IAB Europe, TCF and NOYB’s War On Cookie Banners
This week’s guest editor for the IAB Europe blog is IAB Europe’s Legal Director, Filip Sedefov. At IAB Europe, Filip is the subject matter lead for privacy & data protection, overseeing the GDPR legal compliance programme, including the Transparency & Consent Framework (TCF). Filip shares his views on the cookie banner complaints sweeping Europe. He examines the arguments put forward by NOYB and discusses the TCF’s value as a GDPR and ePrivacy compliance tool that can help combat future complaints.
This week, the consumer organisation NOYB, led by Max Schrems, announced that it has sent out over 500 draft GDPR complaints to European organisations, aimed at ending the “cookie banner terror” in the EU. NOYB is targeting companies which it says deliberately make it hard to opt out of tracking cookies. According to NOYB, a total of 560 draft complaints across 33 countries have already been issued, and organisations have been notified of NOYB’s intention to submit formal complaints to the competent data protection authorities (DPAs) where they do not take steps to remedy the alleged compliance failures. NOYB claims it will issue a total of over 10,000 similar complaints by the end of the year.
Most of the complaints appear to target European digital publishers that deploy Consent Management Platforms (CMPs) on their properties in order to comply with essential ePrivacy and GDPR transparency and user choice requirements. Although IAB Europe does not have access to the complaints themselves, it appears that the arguments put forward by NOYB centre on a failure by data controllers to obtain valid user consent through the use of cookie banners that allegedly lack reject options, make use of so-called dark patterns to manipulate the user into consenting, or prevent the user from easily withdrawing consent.
Cookie banners or notices, implemented on behalf of digital publishers by consent management platforms (CMPs), enable users to express preferences with regard to how their personal data is handled by the website they are visiting. They have become an essential legal tool for publishers and their technology partners to comply with the requirements of the GDPR and the ePrivacy Directive.
IAB Europe’s TCF in the context of the NOYB complaints
IAB Europe is, like NOYB, fully committed to ensuring that user rights are upheld and that organisations within the digital advertising ecosystem are well aware of, and comply with, their data privacy obligations. That is, after all, why IAB Europe’s Transparency and Consent Framework (TCF), which establishes a minimum standard for disclosures and options provided to the user, was created.
In the main, NOYB’s interpretation of the GDPR and the TCF Policies appear to be quite aligned. (A number of the allegations put forward by NOYB are, in fact, points on which the TCF is silent or where it provides flexibility – for example, the use of legitimate interests, the implementation of a “reject all” option, or the colour and contrast of calls to action.) The Framework itself was explicitly designed in a way that sets a high minimum standard for the industry and helps data controllers comply with those requirements that benefit from a significant level of harmonised interpretation. Individual local DPAs may, however, have differing interpretations on specific aspects. Examples include the Danish DPA (Datatilsynet), which requires a “reject all” option in the initial CMP user interface (UI) layer, or the Dutch DPA (Autoriteit Persoonsgegevens), which takes the view that legitimate interests as a legal basis are unavailable for digital advertising purposes. In these cases, organisations should naturally be aware of and implement any such more stringent requirements, as necessary, in addition to their implementation of the TCF.
In light of the above, IAB Europe remains confident in the TCF’s value as a GDPR and ePrivacy compliance tool. NOYB’s scrutiny of compliance with the GDPR should, in fact, benefit publishers who have made the investment of implementing the TCF, since persistent non-compliance by other actors may confer an unfair commercial advantage and damage the image and reputation of the industry. We strongly encourage NOYB to recognise these points of alignment and adjust the focus of its actions accordingly.
What is essential to ensure here is that those organisations that have taken significant steps to, for example, provide users with detailed, accurate and specific information prior to asking for their consent are not reprimanded for complying with their obligations under the law, or deterred from implementing standards that allow them to do so. Similarly, digital publishers should not be chastised for, or prevented from, communicating through their CMP the value exchange that they propose to their users, especially in instances where they depend heavily on advertising to monetise and derive value from their content. Tools like the TCF help standardise the way the information is presented and the controls available to users, in ways that enable users, relatively quickly and over time, to become familiar with how best to digest the information provided and to express their preferences in each instance where they are called upon to do so.
