[HN Gopher] ECJ finds IAB Europe responsible for TCF consent spa...
___________________________________________________________________
ECJ finds IAB Europe responsible for TCF consent spam popups across
the Internet
Author : M2Ys4U
Score : 141 points
Date : 2024-03-07 11:16 UTC (11 hours ago)
(HTM) web link (www.iccl.ie)
(TXT) w3m dump (www.iccl.ie)
| filleokus wrote:
| > "IAB Europe has sought to evade its responsibility for this
| charade. But the European Court of Justice has set it straight.
| This decision will not only end the biggest spam operation in
| history. It will deal a mortal wound to the online tracking-based
| advertising industry."
|
| If this turns out to be true it would be huge. But I'm (as
| always) skeptical of GDPR-related de facto enforcement, let's
| hope I'm wrong this time.
| AJ007 wrote:
| Massive win for Google, Apple, Facebook. Really hard to see a
| future for third party ad networks.
| algo_trader wrote:
| > Massive win for Google, Apple, Facebook.
|
| Yes, that is true and underappreciated
|
| > Really hard to see a future for third party ad networks
|
| For now, what are biggest programmatic exchanges still going?
| I have been out of the loop for a while
| troupo wrote:
| Invalid conclusion stemming from a false premise.
|
| If your "poor third-party ad networks who would think of
| them" cannot operate without dark patterns, abuse of cookie
| popups and malicious non-compliance, good riddance
| kasey_junk wrote:
| You're replying to a comment as if it's suggesting ad
| networks are good. It's not. It's just stating, rightly in
| my opinion, that this is a huge win for those giant tech
| companies.
| p_l wrote:
| Note that Google, Amazon, Microsoft and others are also
| involved in this ruling:
|
| > Google, Amazon, Microsoft, TikTok, and hundreds of other
| tracking-based online advertising companies rely on IAB
| Europe's consent system, which Europe's data protection
| authorities have already found to be in violation of the GDPR
| following our complaint.
| SiempreViernes wrote:
| Note that "Google, Amazon, Microsoft, TikTok, and hundreds of
| other tracking-based online advertising companies rely on IAB
| Europe's consent system, which Europe's data protection
| authorities have already found to be in violation of the GDPR
| following our complaint."
| WesolyKubeczek wrote:
| I think it's more of IAB being the gatekeeper than MS et al
| striking such deals voluntarily.
|
| If you are an online newspaper running ads in EU, you can't
| so much as sneeze without IAB's blessing. They are
| everywhere.
| iamacyborg wrote:
| Google and Facebook are desperately telling credulous idiots
| to send them hashed personal data as if that's not still a
| massive GDPR risk.
| drgo wrote:
| why is it that only the EU seems to care about Internet privacy?
| mrtksn wrote:
| Not true at all, USA begin to care about it too with foreign
| companies(TikTok) gaining traction in the American market. Up
| until now, these tech giants were all American and therefore
| under American control in American jurisdiction. For EU, it was
| always the case that the dominant tech giants were foreign -
| only setting up shops in EU for tax purposes. Besides EU, other
| countries have protections in place too.
| diggan wrote:
| > Not true at all, USA begin to care about it too with
| foreign companies(TikTok) gaining traction in the American
| market
|
| I'm not sure banning foreign competitors count as "caring
| about internet privacy". Has there been anything lately to
| actually protect internet privacy in the US?
| troupo wrote:
| There's California's Consumer Privacy Act:
| https://oag.ca.gov/privacy/ccpa
| sph wrote:
| The US government's interest in TikTok is mostly a question
| of national security, not privacy.
|
| If they wanted to fight for privacy, they wouldn't have to go
| to China to find egregious mishandling of personal data.
| There are plenty of examples well within their borders.
| clawoo wrote:
| > Not true at all, USA begin to care about it too with
| foreign companies(TikTok) gaining traction in the American
| market.
|
| You can't seriously believe this. It's quite obvious that the
| TikTok debacle is mostly a protectionist measure for Facebook
| & Google who are looking to get their money's worth for their
| lobby.
| kkzz99 wrote:
| You may not know, but China has also adopted pretty elaborate
| privacy laws called Personal Information Protection Law(PIPL)
| which is pretty close to GDPR.
| piva00 wrote:
| And Brazil adopted the LGPD back in 2018, it's very similar
| to the GDPR.
