EU cracks down on online ad tracking, FTC warns against data exploitation, and UK mulls "consent or pay" privacy model

By Robert Bateman and Privado.ai

In this week’s Privacy Corner Newsletter:

  • The CJEU rules on digital ads and the Transparency and Consent Framework.
  • The FTC makes some very strong statements about data collection and sharing.
  • The ICO opens a consultation on “consent or pay”.
  • What we’re reading: Recommended privacy content for the week.



CJEU delivers major digital advertising ruling on the IAB’s Transparency and Consent Framework

The Court of Justice of the European Union (CJEU) has delivered a landmark judgment on the Interactive Advertising Bureau Europe’s (IAB) Transparency and Consent Framework 2.0 (TCF), used by thousands of publishers to deliver targeted ads.

  • The IAB developed the TCF as a framework to help publishers, Consent Management Platforms (CMPs), and adtech vendors to comply with the GDPR when delivering targeted ads via the Real-Time Bidding (RTB) process.
  • In February 2022, after a complaint by campaigner Johnny Ryan and others, the Belgian Data Protection Authority (DPA) found that the TCF was incompatible with the GDPR and that the IAB was partly responsible for certain personal data collected under the framework.
  • Following a reference from the Belgian Court of Appeal, the CJEU largely agreed with the DPA’s decision, holding that the IAB is a “joint controller” that processes personal data about millions of people’s consent preferences.

⇒ Explain the background to this case like I’m five.

When you visit certain websites and click “I agree” on a cookie banner, various companies bid on the opportunity to present you with ads via a process called “Real Time Bidding” (RTB). 

These companies base their bid on information about who you are, gathered via cookies and similar technologies.

This long-running dispute between Johnny Ryan and the IAB involves some seriously complicated technical and legal issues. But here are the basics (they are, admittedly, not comprehensible to most five-year-olds):

  • IAB Europe (we’ll use “the IAB” as a shorthand) calls itself “the European-level association for the digital marketing and advertising ecosystem”.
  • The IAB announced the TCF in 2017 as a voluntary framework to “enable websites, advertisers, and their ad technology” to provide notice and obtain consent for RTB activities in line with the GDPR. 
  • A second version of the TCF was released in 2019, and TCF v2.2 was released in 2023.
  • The majority of ad publishers and CMPs (who provide cookie banners) have implemented the TCF, along with adtech vendors facilitating the RTB process behind the scenes.
  • These various advertising players deal with information about people’s inferred preferences, including what sorts of things they like and what kinds of people they might be.
  • TCF participants also exchange information about whether (and to what extent) individuals have consented to these activities via a very important code known as the “TC String”.

⇒ Why is this “TC String” so important?

The IAB’s opponents claimed the TC String is personal data under the GDPR. 

The IAB said it wasn’t.

The Belgian DPA found that the TC String was personal data if combined with other information used to identify individuals—and found that because the IAB could access such information, it was a controller.

The DPA also found that the IAB was a joint controller with publishers, CMPs, and vendors in certain contexts. This was because the IAB set rules that affected how these organizations obtained consent for collecting personal data.

Finally, the DPA found that the IAB was a joint controller for personal data later processed in the RTB ecosystem.

This decision heaped many new legal obligations and responsibilities onto the IAB that the IAB did not want. So, the IAB appealed the Belgian DPA’s decision, leading to Thursday’s CJEU judgment.

⇒ What did the CJEU decide?

The CJEU largely agreed with the Belgian DPA:

  • A TC String is personal data from the perspective of the IAB when linkable to other identifiers.
  • Where the IAB sets technical specifications and rules around how TCF participants process consent-related data, it is a joint controller.
  • But—the IAB is not automatically a joint controller for the further processing of personal data in the RTB ecosystem.

With that last point, the CJEU gives a narrower view of the IAB’s responsibilities than the Belgian DPA. Generally speaking, the IAB is not liable for what other parties do outside of the TCF’s rules, even if the personal data was collected pursuant to the TCF.

⇒ Will this case change how digital advertising works?

Not directly—although this is a highly significant ruling, the case now returns to the Belgian appeal court, which will apply the CJEU’s findings against the IAB. 

