
Widely Used Online Opt-in Ad Framework Provider Violates EU Privacy Laws

Belgium and 27 other members of the EU have fined a major advertising industry clearinghouse 250,000 Euros for violating the GDPR.  The Interactive Advertising Bureau, in response to the roll-out of the GDPR in 2018, came up with an industry-wide framework to manage GDPR-compliant user consent/opt-in to online ads that is used on sites across the EU. The framework manages user consents and matches those consents with online ad buys. It was meant to help member companies (advertisers) achieve GDPR compliance, by processing and storing user choices in a centralized manner accessible to the industry, so that a user could opt in to advertising once and multiple advertisers could rely on that choice.

In mid-February, the IAB was found to be a "data controller" under the GDPR. This means that the data regulators involved have determined that IAB has direct responsibilities for the data that pass through its framework; it cannot claim merely to be a back-end service provider ("processor" in GDPR parlance) that is simply following directions from its customers.  

The decision comes at a time when privacy in advertising is set for big changes online: Google is planning to do away with third-party cookies in advertising on its platforms, which allow user tracking and personalized ad serving; and Google Analytics has come under fire for GDPR violations in recent weeks as well.  

Why This Matters

The decision sends a very strong signal both about online advertising -- that it is meant to carry the same privacy protections as any other transaction -- and about the role of service providers and processors online. Agencies and advertisers that have opted in to the IAB framework for their EU ad business should ensure that their use of the framework continues to meet GDPR requirements regarding the user data passing through the framework.

Furthermore, the decision reinforces a growing trend in both the EU and the US: consumer privacy is no longer the sole responsibility of B2C companies. Back-end services are increasingly regulated, and increasingly subject to penalties for noncompliance. B2B companies should be aware of this trend and start to examine their data practices closely.  

On the heels of the recent decision from the Austrian Data Protection Authority that the use of Google Analytics violates the GDPR, and news from other authorities on the topic — including Norway’s DPA, Datatilsynet, advising companies to seek alternatives — Head of Cooley’s European Privacy and Data Protection Practice Patrick Van Eecke said the decision highlights that European data protection authorities are using 2022 to “clean the house.”
