In a damning verdict, the Belgian Data Protection Authority ruled the illegality of IAB cookie consent banners. Also known as Transparency and Consent Framework, the system lacks security, transparency, and disregards our choices by abusively claiming a “legitimate interest” in turning our No to online surveillance into a Yes.
If the Belgian Authority already sent a “warning shot” in November 2020, their decision looks more like an ultimatum. The Belgian decision was issued under the GDPR consistency mechanism and is supported by 21 EU data protection authorities. This leaves the adtech industry with no place left to hide: the IAB will have to drop their endless line of denials, deceits, and face the harsh reality in front of them. They were given a few months to completely redesign their adtech system and solve what are seen as radical and fundamental failures to comply with the GDPR.
This ruling comes as a result of the Adtech RTB complaint that was lodged in the UK and Ireland by Jim Killock from the Open Rights Group, Micheal Veale from UCL and Johnny Ryan now at the Irish Council for Civil Liberties. It feels bittersweet to compare the success of our EU adtech coalition partners against the failed approach that the Information Commissioner’s Office and the UK Government have taken in this field.
Indeed, the ICO resisted calls to enforce the law against the IAB and the adtech industry, despite issuing an update Report in 2019 that largely anticipated what the Belgian DPA have