The Belgian DPA fined IAB Europe because the information provided to data subjects was too generic and incomplete regarding the processing of their data or their right to object to it.
The Belgian DPA has found that the Interactive Advertising Bureau Europe (IAB Europe) did not meet its transparency obligations under Articles 12, 13, and 14 of the GDPR. The DPA found that the information provided to users through IAB Europe's Transparency and Consent Framework (TCF) was too generic and did not enable them to give specific and informed consent, which is required for consent to be considered valid. Additionally, the large number of adtech vendors that could potentially receive users' personal data further complicated the matter, making it difficult for users to be fully informed and for IAB Europe to comply with its transparency and information obligations under the GDPR. To address these issues, the DPA has required TCF-registered Consent Management Platforms (CMPs) to take a harmonised and GDPR-compliant approach to providing information to users through their interface. This includes ensuring that any information provided about data processing is precise, concise, and understandable to prevent users from being surprised by subsequent processing of their personal data by parties other than publishers or IAB Europe.
The Interactive Advertising Bureau Europe has been fined €250,000 by the Belgian DPA for several GDPR violations, including not complying with transparency and information obligations and failing to implement appropriate measures to ensure personal data security. Additionally, the company did not keep records of processing activities, conduct a DPIA, or designate a DPO. The DPA has set a deadline of 6 months after the validation of an action plan for the company to implement the necessary measures.
Johnny Ryan, Pierre Dewitte, Jeff Ausloos, La Ligue des Droits de l'Homme, Bits of Freedom & Katarzyna Szymielewicz (complainants) and IAB Europe
Related deceptive patterns
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Specifies required information for data subjects when collecting personal data from other sources, including controller identity, processing purposes, personal data categories, recipients, and retention period.