Arguments put forward in the NOYB complaints
There is merit in the approach adopted by NOYB in developing automated tools for auditing CMP compliance, at a time when auditability and accountability at scale in the online context are essential to enable effective enforcement of the GDPR. IAB Europe has itself developed a monitoring and enforcement programme that sanctions instances of non-compliance with the TCF standard by those organisations that have signed up and committed to implementing its requirements. (More information on the IAB Europe CMP Compliance Programme can be found here.)
We encourage NOYB to focus its actions on those organisations whose CMP implementations demonstrate flagrant disregard for users’ right to information and choice and, in particular, on those where existing industry standards that represent a harmonised interpretation of EU law are not implemented, or are implemented incorrectly. In this context, while we note alignment with many of the interpretations put forward in the complaints (as is obvious from the content of the TCF Policies), we would posit that at least some of those arguments reflect interpretations that cannot reasonably be claimed to be applicable throughout the EU. Below, we take a look at some of the points put forward by NOYB (based on its press release).
Reject all option on the first CMP UI layer
While the updated Guidelines on consent from the EDPB explicitly recognise that “layered and granular information can be an appropriate way to deal with the two-fold obligation of being precise and complete on the one hand and understandable on the other” (para. 69), that guidance does not impose any explicit obligation for a “reject” option to be provided to the user in an initial layer in this context. Some guidance from national DPAs, such as the Datatilsynet in Denmark, has set out such an obligation, but the requirement is far from being a unanimously agreed interpretation of GDPR provisions. France’s Commission nationale de l’informatique et des libertés (CNIL), which is often erroneously cited as having made this a hard requirement in its latest Recommendation, in fact only requires it where an “Accept all” option is provided and, in any event, explicitly accepts that there may be other ways of enabling the user to refuse consent (such as closing the CMP interface), as long as the method of achieving this is made sufficiently clear to the user.
Use of legitimate interest as a legal basis under GDPR
In line with the requirements of the ePrivacy Directive, it is clearly illegal under EU law to store and/or access information on the user’s device on the basis of a legitimate interest. As a result, if a user refuses ePrivacy consent, processing under a legitimate interest that requires such device access would be illegal. Conversely, however, where consent for storage and access operations has been granted by the user, or where storage and access is not technically required, there appears to be no valid reason to make the legitimate interest legal basis unavailable to data controllers, if and when the legal requirements for relying on that legal basis under the GDPR (such as conducting a legitimate interest assessment, including a balancing test) have been complied with.
While WP29 and EDPB have noted that it may be “difficult for controllers to justify using legitimate interests as a lawful basis for intrusive profiling and tracking practices for marketing or advertising purposes”, there is, contrary to what is suggested in the NOYB complaints, neither a generalised nor an explicit prohibition on the use of legitimate interest whatsoever, for example where such an interest is adequately justified, or where it does not involve “intrusive profiling and tracking”.
Use of pre-ticked boxes
In the context of gathering consent from the user, the use of pre-ticked options is an undeniable violation of EU law, clearly called out by the EDPB (see para. 79 of the Guidelines on consent) and in CJEU case law (see the ruling in case C-673/17, Planet49). In line with this interpretation, the TCF Policies, for example, explicitly mandate that the default choice be “no consent”, “no opt-in” or “off”. Where CMPs registered for the TCF and operating within its scope fail to implement this, they are in clear breach of the standard’s requirements and of EU law.
Use of dark patterns
The use of dark patterns involving deceptive button contrast, size or colour should obviously be avoided, to ensure that the user is fully aware of, and able to exercise, their rights. While there is no agreed definition of “dark patterns”, the TCF has, in order to fight against such practices, adopted explicit policies that require user options in CMP interfaces to be clearly visible and legible, to have matching text treatment, and to meet a minimum contrast ratio. We firmly believe that where the TCF Policies are complied with in this respect, the requirements of the law are satisfied.
Withdrawal of consent
Article 7(3) GDPR states that “it shall be as easy to withdraw as to give consent”. While surfacing a consent banner or notice every single time a user visits a webpage to remind them of their ability to withdraw consent is synonymous with bad user experience, it is undeniable that users should be reminded of their right to do so at regular intervals and that, in any case, the option to update their preferences, including to withdraw consent, should be available and easily accessible at all times. For example, the TCF contains a requirement that the user be reminded of their rights at least every 13 months, and that an easily accessible link be available to allow them to withdraw their consent as easily as it was to give it, notably by including a call to action for the user to signal such withdrawal.