Online pop-up consent system is illegal: EU regulators
Last updated on: 04 February,2022 09:30 am
The APD ordered all data gathered under the system to be deleted.
PARIS (AFP) - Industry-standard website pop-ups asking for consent for advertisers to gather data are illegal, European regulators ruled on Wednesday, a decision that could have seismic implications for websites across the continent.
Advertising industry body IAB Europe had developed the system to help its members remain within the boundaries of the EU’s sweeping 2018 regulation on data privacy.
But Belgium’s data authority, APD, said the system fell foul of the law on several fronts, in a ruling already approved by regulators across Europe.
The APD ordered all data gathered under the system to be deleted, fined IAB 250,000 euros ($280,000) and ordered it to formulate a plan within two months to rectify the problems.
IAB said in a statement they "look forward to working with the APD on an action plan" to ensure its system can continue.
But the trade body said the ruling was incorrect in its assertion that IAB was "controller" of the data -- a designation that makes it responsible for establishing oversight of data processing.
"We are considering all options with respect to a legal challenge," IAB said.
The pop-ups have become a ubiquitous presence on the web since the EU passed its GDPR regulation.
The law forced websites to ask for permission to gather and store data, with IAB’s system relying heavily on the idea of "legitimate interest" -- a part of the GDPR that allows companies to process data in a way the user would expect.
But the Belgian regulator said IAB’s use of data did not meet the "legitimate interest" test.
"People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day in order to expose them to personalised ads," said the APD’s Hielke Hijmans.
The Irish Council for Civil Liberties, one of the organisations behind the case, said the IAB’s system was on "80 percent of the European internet".
The Council said more than 1,000 companies would now have to delete data -- including firms like Google, Microsoft and Amazon.