We are now in the process of making the Cloudflare Zaraz Consent Management Platform "compliant" with the IAB demands. It's mandatory in order to run Google Ads in Europe.
Their demands are completely countering privacy and will only make our CMP more hostile towards users and less privacy oriented. It's ridiculous. But they have this alignment with Google and so you have to do what they say.
Well, I guess hurry up with that alignment before the IAB is forced to scrap the entire system:
> On 2 February 2022 the Belgian Data Protection Authority, in agreement with 27 other EU data protection authorities, ruled that the [IAB controlled] “TCF” consent spam system is illegal.
I tend to think these kinds of things don't happen so fast, unfortunately. But if they do, I'd be full of joy to be making the PR that removes all that code.
It's been a while since I was reading through the specs so I could be wrong, but as far as I remember, you kinda had to "collect" the consent status server-side, which feels wrong (because sometimes there wasn't consent), and third-party vendors would get the full consent status even if it's irrelevant for them.
You could start by removing all tracking code from your site and code sharing with 3rd parties.
Boom, compliant (in that part) and not even a need for a consent form in the first place.
Then you may add a feature to track and share with 3rds, but opt in. Then you need the consent but can get it in a privacy-friendly way.
Oh, but you "cannot" do this because the ads won't work and you'll lose profit? What you don't seem to realise is that this decision is already made for you by the EU: with GDPR the EU made the decision that privacy is more important than your profit. You just have to face facts and stop trying to figure out a way around it. Yes, that means rethinking business models, but I would wager that had people known fully how they were tracked and profiled, they would not have done business with you in the first place; thus your ad/tracking-based business model was only valid through deception.
I honestly have no idea what you're talking about, which tracking code you want me to remove and in which of my websites you saw ads. I was never part of a company that had an ad/tracking-based business model, and in fact all my work in Zaraz is around making third-party online more transparent and permissions based so that scripts don't just run uncontrollably and that it would be possible to completely block their access to cookies, network etc. Your comment looks like you just came up with a fantasy story and replied to it instead... I mean, me losing profit because my ads won't work? what?
> "IAB Europe has sought to evade its responsibility for this charade. But the European Court of Justice has set it straight. This decision will not only end the biggest spam operation in history. It will deal a mortal wound to the online tracking-based advertising industry.”
If this turns out to be true it would be huge. But I'm (as always) skeptical of GDPR-related de facto enforcement, let's hope I'm wrong this time.
Note that "Google, Amazon, Microsoft, TikTok, and hundreds of other tracking-based online advertising companies rely on IAB Europe’s consent system, which Europe’s data protection authorities have already found to be in violation of the GDPR following our complaint."
If your "poor third-party ad networks who would think of them" cannot operate without dark patterns, abuse of cookie popups and malicious non-compliance, good riddance
> IAB Europe argued that it is not responsible under the GDPR as a “data controller” because it allegedly only sets the rules for how data should be used, but does not process the data itself. The Court rightly rejected this, and confirmed that IAB Europe, as management body for the TCF, is a “data controller” under the GDPR.
IAB stands for Interactive Advertising Bureau Europe [0]
I must be missing something here, what arguments could IAB Europe reasonably use to say they're not a controller?
Article 4 from the GDPR:
> ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Seems so obvious that they're a controller by that definition (specifically a "joint controller" according to Article 26). Even if "only sets the rules for how data should be used" were true, that would put them inside the definition, so even by their own admission they are a controller?
The IAB does not actually receive any personal data from anyone. It's pretty much a standards body who write specs for how consent can be granted, and how that consent is transmitted. It's all open, there are no secrets about how this operates.
So, it appears that anyone/company who writes a spec around data that may be considered PII is now a Data Controller.
If it is essential to their business, people can and will try to convince themselves and other people of just about anything, regardless of how ridiculous the arguments are.
I dug out the original ruling and skimmed the last part of it. I have probably misunderstood a bunch, it's very long.
But my tl;dr as I understand it is that IAB provides a Transparency Consent Framework[2] to its users, which includes cookie popups.
They lost a case where they argued they don't have any responsibility (to the degree that they didn't even have a Data Privacy Officer or done a Data Privacy Impact Assessment) for providing the IAB compliance popups. These popups were used by others in order to gain "consent" to do real-time bidding ads (and probably other things); it might be that they also provided some level of RTB.
They lost, and the court said they are jointly responsible and need to fix a long list of things and pay 250k euro.
IAB then appealed and the appeals court deferred it to the ECJ, who has now said that yes, they do have a joint responsibility.
So as I understand it, this is sadly not the death-blow to valid or invalid consent popups. But at least it might improve the UX on them.
Just to clarify... the IAB does not provide cookie popups. It does however provide a spec [0] for how these are supposed to operate. Website publishers then choose which popup vendor to use.
> On 2 February 2022 the Belgian Data Protection Authority, in agreement with 27 other EU data protection authorities, ruled that the [IAB controlled] “TCF” consent spam system is illegal.[3] This decision meant that the entire online advertising had unlawfully processed the data of everyone in Europe for years.
> However, this was appealed at the Brussels Markets Court. [...]
> The Brussels Markets Court can now proceed to rule on the matter with certainty that IAB Europe is indeed responsible, and that the data concerned are protected by the GDPR.
"This Microsoft page you need to visit to download your file shares your PII, linked to your mandatory personal account, with 728 partners! We don't want you to know and certainly not to tell you, but the law forces us to."
