The bosses of eight of the world’s biggest online advertisers – the CEOs of Procter & Gamble, Unilever, Ford, GM, IBM, Mastercard, AT&T and Bank of America – have been given 14 days to stop using illegal consent pop-ups and delete all data gathered through them or face further action.
That is the stark warning issued by the Irish Council for Civil Liberties (ICCL) and Electronic Privacy Information Center (EPIC) following the recent ruling that the official IAB Europe adtech framework – used by Google and thousands of others – breaches GDPR.
The two privacy organisations insist these illegal consent pop-ups feature on 80% of the Internet.
They are also demanding that the companies immediately refrain from “consent spam” in the US based on the IAB framework, arguing that the practice plagued Europeans for years, and is now being expanded in the States, as part of an industry initiative these companies support – called “Programme for Responsible Addressable Media”.
The organisations say that, following the February 2 decision, any person whose personal data has been unlawfully processed as a result of these companies’ reliance on these consent pop-ups can take them to court under EU law.
The companies may be held liable for “the entire damage” caused by advertising technology firms working on their behalf, under Article 82(4) of the GDPR. In addition, the companies can also be fined 4% of their total worldwide turnover.
The letter to the CEOs states:
“Notice of default: delete all personal data collected through online advertising “TCF” system, and stop consent spam in US and elsewhere.
“We write on behalf of the Irish Council for Civil Liberties (ICCL) and the Electronic Privacy Information Center (EPIC). We draw your attention to the landmark decision of European data protection authorities of 2 February, which we enclose herewith…
“The decision requires that any personal data collected through the Transparency and Consent Framework (TCF) must be ‘no longer processed and removed accordingly’.
“This arises from the landmark decision of European data protection authorities of 2 February that the TCF infringes the following articles of Regulation EU 2016/679 (the GDPR): Article 5, Article 6, Article 12, Article 13, Article 14, Article 24, Article 25, Article 32, Article 44, Article 45, Article 46, Article 47, Article 48, and Article 49.[2] The Belgian Data Protection Authority took this decision in agreement with no less than 27 other EU supervisory authorities. Their decision is immediately enforceable.
“Therefore, we hereby serve notice to your company of these violations and request that you immediately cease using the TCF and OpenRTB and take immediate steps to delete all personal data that your company collected or otherwise processed in the context thereof.
“Second, and for the avoidance of doubt, the case law[3] of the European Court of Justice provides that a company that uses online advertising systems that process personal data to target advertising and to generate reports is a data controller in the meaning of Article 4(7) of the GDPR.
“Your company uses such systems in the European Economic Area (EEA). It is therefore a data controller, including for processing undertaken by diverse associated processors.”
The letter goes on to detail why the businesses must act, and concludes: “In view of the seriousness of the matters discussed above, please confirm you will take these actions no later than fourteen days hence.”
P&G, Unilever, Ford, GM, IBM, Mastercard, AT&T and Bank of America have yet to comment on the letter.
Related stories
Adtech framework is sunk; now firms must delete data
New IAB adtech framework ‘as flawed as the last one’
Big issues still to tackle in 2022: Online or off limits?
CMA action forces Google to delay demise of cookies
Privacy groups claim victory over looming adtech ruling
DMA wades into ICO row over axed adtech investigation
Privacy groups hit out at fresh delay to adtech probe
‘Chicken’ ICO kicks adtech investigation into long grass
Adtech breach widens, two years after first complaints