The GDPR and the IAB: The Recent Ruling and its Key Takeaways

Earlier this year, the Belgian Data Protection Authority found the International Advertising Bureau (IAB) to be in violation of several articles of the European Union’s (EU) General Data Protection Regulation (“GDPR”). The ruling contained several stipulations that are likely to have widespread effects across the online space, especially in digital advertising, both in the US and abroad. This ruling is one of many recent developments signaling that digital advertising as a whole must move in a direction of unequivocal consent. It is becoming increasingly clear that opt-in value exchange models that recognize a user’s choice are the way forward — which is central at Permission.io.

The key issue at stake in the ruling was one of the IAB’s main tools, a cookie consent string system called the Transparency and Consent Framework (TCF). Though cookies are already in the process of being deprecated and are likely to be fully by 2023, they are still largely in use. The TCF was (and still is) widely utilized within the digital advertising space to assist businesses and advertisers with GDPR compliance. The TCF tool signals advertising partners regarding thetracking preferences a person had selected upon being prompted by the site. However, there were internal flaws in the TCF’s methodology. The IAB claimed the tool and its methods were compliantdue to a “legitimate interest” exception within GDPRt. This was found not to be the case.

There were several key findings in the ruling. First, legitimate interest could not be considered an adequate legal basis for data processing under the IAB’s TCF. Second, the IAB’s privacy policy was neither understandable nor transparent enough. This also meant the consent received was not valid since it was not “sufficiently free, specific, informed, and unambiguous.” This is especially important for businesses to note, so that they may examine the type of consent they are receiving and how it can be classified. Furthermore, the IAB had claimed to be a data processor — a body which processes data on behalf of a data controller, as opposed to being a data controller themselves. A data controller is a body that determines the purposes of the data which it handles and the means of processing it. Yet, the IAB was found to be classified as a joint controller, which led to responsibilities that it should have upheld, such as conducting sufficient compliance monitoring amongst its clients. In the same vein, the IAB did not keep a register of its processing operations. And, finally, the IAB did not sufficiently cooperate with investigations or appoint a data protection officer.

So what can businesses who believe themselves compliant (or who may now have concerns) do given this new information? First, businesses should be extra diligent in the clarity of their external documentation and communications, such as privacy policies and cookie consent banners. They should also keep well-maintained records of their data processing operations and any efforts they have made to that end.

Most importantly, the linchpin of the issue is the concept of consent and its manifestation in the online environment. People still feel as though they have no choice but to give their consent to data processors, receiving nothing in exchange but exploitation. Their consent, as the Belgian Data Protection Authority noted, is insufficiently free and unambiguous. This leads to the natural assumption that the best model to utilize within advertising is unequivocal consent — outright permission.

A valid and innovative way to achieve such consent is through opt-in value exchange. After Apple released iOS 14.5, for example, Flurry found that 96% of users opted out when prompted near lunch, and around 62% of users opt out regularly now. That being said, research found that 79% of consumers may be willing to share their personal and preference data for a reward, meaning that the number of opt-outs would decrease to manageable levels. Consumers may accept more concrete compensation in return for not opting out. In fact, 75% of consumers say they want to be rewarded for engagement beyond making purchases.

Opt-in value exchange rewards can come in many different forms. One potential option for businesses looking to advance theirWeb3strategy is to offer cryptocurrency rewards, as interest in cryptocurrency continues to grow across all generations. Companies seeking this option can run their advertising campaigns with Permission.io’s crypto-rewards platform and obtain consent from users to engage and share their data in exchange for a tokenized reward. By running permission-based, rewarded campaigns, companies can motivate action in a compliant way and at the same time build engaged audiences with users who are truly interested in receiving their content. By incorporating opt-in value exchange strategies, companies can obtain meaningful consent and get ahead of the major changes that will inevitably result from this ruling, the full aftereffects of which are greatly anticipated.