European regulators have dealt a blow to one of the digital ad industry’s most vocal advocates, the Interactive Advertising Bureau, declaring that its privacy measures which are meant to safeguard consumer data don’t pass legal muster. The ruling out of Europe on Friday was a significant rebuttal of practices set up by IAB Europe and threatens to undermine the way digital advertising is conducted, not only overseas but in the U.S., according to industry watchers.
The EU regulators said they “found serious GDPR infringements in the system Google and others use to legitimize online tracking,” according to the announcement of findings against the IAB.
Later Friday, IAB Europe CEO Townsend Feehan responded in a blog post that characterized the ruling as a “preliminary” view with “no binding effect.” IAB Europe disputed the findings. “We respectfully disagree with the APD’s apparent interpretation of the law,” Feehan’s post said. (APD is the Belgian data protection authority.)
“If upheld, the APD’s interpretation would have a chilling effect on the development of open-source compliance standards that serve to support industry players and protect consumers,” the post said.
The decision calls into question the IAB’s ability to design frameworks for internet advertising that satisfy the regulators enforcing recent laws like the EU’s General Data Protection Regulation, which was implemented in 2018. The U.S. has seen similar laws emerge, like the California Consumer Privacy Act. The new laws are trying to establish clearer rules about the types of data that companies can collect, and make companies get consent from consumers to use that data.
Consumers have seen the changes, especially on websites, where they see more notices from companies requesting permission to track their online behavior. The EU’s ruling found that the IAB’s solution for getting permission, which was widely adopted, including by Google, does not meet legal standards.