You see that, and your problem is not "why do they need PII to let me do anything", nor "why are they giving my data to others", nor "why to SO MANY others", nor "why do they not want to tell me"; no, your problem is that they tell you. By describing the problem as "the law that forces them" instead of "sharing so much with so many", you are saying that of the two solutions available to fix that, you would prefer that they not tell you, instead of just not doing this mass sharing of PII anymore.
These banners are not what the law said had to happen. These banners are the mass-sharing companies' malicious compliance, to get users to complain about the protection the law gives them instead of complaining about the original abuse that triggered it.
They're doing it this way because, as you show, it does work, people buy it and eat it.
The European Commission’s own website uses cookie consent banners. It seems disingenuous to call every single cookie banner malicious compliance when even the EU’s own committees are so confused by the law that they feel they need to use one too. The law is poorly written.
And they're collecting data about you without your knowledge or consent, with no mechanism for you to discover they hold data about you, or a mechanism to insist they correct or remove it.
I hate the system as it is —the "do not track" header should mean something— but I'll take a disclaimer, an explanation of how they plan to use my data, and an opt-out over the Wild West.
They're catching up but it'll be a while. The Federal HIPAAGLBACOPPAFERPABBQ are all pretty toothless, and even the golden child, California's CCPA, is a series of compromises that doesn't accomplish that much.
You go to a coffee shop. The first time you mention you want Ethiopian blend blah blah. Next morning the barista confirms you want Ethiopian blend before you even mention it. The morning after that there's no talking needed on top of "Good morning".
Coffee supplier now tells the barista he should promote some coffee and he gets paid for doing it + sales percentage.
The barista next morning promotes some bags of Ethiopian blend to you to increase the conversion rate.
Replace said barista with a website.
You did not consent to anything and I'm not aware of any laws related to this.
Yeah it's a 60Hz country, it affects perceived vehicle and pedestrian/animal movement too - everything's noticeably a bit smoother to the eye, it takes a while to get used to it.
The first time I went there I spent about half the day in the park tossing frisbees to dogs just to marvel at how smoothly everything seemed to move.
I use Firefox, uBlock Origin and the annoyances filters. The internet feels just as smooth.
I visited the US and it took me a few months to stop receiving spam from businesses I interacted with. There were ads at the petrol pumps and in the bathrooms and basically everywhere else. There was little concept of consent wrt advertising and data collection, something I've come to take for granted.
It wasn't as bad as I make it, but it shows how our priorities might differ.
Named complainants include the estimable Dr. Johnny Ryan, doing God’s work again.
“People across Europe have been plagued by fake “consent” popups every day on almost every website and app since the GDPR was introduced almost six years ago”, said Dr Johnny Ryan of ICCL Enforce.
Not true at all, the USA is beginning to care about it too, with foreign companies (TikTok) gaining traction in the American market. Up until now, these tech giants were all American and therefore under American control in American jurisdiction. For the EU, it was always the case that the dominant tech giants were foreign, only setting up shops in the EU for tax purposes. Besides the EU, other countries have protections in place too.
> Not true at all, the USA is beginning to care about it too, with foreign companies (TikTok) gaining traction in the American market
I'm not sure banning foreign competitors counts as "caring about internet privacy". Has there been anything lately to actually protect internet privacy in the US?
The US government's interest in TikTok is mostly a question of national security, not privacy.
If they wanted to fight for privacy, they wouldn't have to go to China to find egregious mishandling of personal data. There are plenty of examples well within their borders.
> Not true at all, the USA is beginning to care about it too, with foreign companies (TikTok) gaining traction in the American market.
You can't seriously believe this. It's quite obvious that the TikTok debacle is mostly a protectionist measure for Facebook & Google who are looking to get their money's worth for their lobby.
> Utah, Connecticut, Virginia and Colorado have Internet privacy laws
No plans for a US federal regulation here? Wouldn't that save a lot of money and headache for everyone, if instead of complying with 50 different regulations you had one?
More and more countries are following the EU's lead. For example, Vietnam's PDPD is similar to GDPR (stricter in some ways) and is coming into force on July 1st:
However, I guess we won't talk much about Vietnam's new law on the English speaking web, whether it's successful or not. Purely because we don't talk or hear much of anything about Vietnam's internal policies on the English speaking web. While we will continue to discuss every tiny detail about the GDPR.
You may not know, but China has also adopted pretty elaborate privacy laws called Personal Information Protection Law(PIPL) which is pretty close to GDPR.
Good for China, but since they have CCP people in every group to report on people, neighbors in every community whose job it is to report on people, do things like WeChat dropping messages containing unwanted content, censor people's postings, I'm skeptical how much privacy people are really getting. Sure, maybe BigCo can't build a profile on you, but I'd much rather have BigCo know everything about me than the State. Especially when the State is totalitarian.
Yes, that is true and underappreciated
> Really hard to see a future for third party ad networks
For now, what are biggest programmatic exchanges still going? I have been out of the loop for a while
[0] https://www.eesc.europa.eu/en/policies/policy-areas/enterpri...
"Is responsible for the consent popups"... ok. What happens now?
[1] https://web.archive.org/web/20240109014435/https://www.gegev... [2] https://iabeurope.eu/transparency-consent-framework/
[0] https://github.com/InteractiveAdvertisingBureau/GDPR-Transpa...
https://commission.europa.eu/index_en
Hence the 29.97 FPS for TV ...
(I wish I was kidding, though it is not such a common occurrence)
Grateful to have him onside
Canada has its own version of TCF.
There are loads, and loads more are coming.
https://blog.didomi.io/vietnam-data-privacy-law-pdpd-everyth...
Because large legislation by the EU like the GDPR and DMA has the the Brussels effect.
https://en.wikipedia.org/wiki/Brussels_effect