Belgian Data Protection Authority says online advertising violates European privacy laws

A crucial part of the mechanism in which online advertising is sold and displayed on the Internet in the European Union violates European privacy laws, according to the Belgian Data Protection Authority (DPA).

A new report conducted in response to multiple complaints shows that this mechanism, called the Transparency and Consent Framework (TCF), fails to comply with a number of provisions of the EU’s General Data Protection Regulation (GDPR).

The complaints began in 2019 and are directed against IAB Europe, the European-level association for the digital marketing and advertising ecosystem who developed the framework.

“When users visit a website, or use an app that contains an advertising space, technology companies representing thousands of advertisers can bid behind the scenes in real time for that advertising space through an automated auction system using algorithms, in order to display targeted advertising specifically tailored to that individual's profile,” the Belgian DPA explained. 

On the user’s end, the part of this process they see is usually a pop-up window asking them which cookies they would like to consent to, and whether or not they’d like to see advertisements customised to their interests based on which cookies they’ve shared with other websites and companies in the past.

“The processing of personal data (eg capturing user preferences) under the current version of the TCF is incompatible with the GDPR, due to an inherent breach of the principle of fairness and lawfulness,” said Hielke Hijmans, Chairman of the Litigation Chamber of the Belgian DPA.

“People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day in order to expose them to personalised ads. Order must be restored in the TCF system so that users can regain control over their data.”

‘Vague’ and ‘generic’ explanations are a violation of transparency

The Belgian DPA’s investigation found that contrary to IAB Europe’s claims, they’re “acting as a data controller with respect to the registration of individual users’ consent signal,” accessing information linked to an identifiable user and therefore possibly violating the GDPR. 

Concerns were also raised about the transparency of the mechanism. “The information provided to users through the CMP interface is too generic and vague to allow users to understand the nature and scope of the processing, especially given the complexity of the TCF,” the report found. 

“Therefore it is difficult for users to maintain control over their personal data… The TCF may lead to a loss of control of their personal information by large groups of citizens.”

The Belgian DPA has imposed a €250,000 fine to IAB Europe, and is giving it two months to present an action plan that would bring its activities into compliance with European privacy laws. 

“Brave little Belgium has once again shown that it is not afraid to tackle major cases such as this one, which really concerns all European citizens that shop, work or play online,” said David Stevens, Chairman of the Belgian DPA.

“Online privacy and the fight against too intrusive forms of advertising is an important priority for us.”