After the Belgian DPA decided its complaint, the IAB released v2.2 of the TCF. But this new framework arguably does not resolve all the issues with the previous version and could face fresh challenges.

Essentially, the walls are closing further in on the messy world of online advertising—and actors at every stage of the process are grappling with the implications.


Federal Trade Commission: ‘Browsing and location data are sensitive data. Full stop.’

The US Federal Trade Commission (FTC) has published a blog post exploring recent enforcement activities and giving a strict interpretation of the law.

  • The FTC’s blog post examines three recent enforcement actions against X-Mode, InMarket, and Avast.
  • The agency outlines its rigorous approach to privacy enforcement, warning businesses against invasive business models and marketing practices.
  • The post includes some frank statements from the FTC, including, “Browsing and location data are sensitive. Full stop.”

⇒ What are the lessons for privacy professionals in the FTC’s blog post?

After exploring its recent enforcement activities, the FTC provides the following three takeaways:

  1. “Browsing and location data are sensitive. Full stop.”
  2. Companies don’t have a “free license to market, sell, and monetize people’s information” beyond what is necessary to “provide their requested product or service.”
  3. Businesses should not allow “incentives”, the ability to “match data to particular people”, or their “bottom line” to outstrip privacy safeguards.

⇒ Does the FTC actually have a legal basis for making these assertions?

The agency’s approach to privacy enforcement is undoubtedly bold. 

The FTC Act does not explicitly identify browser or location data—or any other types of data—as “sensitive”. The FTC asserts this based on its interpretation of the law—perhaps reasonably, given what such information can reveal about people.

The agency justifies its views on privacy protections with reference to three recent enforcement actions, against InMarket, X-Mode, and Avast.

⇒ What happened in those cases?

X-Mode and InMarket are both “data aggregators”. The FTC found that both companies sold location data without appropriate notice or consent, sometimes revealing consumers’ visits to sensitive locations.

Avast is an antivirus company. The FTC found that Avast collected data about its users’ browsing activities and sold the data in an identifiable form—while allegedly misleading consumers about its activities.

We’ve covered the X-Mode and Avast cases in previous editions of the Privacy Corner. But what’s most important is how the FTC applies them more broadly. So be sure to read the agency’s blog post in full (naturally after reading this newsletter).


UK data protection regulator seeks your views on ‘consent or pay’

The UK’s Information Commissioner’s Office (ICO) has issued a “call for views” on “consent or pay business models” that sets out the regulator’s “emerging thinking” on the topic.

  • The ICO published a joint white paper with the Competition and Markets Authority (CMA) last year, strictly interpreting “dark patterns” in cookie banners and other online mechanisms.
  • Last November, the regulator wrote to 53 of the UK’s top 100 websites asking them to change their cookie banners. On 31 January, the ICO reported that 38 companies had since made the required changes.
  • The call for views comes following Meta’s switch to a “consent or pay” policy across the European Economic Area (EEA). The ICO appears open to the validity of this controversial business model under the GDPR.

⇒ Didn’t the ICO recently say you need a “reject all” button on the first layer of every cookie banner?

Yes. After being inactive on cookie enforcement since the invention of cookies, the ICO confirmed a rather strict interpretation of how the GDPR’s consent requirements relate to the ePrivacy Directive’s rules on cookies and similar technologies.

In its letter to major UK websites, the regulator makes clear that it will only accept cookie banners that make rejecting cookies as easy as accepting cookies.

⇒ Is that possible under a “consent or pay” system?

It is hard to square some of the ICO’s statements around cookie consent. For example, the ICO says:

  • Online services must offer “a free choice about whether to receive personalized ads”.
  • Cookie banners should not “deny access to a service unless users consent to personalized ads”.
  • Consent must be “capable of being withdrawn without detriment”.
  • “In principle, data protection law does not prohibit business models that involve ‘consent or pay’”.

Negotiating the legal and business conflicts in this area is challenging. However, it seems unlikely that a consent-or-pay process would be compatible with the ICO’s strict interpretation of the GDPR’s consent definition.

The ICO’s consultation closes on April 17, 2024—have your say here.


What We’re Reading