| prewett wrote:
| Good for China, but since they have CCP people in every group
| to report on people, neighbors in every community whose job
| it is to report on people, do things like WeChat dropping
| messages containing unwanted content, censor people's
| postings, I'm skeptical how much privacy people are really
| getting. Sure, maybe BigCo can't build a profile on you, but
| I'd much rather have BigCo know everything about me than the
| State. Especially when the State is totalitarian.
| esperent wrote:
| More and more countries are following the EU's lead. For
| example, Vietnam's PDPD is similar to GDPR (stricter in some
| ways) and is coming into force on July 1st:
|
| https://blog.didomi.io/vietnam-data-privacy-law-pdpd-everyth...
|
| However, I guess we won't talk much about Vietnam's new law on
| the English speaking web, whether it's successful or not.
| Purely because we don't talk or hear much of _anything_ about
| Vietnam's internal policies on the English speaking web. While
| we will continue to discuss every tiny detail about the GDPR.
| PlutoIsAPlanet wrote:
| > While we will continue to discuss every tiny detail about
| the GDPR
|
| Because large legislation by the EU like the GDPR and DMA has
| the Brussels effect.
|
| https://en.wikipedia.org/wiki/Brussels_effect
| toyg wrote:
| That's just because the GDPR applies to the richest market on
| Earth (by some metrics), which won't be the case for anything
| regarding Vietnam.
| overstay8930 wrote:
| The only metrics that say that are metrics that are fake,
| the US market is significantly larger than the EU market.
| toyg wrote:
| Call it second-largest, the point still holds.
| Propelloni wrote:
| Why would they be fake? Can't they just be wrong?
| lambersley wrote:
| In Canada, Personal Information Protection and Electronic
| Documents Act (PIPEDA) was updated in 2015 to require user
| consent not unlike GDPR(*)
|
| * https://www.priv.gc.ca/en/privacy-topics/technology/online-p...
| secondcoming wrote:
| California has CCPA, Utah, Connecticut, Virginia and Colorado
| have Internet privacy laws.
|
| Canada has its own version of TCF.
|
| There are loads, and loads more are coming.
| alkonaut wrote:
| > Utah, Connecticut, Virginia and Colorado have Internet
| privacy laws
|
| No plans for a US federal regulation here? Wouldn't that save
| a lot of money and headache for everyone, if instead of
| complying with 50 different regulations you had one?
| secondcoming wrote:
| There is the concept of a 'US National' set of regulations
| too. IANAL, so I don't know if it's a Federal regulation.
|
| It's about to become increasingly tedious to be a website
| operator.
|
| https://github.com/InteractiveAdvertisingBureau/Global-Priva...
| overstay8930 wrote:
| The federal government has a lot less power than a lot of
| people think, there are limits to control over interstate
| commerce and nobody wants Google to be regulated like a
| telephone company.
| tcptomato wrote:
| You should google Wickard v. Filburn. The US Supreme
| Court ruled that the US government can regulate what you
| grow on your own land for your own consumption, because
| it affects inter-state trade.
| laserlight wrote:
| From the article:
|
| > IAB Europe argued that it is not responsible under the GDPR as
| a "data controller" because it allegedly only sets the rules for
| how data should be used, but does not process the data itself.
| The Court rightly rejected this, and confirmed that IAB Europe,
| as management body for the TCF, is a "data controller" under the
| GDPR.
|
| IAB stands for Interactive Advertising Bureau Europe [0]
|
| [0] https://www.eesc.europa.eu/en/policies/policy-areas/enterpri...
| diggan wrote:
| I must be missing something here, what arguments could IAB
| Europe reasonably use to say they're not a controller?
|
| Article 4 from the GDPR:
|
| > 'controller' means the natural or legal person, public
| authority, agency or other body which, alone or jointly with
| others, determines the purposes and means of the processing of
| personal data; where the purposes and means of such processing
| are determined by Union or Member State law, the controller or
| the specific criteria for its nomination may be provided for by
| Union or Member State law;
|
| Seems so obvious that they're a controller by that definition
| (specifically a "Joint Controller" according to Article 26),
| even if "only sets the rules for how data should be used" would
| be true, that would put them inside the definition, so even by
| their own admission, they are a controller?
| yxhuvud wrote:
| If it is essential to their business, people can and will try
| to convince themselves and other people of just about
| anything, regardless of how ridiculous the arguments are.
| toyg wrote:
| "It is difficult to get a man to understand something, when
| his salary depends upon his not understanding it!" - Upton
| Sinclair, 1934.
| secondcoming wrote:
| The IAB does not actually receive any personal data from
| anyone. It's pretty much a standards body who write specs for
| how consent can be granted, and how that consent is
| transmitted. It's all open, there are no secrets about how
| this operates.
