Time to say goodbye to ‘I consent’ cookie pop-ups?

Belgian data protection authority close to ruling on the tracking consent device

The consent device, where cookies and other third party tracking are explained to online consumers, is the brainchild of IAB Europe, the association for digital marketing and advertising. Photograph: iStock
The consent device, where cookies and other third party tracking are explained to online consumers, is the brainchild of IAB Europe, the association for digital marketing and advertising. Photograph: iStock

Almost every internet user contends with them but the current form of “I consent” cookie pop-ups may be approaching their last clicks.

On Friday, the Irish Council for Civil Liberties (ICCL) welcomed a pending move by the Belgian data protection authority to find the method in breach of the law.

The consent device, where cookies and other third party tracking are explained to online consumers, is the brainchild of IAB Europe, the association for digital marketing and advertising.

While it believes it has time and scope to remedy whatever problems emerge in the final ruling, ICCL alleges the system facilitates the “biggest data breach ever recorded”.

READ SOME MORE

"IAB is spinning this as if there is a solution. There isn't," its data rights expert Johnny Ryan told The Irish Times.

IAB issued a statement on Friday saying it was informed by the APD, Belgium’s data protection authority, that it was close to finalising a draft ruling on the use of its Transparency and Consent Framework (TCF).

IAB describes the TCF as the only consent solution “built by the industry for the industry” to ensure digital advertising stays in compliance with GDPR (General Data Protection Regulation) rules introduced in 2018. As well as cookies, this includes the storage and use of advertising and device identifiers, and other tracking technologies.

Shared

The draft ruling, according to IAB, is expected to be shared with other European data protection authorities in the next two to three weeks, although Belgium is the lead body. Following that, a final ruling may be issued or the matter could be referred to the European Data Protection Board for a binding decision.

“The draft ruling will apparently identify infringements of the GDPR by IAB Europe, but it will also find that those infringements should be capable of being remedied within six months following the issuing of the final ruling, in a process that would involve the APD overseeing the execution of an agreed action plan by IAB Europe,” the company said.

While sources in the online advertising sector stress the process is at a very early stage, the ICCL believes the writing is on the wall for the pop-up option screens.

“IAB Europe designed the misleading ‘consent’ pop-ups that feature on almost all European websites and apps,” it said. “These pop-ups purport to give people control over how their data are used by the online advertising industry. But in fact, it does not matter what people click.”

The ICCL believes that because the tracking-based advert system – called Real-Time Bidding – broadcasts internet users’ behaviour and real-world locations to thousands of companies, billions of times a day, the obligated protection of data is rendered impossible.

Mark Hilliard

Mark Hilliard

Mark Hilliard is a reporter with The Irish Times