The entire structure of online advertising in Europe is built on a foundation of illegal tracking. That was the ruling last week by the enforcement arm of the GDPR.
On Tuesday, the data protection authorities of the European Union ruled that the "consent pop-ups"—those horrifying notices that ask you incomprehensible questions about accepting cookies every time you go to a website—are illegal. Here's the full story.
Almost five years ago the EU passed something called the GDPR (General Data Protection Regulation) which was aimed at protecting citizens' privacy from the abuses of the data collection industry. The GDPR set certain standards for collecting and using online data, including the activities of online advertisers.
In order to comply with GDPR, advertisers had their trade association, the deceitful and disreputable IAB Europe, come up with a comedy classic called the “Transparency & Consent Framework” (TCF) which they pretended inoculated advertisers from actually complying with GDPR. The TCF is the bogus justification for what became those idiotic consent pop-ups.
This week, the data protection authorities ruled that the TCF is total bullshit and illegal. They ruled that it:
- does not keep personal data secure, as required by GDPR
- does not properly collect personal consent
- has not established a lawfully valid "legitimate interest" in collecting information
- fails to be transparent about what it does with peoples' data
- fails to see to it that data is processed in accord with GDPR guidelines
- fails to respect the GDPR requirement of “data protection by design”
Other than that, it's fucking great.
Kudos to the ICCL (Irish Council for Civil Liberties) for bringing this important case before the EU authorities. And a Nobel Prize for something to Dr. Johnny Ryan who relentlessly pursues personal privacy rights on behalf of all of us. You can watch Dr. Johnny talk to news broadcasters about this ruling here.
The next question is, what will this mean to the adtech industry? As we know, historically the adtech industry just sticks up its middle finger at regulators and does whatever the hell it wants. The regulators think they run things but their pathetic ineptitude and timidity has allowed the adtech industry to run roughshod over them and the public since the day GDPR was enacted.
One consequence of this ruling is that Google and everyone else in the online ad industry are required to burn all the data they've collected illegally. Google will comply with that when refrigerators fly.
The IAB Europe now has six months to correct the gross illegality of its TCF nonsense. What will it do? My guess, it will come up with some new horseshit that will take years to litigate while the adtech industry goes merrily along screwing the public. As usual, I hope I'm wrong.
The adtech industry, in particular Google and Amazon, have far too much money to give a flying shit about the chump change fines that regulators hand out for their criminal activities. To them it's just a cost of doing business. Facebook doesn't even bother to abide by TCF—they answer to no one.
Nothing will change until someone goes to jail.
The local angle
The irony in all this is that just as the IAB in the US is about to spam the world with its version of TCF, the EU regulators put a bullet in it.
In the US there are no laws against anything.The closest thing we have to regulation in the corrupt online ad industry is something called the CCPA (California Consumer Protection Act.) It is based largely on the GDPR and as far as anyone can tell has never protected anyone from anything (it will be replaced next year by another bowl of alphabet soup called the CPRA.)
The IAB in the US has taken the IAB Europe's illegal TCF formula and applied it as their bogus compliance with CCPA. They've also convinced the clowns, con men, and collaborators in the ANA, 4As, and big brands to implement the now discredited TCF under a new bullshit name, "Global Privacy Platform." Yeah, right.
Big picture: The arrogance of the tech and marketing industries in the US is so immense that the actions of regulators mean close to nothing. What is the most likely effect the ruling this week will have on data abuse in the U.S.? Counting backwards, what comes after zero?
Have I mentioned that nothing will change until someone goes to jail?
Dancing in the dark
The dance being done by regulators and the adtech industry is nothing more than performance art. The regulators sue, the crooks pay a little fine, and everybody goes back to business as usual.
There is no one in the world with a functioning brain who doesn't understand that the tracking-based adtech industry is a criminal racket of epic proportions. It is a giant worldwide scam—organized crime at a global scale involving virtually every major corporation, pretty sounding trade organizations, and the entire advertising, marketing, and online media industries. Even the IAB is on record as telling the European Commission that programmatic buying based on real-time bidding is "incompatible with consent under GDPR."
But too many people are making too much money. Nothing will change until someone... oh, never mind.
Bob Hoffman is the author of several best-selling books about advertising, a popular international speaker on advertising and marketing, and the creator of 'The Ad Contrarian' newsletter, where this first appeared, and blog. Earlier in his career he was CEO of two independent agencies and the US operation of an international agency.