|
| So, it appears that anyone/company who writes a spec around
| data that may be considered PII is now a Data Controller.
| troupo wrote:
| It's not "anyone". It's an _association_ of advertising
| companies with hundreds of members. They are literally
| responsible for drafting GDPR-breaking TCF.
|
| Why are you surprised they are held responsible?
| throwaway2562 wrote:
| Named complainants include the estimable Dr. Johnny Ryan, doing
| God's work again.
|
| "People across Europe have been plagued by fake "consent" popups
| every day on almost every website and app since the GDPR was
| introduced almost six years ago", said Dr Johnny Ryan of ICCL
| Enforce.
|
| Grateful to have him onside
| nottorp wrote:
| I don't know about everyone else but I'd like more context.
|
| "Is responsible for the consent popups"... ok. What happens now?
| SiempreViernes wrote:
| > On 2 February 2022 the Belgian Data Protection Authority, in
| agreement with 27 other EU data protection authorities, ruled
| that the [IAB controlled] "TCF" consent spam system is
| illegal.[3] This decision meant that the entire online
| advertising had unlawfully processed the data of everyone in
| Europe for years.
|
| > However, this was appealed at the Brussels Markets Court.
| [...]
|
| > The Brussels Markets Court can now proceed to rule on the
| matter with certainty that IAB Europe is indeed responsible,
| and that the data concerned are protected by the GDPR.
| gnyman wrote:
| I dug out the original ruling and skimmed the last part of it.
| I have probably misunderstood a bunch, it's very long.
|
| But my tl.dr. as I understand it is that IAB provides a
| Transparency Consent Framework[2] to its users, which includes
| popup cookies.
|
| They lost a case where they argued they don't have _any_
| responsibility (to the degree that they didn't even have a
| Data Privacy Officer or had done a Data Privacy Impact
| Assessment) for providing the IAB compliance popups. These
| popups were used by others in order to gain "consent" to do
| real time bidding ads (and probably other things), it might be
| that they also provided some level of RBT.
|
| They lost and the court said they are jointly responsible and
| need to fix a long list of things and pay 250k euro.
|
| IAB then appealed and the appeals court deferred it to the ECJ,
| who has now said that yes they do have a joint responsibility.
|
| So as I understand it, this is sadly not the death-blow to
| valid or invalid consent popups. But at least it might improve
| the UX on them.
|
| [1] https://web.archive.org/web/20240109014435/https://www.gegev...
| [2] https://iabeurope.eu/transparency-consent-framework/
| secondcoming wrote:
| Just to clarify... the IAB does not provide cookie popups. It
| does however provide a spec [0] for how these are supposed to
| operate. Website publishers then choose which popup vendor to
| use.
|
| [0] https://github.com/InteractiveAdvertisingBureau/GDPR-Transpa...
| alkonaut wrote:
| The step we need to take is find one such vendor which
| delivers non compliant popups, find the customers of those
| popups, take the 10 biggest ones and give them a nice big
| fine that's big enough to scare every other business into
| compliance.
| amne wrote:
| I visited US a couple of years ago and to this day I still think
| of how smooth all the websites felt over there.
| oliwarner wrote:
| And they're collecting data about you without your knowledge or
| consent, with no mechanism for you to discover they hold data
| about you, or a mechanism to insist they correct or remove it.
|
| I hate the system as it is --the "do not track" header should
| _mean_ something-- but I'll take a disclaimer, an explanation
| of how they plan to use my data, and an opt-out over the Wild
| West.
|
| They're catching up but it'll be a while. The Federal
| HIPAAGLBACOPPAFERPABBQ are all pretty toothless and even the
| golden child, California's CCPA is a series of compromises that
| doesn't accomplish that much.
| amne wrote:
| You go to a coffee shop. First time you mention you want
| ethiopian blend blah blah. Next morning the barista confirms
| you want ethiopian blend before you even mention it. The
| morning after that there's no talking needed on top of "Good
| morning".
|
| Coffee supplier now tells the barista he should promote some
| coffee and he gets paid for doing it + sales percentage.
|
| The barista next morning promotes some bags of ethiopian
| blend to you to increase the conversion rate.
|
| Replace said barista with a website.
|
| You did not consent to anything and I'm not aware of any laws
| related to this.
| kwhitefoot wrote:
| The barista didn't put your ID in a globally available
| database.
| 15457345234 wrote:
| Yeah it's a 60Hz country, it affects perceived vehicle and
| pedestrian/animal movement too - everything's noticeably a bit
| smoother to the eye, it takes a while to get used to it.
