties (ICCL). The ICCL raised concerns about IAB Europe’s Transparency and Consent Framework (TCF) and the real-time bidding system OpenRTB.

TCF is the system for consent pop-ups that is used on an estimated 80pc of websites in Europe, according to ICCL. The OpenRTB tool then facilitates real-time bidding, the process where user data is bought and sold by online advertisers.

The ICCL has regularly criticised the online advertising industry’s practices, and specifically real-time bidding, over data privacy issues.

‘Consent spam’

The Belgian data protection authority found that TCF infringes GDPR by failing to ensure personal data is kept secure and confidential and that consent is properly requested. It also called out the system for lack of transparency around what happen to users’ data.

“Users of a website or an application participating in the TCF are not given sufficient information about the categories of personal data collected about them, nor are they able to determine in advance the scope and consequences of the processing,” the watchdog said.

“The information given to users is too general to reflect the specific processing of each vendor, which also prevents the granularity — and therefore the validity — of the consent received for the processing carried out using the OpenRTB protocol.”

The authority added that IAB Europe “was aware of risks linked to non-compliance” with TCF and it found the organisation to be “negligent” in establishing the measures governing the implementation of TCF.

“[TCF] supports a system posing great risks to the fundamental rights and freedoms of the data subjects, in particular in view of the large scale of personal data involved, the profiling activities, the prediction of behaviour, and the ensuing surveillance of data subjects,” it noted.

Dr Johnny Ryan, senior fellow at ICCL, said the decision followed “a long battle”.

“[It] frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies,” he added.

The decision by the Belgian authority was made in agreement with 27 other EU data protection authorities under GDPR’s one-stop-shop mechanism.

Companies such as Google have come under increased scrutiny in Europe over ad tracking and data collection policies.

Last week, the search giant proposed a new interest-based advertising system to replace third-party cookies and give users “meaningful transparency and control over data”, in a move that is seen to be a balancing act between privacy concerns with the demands of the ad industry.

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Vish Gain is a journalist with Silicon Republic