IAB Europe suspends consent management firms as global privacy authorities signal tougher action

Website publishers and brands often promise the data they gather from people to build audience profiles and target ads is “consent-based,” but global data protection authorities say that consent is rarely meaningful. Meanwhile, the digital ad industry’s top trade group in Europe has already quietly launched its own crackdown on misleading approaches to gathering consent for tracking.

Data privacy was was on the agenda when data protection authorities of the G7 member countries — Canada, France, Germany, Italy, Japan, the U.K. and the U.S. — met in early September, and issued a dispatch that included a tough assessment of the way most websites get people to agree to tracking. 

Meaningful consent is frequently not obtained.
– G7 data protection authorities

“Meaningful consent is frequently not obtained,” they wrote in the September 9 communique, noting that “cookie walls” requiring people to agree to tracking to access content are misleading and complex. The privacy regulators said that when tracking notices feature design elements often referred to as “dark patterns” which can “trick users into providing consent,” they only reinforce the lack of control people have over their data. 

Some believe cookie tracking and data collection notices that highlight choices to accept cookies with more prominent or brightly colored buttons while obscuring options to reject tracking are using dark patterns.

The G7 representatives said they want something done about misleading consent systems. “Action is needed to ensure that web users are able to meaningfully control the processing of their personal data as they browse the internet, in tandem with promoting high standards of data protection by websites and acting to tackle harmful practices,” stated the meeting report. “Web browsers, software applications and device settings all have a role to play in enabling people to set and update their lasting privacy preferences and ensure that these are respected by websites.”

Warnings and suspensions by industry itself

In a rare move, the ad industry itself is dishing out its own tough love. The Interactive Advertising Bureau in Europe in the last six months has sent letters to approximately 10 companies that provide consent management services to website publishers, warning that they were not compliant with the industry’s voluntary Transparency and Consent Framework, according to Filip Sedefov, legal director for privacy at IAB Europe. That framework — which sets standards for managing the flow of data tracking consent throughout the digital ad supply chain and was designed for compliance with the GDPR — requires consent management platforms to present notices to people in a specific manner detailed by IAB Europe.

“If there is use of dark patterns, for example, we can sanction that,” Sedefov told Digiday.

If there is use of dark patterns, for example, we can sanction that.
Filip Sedefov, legal director for privacy at IAB Europe

The trade body has also suspended “one or two” consent management platform companies temporarily in the last six months for failing to abide by IAB Europe’s user interface guidelines, he said. The organization’s agreements with companies registered to use its consent framework prohibit IAB Europe from revealing the names of companies that received warning letters or have been suspended. Those suspensions, “are only active for as long as the issues are not fixed,” which may be only a matter of weeks, said Sedefov.

IAB Europe has conducted manual and automated monitoring of websites and their consent management systems, detecting infractions including failure to notify people in a way that appropriately informs them about data collection or purposes for data use by third parties or ad tech vendor partners. IAB Europe told members in 2020 it would be enforcing guidelines for implementing the consent framework standards, noting that “Non-compliant [consent management platform] implementations undermine the reputation of the [Transparency and Consent Framework] and expose participating organizations to serious legal risks.”

Still, IAB Europe’s own suggested approach for user interfaces for tracking notice and choice are not as strict as what some privacy advocates and regulators might prefer. While the trade group’s design guidance suggests that people should be able to click an “accept all” button in the initial notice shown, it recommends that companies need only present options to reject tracking on a subsequent page denoted by a button labeled vaguely, “manage settings.”

Privacy watchdogs have argued many common approaches are not good enough. “Clicking through cookie consent buttons is not meaningful consent,” said Jennifer King, privacy and data policy fellow at the Stanford Institute for Human-Centered Artificial Intelligence. For instance, she argued during an April workshop held by the Federal Trade Commission to address opaque user design tactics, that when an “accept” button is highlighted in advance, “you can argue that’s a dark pattern.” The FTC is the data protection authority representing the U.S. in the G7.

Stacey Gray, senior counsel at the Future of Privacy Forum, agreed that consent notice banners and pop-ups have “clearly been inadequate as a single solution for consumer privacy.” She added, “Cookie walls, notice fatigue, deceptive banner design (“dark patterns”), and the practical inability of expecting users to make informed choices, are all real problems that deserve better legal approaches.”

King said, “I would suggest we need to think at a higher level about the decisions we could make that have a more systemic effect on how our data is collected and used, instead of thousands of micro transactions that grind away at our patience.”

Sign up to get the day’s top stories at 6am eastern.