A European privacy regulator has sided against the Interactive Advertising Bureau Europe in a dispute over its “transparency and consent” framework, which aims to offer companies a mechanism to comply with Europe's broad privacy law.
The Belgian Data Protection Authority stated that the transparency and consent framework “fails to comply with a number of provisions” of the General Data Protection Regulation.
The agency fined IAB Europe around $208,000 and gave the organization two months to present a plan to bring the framework into compliance, and another four months to revise the framework.
The transparency and consent framework is intended to serve as a standardized technology for notifying consumers about data collection, obtaining their consent, and informing online ad companies about consumers' decisions.
The Belgian regulator found fault with the framework for several reasons, including that it obtains consent through a pop-up notice that doesn't give people enough information.
“The information provided to users through the [consent management platform] interface is too generic and vague to allow users to understand the nature and scope of the processing,” the agency stated. “Therefore it is difficult for users to maintain control over their personal data.”
The agency also said IAB Europe was itself a “data controller” -- and therefore subject to the same privacy requirements as other data controllers.
“IAB Europe is acting as a data controller with respect to the registration of individual users’ consent signal, objections and preferences by means of a unique Transparency and Consent (TC) String, which is linked to an identifiable user,” the regulator said. “This means that IAB Europe can be held responsible for possible violations of the GDPR.”
The decision, issued Wednesday, stems from numerous complaints by privacy advocates, including the Irish Council for Civil Liberties.
Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, previously called the “transparency and consent” framework “a fake consent system that spammed everyone, every day, and served no purpose other than to give a thin legal cover to the massive data breach in at the heart of online advertising.”
The IAB Europe stated Tuesday that the “purported infringements” are capable of being remedied in six months.
The group added that it rejects the finding that it's a “data controller” and is “considering all options with respect to a legal challenge.”