Formal GDPR complaint against IAB Europe’s “cookie wall” and GDPR consent guidance.
A formal complaint has been filed with the Irish Data Protection Commission against IAB Europe, the tracking industry’s primary lobbying organization.
Dublin, Ireland, 3 April 2019 — a formal complaint has been filed with the Irish Data Protection Commission against IAB Europe, the tracking industry’s primary lobbying organization.
Tracking and cookie walls
Visitors to IAB Europe’s website, www.iabeurope.eu, are confronted with a “cookie wall” that forces them to accept tracking by Google, Facebook, and others, which may then monitor them. Dr. Ryan has complained to the Irish Data Protection Commission that this is a breach of the GDPR, which protects people in Europe from being forced to accept processing for their data for any purpose other than the provision of the requested service.
“One should not be forced to accept web-wide profiling by unknown companies as a condition of access to a website”, said Dr Johnny Ryan of Brave. “This would be like Facebook preventing you from accessing the Newsfeed until you have clicked a button permitting it to share your data with Cambridge Analytica.”
Simon McGarr of McGarr Solicitors, who has worked on data protection cases for Digital Rights Ireland, represents Dr Ryan in his complaint. Mr McGarr said “Where companies rely on consent to process people’s data it is critical that this is more than a box ticking exercise. For consent to be valid, it must be freely given, informed, specific and unambiguous. There’s nothing intrinsically good or bad in cookie technology – what matters is ensuring it’s applied in a way which respects individuals’ rights.”
Challenging IAB Europe’s industry guidance on the GDPR
The complaint to the Irish Data Protection Commission will also test IAB Europe’s GDPR guidance to the online advertising industry. IAB Europe has put itself forward as a primary designer of the online tracking industry’s data protection notices. It has told major media organizations, tracking companies, and advertising technology companies that they can sidestep the GDPR, and rely instead on the ePrivacy Directive, which IAB Europe has interpreted as more lax in protecting personal data.
IAB Europe has widely promoted the notion that access to a website or app can be made conditional on consent for data processing that is not necessary for the requested service to be delivered, despite the clear requirements of the GDPR, and statements from several national data protection authorities, that say otherwise.
“This complaint will make it plain that the media and advertising industry should not rely on IAB Europe for GDPR guidance”, said Dr Ryan.
Excerpts from the complaint:
Paragraph 3 sets out three causes for concern.
…Dr Ryan’s personal data was unlawfully processed by IAB Europe as a result of the IAB Europe cookie wall on its website.
ii. IAB Europe has provided inadequate information about what is being consented to, what data will be processed for which purpose, and how data rights can be exercised. No consent based on the ‘cookie notice’ provided can meet the requirement for ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes’
iii. IAB Europe has put itself forward as the primary designer of the online advertising industry’s data protection notices, and has widely promoted the notion that access to content can be made conditional on consent for data processing that is not necessary for the requested service to be delivered. This makes our client’s complaint one of both a systemic, as well as personal, nature.
Paragraph 6 sets out what the Data Protection Commission is requested to do:
i. Issue a formal decision in response to our client’s complaint.
ii. To invoke its powers under Article 58 of the GDPR to order IAB Europe to cease processing any personal data collected or obtained, and in all instances where IAB Europe relies on the complained-of cookie wall consent to give colour of law to such processing.
iii. If required, to seek mutual assistance under Article 60 et al of the GDPR from the DPA of IAB Europe’s jurisdiction of establishment, Belgium.
iv. Open a systemic investigation of the compatibility of IAB Europe’s guidance on the issue of cookie walls with EU Data Protection laws.
Paragraph 12 sets out further problems in IAB Europe’s approach to consent
IAB Europe does not provide information about what data are collected for what purpose, and what legal basis is relied on for that purpose. IAB Europe’s policy notice says “we may rely on one or more of the following legal bases, depending on the circumstances”. It is therefore not possible to for a visitor to the website to know what legal basis is used for what purpose. Nor does IAB Europe provide information about which data are collected for what specific purpose.
- Screenshot of IAB Europe cookie wall
- Screenshot of text shown when a person clicks “more info” on IAB Europe cookie wall