Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I don't know about everyone else but I'd like more context.

"Is responsible for the consent popups"... ok. What happens now?



I dug out the original ruling and skimmed the last part of it. I have probably misunderstood a bunch, it's very long.

But my tl.dr. as I understand it is that IAB provides a Transparency Consent Framework[2] to its users, which includes popup cookies.

They lost a case where they argued they don't have any responsibility ( to the degree that they didn't even have a Data Privacy Officer or had done a Data Privacy Impact Assessment) for providing the IAB compliance popups. These popups were used by others in order to do gain "consent" to do real time bidding ads (and probably other things), it might be that they also provided some level of RBT.

They lost and the court said they are jointly responsible and need to fix long list of things and pay 250k euro.

IAB then appealed and the appeals court deferred it to the ECJ, who has now said that yes they do have a join responsibility.

So as I understand it, this is sadly not the death-blow to valid or invalid consent popups. But at least it might improve the UX on them.

[1] https://web.archive.org/web/20240109014435/https://www.gegev... [2] https://iabeurope.eu/transparency-consent-framework/


Just to clarify... the IAB does not provide cookie popups. It does however provide a spec [0] for how these are supposed to operate. Website publishers then choose which popup vendor to use.

[0] https://github.com/InteractiveAdvertisingBureau/GDPR-Transpa...


The step we need to take is find one such vendor which delivers non compliant popups, find the customers of those popups, take the 10 biggest ones and give them a nice big fine that's big enough to scare every other business into compliance.


If you (or anyone reading it) include yourself in that "we", you can help with taking that step by writing and/or donating to the nonprofits that are driving these cases. Like the ICCL that posted this article, or e.g. NYOB (https://noyb.eu/).


> On 2 February 2022 the Belgian Data Protection Authority, in agreement with 27 other EU data protection authorities, ruled that the [IAB controlled] “TCF” consent spam system is illegal.[3] This decision meant that the entire online advertising had unlawfully processed the data of everyone in Europe for years.

> However, this was appealed at the Brussels Markets Court. [...]

> The Brussels Markets Court can now proceed to rule on the matter with certainty that IAB Europe is indeed responsible, and that the data concerned are protected by the GDPR.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: