Publishing giant Condé Nast has blamed the IAB’s Transparency & Consent Framework – developed by the industry body to help companies comply with data protection regulations – after being fined €750,000 (£657,000) by the French data protection authority CNIL for cookie consent failings.
The CNIL’s investigation, initiated following a complaint made by the Max Schrems-backed privacy group NOYB nearly six years ago, uncovered that the Vanity Fair French website was systematically placing non-essential cookies on users’ devices the moment they visited the site, even before they could register a consent choice on the required banner.
This practice directly contravenes European data protection legislation, which mandates that prior, informed consent must be obtained before any non-essential trackers are stored on a user’s device.
The most serious finding was that the illegal cookie deployment persisted even when a user explicitly selected the “reject all” option on the cookie banner.
This action rendered the user’s choice meaningless and demonstrated a clear failure to respect user autonomy and privacy preferences, CNIL ruled.
The fine was issued under Article 82 of the French Data Protection Act, the domestic implementation of the EU’s ePrivacy directive.
Condé Nast had previously received a formal order to comply with the rules in 2022, but subsequent investigations confirmed a continued failure to rectify the non-compliant practices, leading directly to the hefty fine.
According to the decision, the company acknowledged violations but cited technical errors, and blamed the IAB’s TCF for misleading information, and stated that the cookies in question fall under the “functionality” category.
The reformed adtech system was launched by IAB Europe in 2022 in response to a ruling that its previous framework was in breach of GDPR. Older versions of the IAB TCF are no longer valid, and the framework is currently in the process of transitioning to a newer version. As of November 20, 2023, only TCF 2.2 is valid, but a mandatory transition to the even newer TCF 2.3 will take place on February 28, 2026.
Condé Nast, meanwhile, claimed good faith and cooperative efforts, and also argued against the publicity of the sanction.
However, perhaps unsurprisingly NOYB has hailed the decision as yet another victory for its privacy crusade. In 2023, the CNIL fined Criteo €40m, while Google was fined €325m earlier this year. Other data protection authorities across Europe have also imposed fines following NOYB complaints, with the most recent penalty being a €100,000 fine issued by the Spanish AEPD against telecoms giant Euskaltel.
Related stories
Publishers call for consent rethink to bolster online ads
Brits expect data transparency not smoke and mirrors
It’s complicated: Consumers split on future of cookies
Cookies: ‘We’ve come too far to turn the car around now’
Now Google scraps easy opt out for third-party cookies
Only 8% of marketers face no first-party data issues
Be the first to comment on "Condé Nast fingers IAB consent tool after cookies fine"