|
| The first time I went there I spent about half the day in the
| park tossing frisbees to dogs just to marvel at how smoothly
| everything seemed to move.
| ifwinterco wrote:
| _Cries in PAL_
| sschueller wrote:
| At least you got a few more lines...
| jjgreen wrote:
| _Yeah it's a 60Hz country_
|
| Hence the 29.97 FPS for TV ...
| jcotton42 wrote:
| Not sure if I'm missing a joke or something but the 29.97
| is from two things.
|
| 1. TV was 60i (interlace), which equates to 30p
| (progressive)
|
| 2. The missing 0.03 frames is due to how color NTSC works
| https://www.youtube.com/watch?v=InrDRGTPqnE
| amne wrote:
| I love it. :)))
| nolok wrote:
| "This Microsoft page you need to visit to download your file
| share your PII linked to your mandatory personal account to 728
| partners ! We don't want you to know and certainly not to tell
| you, but the law forces us to"
|
| You see that, and your problem is not "why do they need PII to
| let me do anything", nor "why are they giving my data to
| others", nor "why to SO MANY others", nor "why do they not want
| to tell me", no your problem is that they tell you. By
| describing the problem as "the law that force them" instead of
| "sharing so much with so many", you are saying of the two
| solutions available to fix that, you would prefer that they not
| tell you, instead of just not doing this mass sharing of PII
| anymore.
|
| These banners are not what the law said had to happen. These
| banners are the mass sharing companies malicious compliance to
| get users to complain about the protection the law gives them
| instead of complaining about the original abuse that triggered
| it.
|
| They're doing it this way because, as you show, it does work,
| people buy it and eat it.
| zokier wrote:
| GitHub solved the cookie banner question the right way
| https://github.blog/2020-12-17-no-cookie-for-you/
| Aachen wrote:
| The long and short of their solution:
|
| > removed all non-essential cookies
|
| It helps not to have built a business fully dependent on
| third party ads
|
| Edit: related, perhaps also interesting to an international
| audience
|
| Tweakers in the Netherlands recently announced a return of
| tracking cookies after switching to context-based
| advertising a few years ago. The reason given was that
| advertisers simply don't have tools to work with this,
| they'd need to implement custom software to both deploy
| banners to Tweakers specifically and then also to measure
| banners' effectiveness (like by appending
| ?utm_source=banner7271 to the URL). None of this is rocket
| science, but if you can publish on thousands of websites
| with one click and Tweakers requires talking to your
| software development team first... they were losing out.
| Ad-free subscriptions were and are available by the way,
| but people aren't buying them enough (not even the tenth
| part) to get rid of ads altogether. Github apparently does
| have that luxury
| raverbashing wrote:
| I mean, if your phone or browser doesn't catch fire from all
| the popups and js ads. And the newsletter popups
|
| (I wish I was kidding, though it is not such a common
| occurrence)
| yoavm wrote:
| We are now in the process of making the Cloudflare Zaraz Consent
| Management Platform "compliant" with the IAB demands. It's
| mandatory in order to run Google Ads in Europe.
|
| Their demands are completely countering privacy and will only
| make our CMP more hostile towards users and less privacy
| oriented. It's ridiculous. But they have this alignment with
| Google and so you have to do what they say.
| SiempreViernes wrote:
| Well, I guess hurry up with that alignment before the IAB is
| forced to scrap the entire system:
|
| > On 2 February 2022 the Belgian Data Protection Authority, in
| agreement with 27 other EU data protection authorities, ruled
| that the [IAB controlled] "TCF" consent spam system is illegal.
| yoavm wrote:
| I tend to think these kind of things don't happen so fast,
| unfortunately. But if they are, I'd be full with joy to be
| making the PR that removes all that code.
| secondcoming wrote:
| What demands affect privacy?
| yoavm wrote:
| It's been a while since I was reading through the specs so I
| could be wrong, but as far as I remember, you kinda had to
| "collect" the consent status server-side, which feels wrong
| (because sometimes there wasn't consent), and third-party
| vendors would get the full consent status even if it's
| irrelevant for them.
| troupo wrote:
| Sounds like an attempt at fingerprinting (like DNT was used
| for fingerprinting)
| sam_lowry_ wrote:
| Zaraz? Good name for a product. Kudos.
| yoavm wrote:
| Thank you! The name was there prior to the acquisition but
| Cloudflare were cool enough to let us keep it.
___________________________________________________________________
(page generated 2024-03-07 23:01 UTC)