A couple of years ago, websites started to display cookie banners to visitors. Overnight, nearly every website in the world seemed to prompt you to accept cookies before continuing to read some content. On the one hand, it was annoying, but on the other hand, it meant websites cared about privacy, right? Wrong. Today, the Belgian Data Protection Authority published a draft decision stating that this system, designed by the Interactive Advertising Bureau (IAB) and used by massive companies such as Google, is illegal.
The IAB’s Cookie Consent System
The crux of the problem here is that a massive group, tasked with representing online advertising, developed a system which gave users the impression they had control over their privacy on websites when they really didn’t. All those times you clicked “accept” or “reject” cookies, it didn’t really matter.
The IAB tried to deny that pseudo-anonymous codes attributed to people browsing the web and apps was not “personal data”, making it fall outside of GDPR. They also denied they were a “data controller” under GDPR. They have a vested interest in ensuring the continued tracking of users by way of cookies was retained after GDPR. This is why they developed the cookie system which allowed people to opt in or out of cookies being dropped on their device. But a group of concerned data protection minds were concerned that the system didn’t have publics’ best interest in mind.
The Panoptykon Foundation, Stichting Bits of Freedom, Ligue des Droits Humains, Dr Jef Ausloos, Dr Pierre Dewitte, and Dr Johnny Ryan made up this group who’ve been on a long journey trying to get to the bottom of the problems with the IAB’s cookie consent system. Their work has led to today’s draft decision which states the IAB’s consent system is “misleading”. According to evidence from the Irish Council for Civil Liberties the “IAB Europe knew that conventional tracking-based advertising was ‘incompatible with consent under GDPR’ before it launched the consent system”.thattheir “Transparency and Consent Framework” (TCF), adopted by over 80% of European websites, impacting every user that visited since.
The End Of Cookie Banners
This should be the beginning of the end for cookies banners. Websites are fast learning that many solutions have been selling snake oil as data protection regulators play catch up to issue decisions outlawing dodgy approaches to user data. It pains me how slow moving data protection complaints are. I’ve been stuck with a complaint against the Catholic Church for years, with, along with the IAB complaint, dates back to 2018 and the introduction of GDPR.
Will this be the immediate end of cookie banners? No. But it’s absolutely the beginning of the end.
You’ll be able to follow the draft decision being updated through the the Irish Council for Civil Liberties website.