Hacker News
ECJ finds IAB Europe responsible for TCF consent spam popups across the Internet (iccl.ie)
152 points by M2Ys4U on March 7, 2024 | 73 comments


We are now in the process of making the Cloudflare Zaraz Consent Management Platform "compliant" with the IAB demands. It's mandatory in order to run Google Ads in Europe.

Their demands are completely countering privacy and will only make our CMP more hostile towards users and less privacy oriented. It's ridiculous. But they have this alignment with Google and so you have to do what they say.


Well, I guess hurry up with that alignment before the IAB is forced to scrap the entire system:

> On 2 February 2022 the Belgian Data Protection Authority, in agreement with 27 other EU data protection authorities, ruled that the [IAB controlled] “TCF” consent spam system is illegal.


I tend to think these kinds of things don't happen so fast, unfortunately. But if they are, I'd be full of joy to be making the PR that removes all that code.


Zaraz? Good name for a product. Kudos.


Thank you! The name was there prior to the acquisition but Cloudflare were cool enough to let us keep it.


What demands affect privacy?


It's been a while since I was reading through the specs so I could be wrong, but as far as I remember, you kinda had to "collect" the consent status server-side, which feels wrong (because sometimes there wasn't consent), and third-party vendors would get the full consent status even if it's irrelevant for them.


Sounds like an attempt at fingerprinting (like DNT was used for fingerprinting)


That is complete BS.

You could start by removing all tracking code from your site and code sharing with 3rd parties.

Boom, compliant (in that part) and not even a need for a consent form in the first place.

Then you may add a feature to track and share with 3rds, but opt in. Then you need the consent but can get it in a privacy friendly way.

Oh, but you “cannot” do this because the ads won’t work and you’ll lose profit? What you don't seem to realise is that this decision is already made for you by the EU: with GDPR the EU made the decision that privacy is more important than your profit. You just have to face facts and stop trying to figure a way around it. Yes that means rethinking business models, but I would wager that had people known fully how they were tracked and profiled, they would not have done business with you in the first place, thus your ad/tracking based business model was only valid through deception.


I honestly have no idea what you're talking about, which tracking code you want me to remove and in which of my websites you saw ads. I was never part of a company that had an ad/tracking-based business model, and in fact all my work in Zaraz is around making third-party online more transparent and permissions based so that scripts don't just run uncontrollably and that it would be possible to completely block their access to cookies, network etc. Your comment looks like you just came up with a fantasy story and replied to it instead... I mean, me losing profit because my ads won't work? what?


Yep, the thing you wrote about IAB made me think Zaraz did something it doesn't. My bad. My comment was intended for people writing (and using) those horrible consent dialogs. Edit: why you need to care about demands from IAB I don't know, but you probably have a reason


> "IAB Europe has sought to evade its responsibility for this charade. But the European Court of Justice has set it straight. This decision will not only end the biggest spam operation in history. It will deal a mortal wound to the online tracking-based advertising industry.”

If this turns out to be true it would be huge. But I'm (as always) skeptical of GDPR-related de facto enforcement, let's hope I'm wrong this time.


Massive win for Google, Apple, Facebook. Really hard to see a future for third party ad networks.


Note that "Google, Amazon, Microsoft, TikTok, and hundreds of other tracking-based online advertising companies rely on IAB Europe’s consent system, which Europe’s data protection authorities have already found to be in violation of the GDPR following our complaint."


I think it’s more of IAB being the gatekeeper than MS et al striking such deals voluntarily.

If you are an online newspaper running ads in EU, you can’t so much as sneeze without IAB’s blessing. They are everywhere.


> Massive win for Google, Apple, Facebook.

Yes, that is true and underappreciated

> Really hard to see a future for third party ad networks

For now, what are the biggest programmatic exchanges still going? I have been out of the loop for a while


Invalid conclusion stemming from a false premise.

If your "poor third-party ad networks who would think of them" cannot operate without dark patterns, abuse of cookie popups and malicious non-compliance, good riddance


You’re replying to a comment as if it’s suggesting ad networks are good. It’s not. It’s just stating, rightly in my opinion, that this is a huge win for those giant tech companies.


Note that Google, Amazon, Microsoft and others are also involved in this ruling:

  Google, Amazon, Microsoft, TikTok, and hundreds of other tracking-based online 
  advertising companies rely on IAB Europe’s consent system, which Europe’s data 
  protection authorities have already found to be in violation of the GDPR 
  following our complaint.


Google and Facebook are desperately telling credulous idiots to send them hashed personal data as if that’s not still a massive GDPR risk.


From the article:

> IAB Europe argued that it is not responsible under the GDPR as a “data controller” because it allegedly only sets the rules for how data should be used, but does not process the data itself. The Court rightly rejected this, and confirmed that IAB Europe, as management body for the TCF, is a “data controller” under the GDPR.

IAB stands for Interactive Advertising Bureau Europe [0]

[0] https://www.eesc.europa.eu/en/policies/policy-areas/enterpri...


I must be missing something here, what arguments could IAB Europe reasonably use to say they're not a controller?

Article 4 from the GDPR:

> ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Seems so obvious that they're a controller by that definition (specifically a "Joint Controller" according to Article 26), even if "only sets the rules for how data should be used" would be true, that would put them inside the definition, so even by their own admission, they are a controller?


The IAB does not actually receive any personal data from anyone. It's pretty much a standards body who write specs for how consent can be granted, and how that consent is transmitted. It's all open, there are no secrets about how this operates.

So, it appears that anyone/company who writes a spec around data that may be considered PII is now a Data Controller.


It's not "anyone". It's an association of advertising companies with hundreds of members. They are literally responsible for drafting GDPR-breaking TCF.

Why are you surprised they are held responsible?


If it is essential to their business, people can and will try to convince themselves and other people of just about anything, regardless of how ridiculous the arguments are.


"It is difficult to get a man to understand something, when his salary depends upon his not understanding it!" - Upton Sinclair, 1934.


I don't know about everyone else but I'd like more context.

"Is responsible for the consent popups"... ok. What happens now?


I dug out the original ruling and skimmed the last part of it. I have probably misunderstood a bunch, it's very long.

But my tl;dr as I understand it is that IAB provides a Transparency Consent Framework[2] to its users, which includes popup cookies.

They lost a case where they argued they don't have any responsibility (to the degree that they didn't even have a Data Privacy Officer or had done a Data Privacy Impact Assessment) for providing the IAB compliance popups. These popups were used by others in order to gain "consent" to do real time bidding ads (and probably other things), it might be that they also provided some level of RTB.

They lost and the court said they are jointly responsible and need to fix a long list of things and pay 250k euro.

IAB then appealed and the appeals court deferred it to the ECJ, who has now said that yes they do have a joint responsibility.

So as I understand it, this is sadly not the death-blow to valid or invalid consent popups. But at least it might improve the UX on them.

[1] https://web.archive.org/web/20240109014435/https://www.gegev...

[2] https://iabeurope.eu/transparency-consent-framework/


Just to clarify... the IAB does not provide cookie popups. It does however provide a spec [0] for how these are supposed to operate. Website publishers then choose which popup vendor to use.

[0] https://github.com/InteractiveAdvertisingBureau/GDPR-Transpa...


The step we need to take is find one such vendor which delivers non compliant popups, find the customers of those popups, take the 10 biggest ones and give them a nice big fine that's big enough to scare every other business into compliance.


If you (or anyone reading it) include yourself in that "we", you can help with taking that step by writing and/or donating to the nonprofits that are driving these cases. Like the ICCL that posted this article, or e.g. noyb (https://noyb.eu/).


> On 2 February 2022 the Belgian Data Protection Authority, in agreement with 27 other EU data protection authorities, ruled that the [IAB controlled] “TCF” consent spam system is illegal.[3] This decision meant that the entire online advertising had unlawfully processed the data of everyone in Europe for years.

> However, this was appealed at the Brussels Markets Court. [...]

> The Brussels Markets Court can now proceed to rule on the matter with certainty that IAB Europe is indeed responsible, and that the data concerned are protected by the GDPR.


I visited US a couple of years ago and to this day I still think of how smooth all the websites felt over there.


"This Microsoft page you need to visit to download your file share your PII linked to your mandatory personal account to 728 partners ! We don't want you to know and certainly not to tell you, but the law forces us to"

You see that, and your problem is not "why do they need PII to let me do anything", nor "why are they giving my data to others", nor "why to SO MANY others", nor "why do they not want to tell me", no, your problem is that they tell you. By describing the problem as "the law that forces them" instead of "sharing so much with so many", you are saying that of the two solutions available to fix that, you would prefer that they not tell you, instead of just not doing this mass sharing of PII anymore.

These banners are not what the law said had to happen. These banners are the mass sharing companies' malicious compliance to get users to complain about the protection the law gives them instead of complaining about the original abuse that triggered it.

They're doing it this way because, as you show, it does work, people buy it and eat it.


GitHub solved the cookie banner question the right way https://github.blog/2020-12-17-no-cookie-for-you/


The long and short of their solution:

> removed all non-essential cookies

It helps not to have built a business fully dependent on third party ads

Edit: related, perhaps also interesting to an international audience

Tweakers in the Netherlands recently announced a return of tracking cookies after switching to context-based advertising a few years ago. The reason given was that advertisers simply don't have tools to work with this, they'd need to implement custom software to both deploy banners to Tweakers specifically and then also to measure banners' effectiveness (like by appending ?utm_source=banner7271 to the URL). None of this is rocket science, but if you can publish on thousands of websites with one click and Tweakers requires talking to your software development team first... they were losing out. Ad-free subscriptions were and are available by the way, but people aren't buying them enough (not even the tenth part) to get rid of ads altogether. GitHub apparently does have that luxury


The European Commission’s own website uses cookie consent banners. It seems disingenuous to call every single cookie banner malicious compliance when even the EU’s own committees are so confused by the law that they feel they need to use one too. The law is poorly written.

https://commission.europa.eu/index_en


And they're collecting data about you without your knowledge or consent, with no mechanism for you to discover they hold data about you, or a mechanism to insist they correct or remove it.

I hate the system as it is —the "do not track" header should mean something— but I'll take a disclaimer, an explanation of how they plan to use my data, and an opt-out over the Wild West.

They're catching up but it'll be a while. The Federal HIPAAGLBACOPPAFERPABBQ are all pretty toothless and even the golden child, California's CCPA, is a series of compromises that doesn't accomplish that much.


You go to a coffee shop. First time you mention you want Ethiopian blend blah blah. Next morning the barista confirms you want Ethiopian blend before you even mention it. The morning after that there's no talking needed on top of "Good morning".

Coffee supplier now tells the barista he should promote some coffee and he gets paid for doing it + sales percentage.

The barista next morning promotes some bags of Ethiopian blend to you to increase the conversion rate.

Replace said barista with a website.

You did not consent to anything and I'm not aware of any laws related to this.


The barista didn't put your ID in a globally available database.


Yeah it's a 60Hz country, it affects perceived vehicle and pedestrian/animal movement too - everything's noticeably a bit smoother to the eye, it takes a while to get used to it.

The first time I went there I spent about half the day in the park tossing frisbees to dogs just to marvel at how smoothly everything seemed to move.


Yeah it's a 60Hz country

Hence the 29.97 FPS for TV ...


Not sure if I'm missing a joke or something but the 29.97 is from two things.

1. TV was 60i (interlace), which equates to 30p (progressive)

2. The missing 0.03 frames is due to how color NTSC works https://www.youtube.com/watch?v=InrDRGTPqnE


Not really a joke, more PTSD having worked in this space for a few years. "29.97" is what everyone calls it, but the value is exactly 30000/1001 which cannot be represented as a floating point number, so you have to use rational arithmetic when dealing with framerates and timestamps on video (if you care about accuracy), ... and don't get me started on drop-frames, oy!
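The rational-arithmetic point in the comment above, as an added example that is not part of the thread: keeping the NTSC rate as an exact Python Fraction maps frame indices to and from the 90 kHz MPEG-TS timestamp clock without any rounding (3003 ticks per frame), while accumulating 1/29.97 per frame drifts by roughly a tenth of a frame over an hour. The 90 kHz clock is the real MPEG-TS PTS/DTS rate; the helper names are mine.

```python
from fractions import Fraction

# NTSC frame rate is exactly 30000/1001 fps; "29.97" is only a nickname.
NTSC_FPS = Fraction(30000, 1001)
FRAME_DURATION = 1 / NTSC_FPS           # exactly 1001/30000 s
MPEG_TS_CLOCK = 90000                   # MPEG-TS PTS/DTS tick rate (90 kHz)
TICKS_PER_FRAME = FRAME_DURATION * MPEG_TS_CLOCK   # Fraction(3003, 1), an integer


def frame_to_pts(frame_index: int) -> int:
    """Exact 90 kHz timestamp of frame N: every NTSC frame is 3003 ticks long."""
    ticks = frame_index * TICKS_PER_FRAME
    # Rational arithmetic guarantees this is an integer; no float ever appears.
    return int(ticks)


def pts_to_frame(pts: int) -> int:
    """Inverse mapping; rejects a PTS that is not on an NTSC frame boundary."""
    frames = Fraction(pts, MPEG_TS_CLOCK) * NTSC_FPS
    if frames.denominator != 1:
        raise ValueError(f"pts {pts} is not a whole NTSC frame")
    return int(frames)


def accumulated_error_seconds(n_frames: int) -> float:
    """Drift between a float accumulator adding 1/29.97 per frame
    and the exact rational total n * 1001/30000 s."""
    approx = 0.0
    for _ in range(n_frames):
        approx += 1 / 29.97
    exact = n_frames * FRAME_DURATION
    return abs(approx - float(exact))


if __name__ == "__main__":
    one_hour = int(3600 * NTSC_FPS)     # 107892 whole frames in an hour
    print("ticks per frame:", TICKS_PER_FRAME)
    print("PTS of last frame in hour:", frame_to_pts(one_hour))
    print("drift after one hour (s):", accumulated_error_seconds(one_hour))
```

The drift is dominated by 29.97 being the wrong number rather than by float rounding; after about nine hours the two clocks disagree by a whole frame.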


I love it. :)))


Cries in PAL


At least you got a few more lines...


I use Firefox, uBlock Origin and the annoyances filters. The internet feels just as smooth.

I visited the US and it took me a few months to stop receiving spam from businesses I interacted with. There were ads at the petrol pumps and in the bathrooms and basically everywhere else. There was little concept of consent wrt advertising and data collection, something I've come to take for granted.

It wasn't as bad as I make it, but it shows how our priorities might differ.


I mean, if your phone or browser doesn't catch fire from all the popups and js ads. And the newsletter popups

(I wish I was kidding, though it is not such a common occurrence)


Named complainants include the estimable Dr. Johnny Ryan, doing God’s work again.

“People across Europe have been plagued by fake “consent” popups every day on almost every website and app since the GDPR was introduced almost six years ago”, said Dr Johnny Ryan of ICCL Enforce.

Grateful to have him onside


why is it that only the EU seems to care about Internet privacy?


Not true at all, USA begin to care about it too with foreign companies(TikTok) gaining traction in the American market. Up until now, these tech giants were all American and therefore under American control in American jurisdiction. For EU, it was always the case that the dominant tech giants were foreign - only setting up shops in EU for tax purposes. Besides EU, other countries have protections in place too.


> Not true at all, USA begin to care about it too with foreign companies(TikTok) gaining traction in the American market

I'm not sure banning foreign competitors counts as "caring about internet privacy". Has there been anything lately to actually protect internet privacy in the US?


There's California's Consumer Privacy Act: https://oag.ca.gov/privacy/ccpa


The US government's interest in TikTok is mostly a question of national security, not privacy.

If they wanted to fight for privacy, they wouldn't have to go to China to find egregious mishandling of personal data. There are plenty of examples well within their borders.


> Not true at all, USA begin to care about it too with foreign companies(TikTok) gaining traction in the American market.

You can't seriously believe this. It's quite obvious that the TikTok debacle is mostly a protectionist measure for Facebook & Google who are looking to get their money's worth for their lobby.


California has CCPA; Utah, Connecticut, Virginia and Colorado have Internet privacy laws.

Canada has its own version of TCF.

There are loads, and loads more are coming.


> Utah, Connecticut, Virginia and Colorado have Internet privacy laws

No plans for a US federal regulation here? Wouldn't that save a lot of money and headache for everyone, if instead of complying with 50 different regulations you had one?


The federal government has a lot less power than a lot of people think, there are limits to control over interstate commerce and nobody wants Google to be regulated like a telephone company.


You should google Wickard v. Filburn. The US Supreme Court ruled that the US government can regulate what you grow on your own land for your own consumption, because it affects inter-state trade.


There is the concept of a 'US National' set of regulations too. IANAL, so I don't know if it's a Federal regulation.

It's about to become increasingly tedious to be a website operator.

https://github.com/InteractiveAdvertisingBureau/Global-Priva...


More and more countries are following the EU's lead. For example, Vietnam's PDPD is similar to GDPR (stricter in some ways) and is coming into force on July 1st:

https://blog.didomi.io/vietnam-data-privacy-law-pdpd-everyth...

However, I guess we won't talk much about Vietnam's new law on the English speaking web, whether it's successful or not. Purely because we don't talk or hear much of anything about Vietnam's internal policies on the English speaking web. While we will continue to discuss every tiny detail about the GDPR.


> While we will continue to discuss every tiny detail about the GDPR

Because large legislation by the EU like the GDPR and DMA has the the Brussels effect.

https://en.wikipedia.org/wiki/Brussels_effect


That's just because the GDPR applies to the richest market on Earth (by some metrics), which won't be the case for anything regarding Vietnam.


The only metrics that say that are metrics that are fake, the US market is significantly larger than the EU market.


Why would they be fake? Can't they just be wrong?


Call it second-largest, the point still holds.


In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) was updated in 2015 to require user consent not unlike GDPR

https://www.priv.gc.ca/en/privacy-topics/technology/online-p...


You may not know, but China has also adopted pretty elaborate privacy laws called the Personal Information Protection Law (PIPL) which is pretty close to GDPR.


Good for China, but since they have CCP people in every group to report on people, neighbors in every community whose job it is to report on people, do things like WeChat dropping messages containing unwanted content, censor people's postings, I'm skeptical how much privacy people are really getting. Sure, maybe BigCo can't build a profile on you, but I'd much rather have BigCo know everything about me than the State. Especially when the State is totalitarian.


> I'd much rather have BigCo know everything about me than the State

Sure, for the state to snoop on you, especially in the USA, they’re supposed to need judicial oversight and approval, which is arguably a better system, than having the state snooping on you without any oversight.

Is this still meaningful in a world where BigCo is snooping on you, and then able to sell that information to the state without any oversight?

Is there a point where BigCo should be treated as a part of the state, that’s just being funded partially by your tax dollars?

Is there a meaningful difference between the state building a snooping infrastructure itself, or outsourcing that to a private contractor who provides Snooping as a Service?


Yeah they also burn witches and stone adulterers. And some other sh*t.

It's amazing how those in the west worry more about a country that has no power over them instead of the psychos who can kidnap, torture or disappear them at whim.

https://www.washingtonpost.com/news/monkey-cage/wp/2017/03/1...


And Brazil adopted the LGPD back in 2018, it's very similar to the GDPR.



