Data Protection Authority investigation of our complaints finds that the IAB Transparency and Consent Framework infringes the GDPR.…
Press statement…
A big thank you to all of the RTB complainants for helping to get to this step.
@jimkillock @szymielewicz @gemmagaldon @bitsoffreedom @mikarv @LibertiesEU @Jausl00s @liguedh_be. Most particularly, thanks to @RaviNa1k.
I have left many out (for example, @PiDewitte). 22 complainants in 16 countries are involved in this.
The APD Inspectorate Service agreed with our complaints, and concluded that the IAB "TCF" allows companies to swap sensitive data about people even when this is not authorised. It says IAB Europe "neglects the risks that would impact on the rights and freedoms of data subjects”.
In addition, “The TCF does not provide adequate rules for the processing of special categories of personal data. However, the OpenRTB standard, framed by IAB Europe’s TCF, does allow the processing of special categories of personal data".
See this thread for a reminder of just how intimate RTB data can be. Example: LGBTQ+ people were profiled by a data broker using RTB data to influence a national election.
The APD Inspectorate Service also said “the Inspection Service believes that IAB Europe is trying to avoid its liability to the GDPR, constituting an aggravating circumstance”. #IABTCF #TCF #GDPR
It also found that IAB Europe had failed in the most basic aspects of GDPR compliance.

It reports that the privacy policy on IAB Europe's website is not compliant. (I filed a formal complaint about that in 2019…)
In addition, the APD found that IAB Europe failed in other basic GDPR compliance measures. Nor did it appoint a data protection officer, or maintain a registry of what it does with personal data, or have clearly defined controller/processor relationships with its own vendors.
This is significant for the IAB's attempt to market a variant of the TCF as a solution for the CCPA and CPRA.
@ashk4n @caprivacyorg
The IAB "Framework" is used by Google and others to paint a thin legal veneer over the vast data breach at the heart of the behavioural advertising system. Now, the APD-GBA is peeling this veneer off.
This is good news for publishers, which have had their audiences stollen from them for a decade, been subject to tracking based bot fraud, and subject to vast adtech taxes. Here's the view from a smart colleague working at the NYT.
For a 4 minute mini-documentary about RTB with the added bonus of my own crappy sound editing, watch this

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Johnny Ryan

Johnny Ryan Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @johnnyryan

21 Sep
Today, we release new data on the consequences of the biggest data breach of all time: Real-Time Bidding. Two years after my complaint about the RTB privacy crisis, @DPCIreland has failed to end it.
Here is a list of the companies that Google sends RTB data to in Europe. It is 25 pages long!
(US list is longer, and has companies from many nations)…
Read 14 tweets
5 Sep
@robinberjon @therevoltingx @BrendanEich @samtingleff @acfou @kickstand @mrr619 @WolfieChristl @johnwilander @brave @random_walker While RTB is a vast external data breach (infringing GDPR Article 5(1)f in particular), Facebook, Google, etc. cross use data internally (infringing GDPR Article 5(1)b in particular). I set out this external / internal picture here.…
@robinberjon @therevoltingx @BrendanEich @samtingleff @acfou @kickstand @mrr619 @WolfieChristl @johnwilander @brave @random_walker There must be enforcement to stop infringement of the purpose limitation principle (companies operating unlawful internal data free-for-alls), and against infringement of the security principle (RTB’s big external data breach).
Read 5 tweets
18 Feb
The online advertising market requires both internal & external #GDPR enforcement.
@Brave's new submission to @CMAgovUK shows why we need to act against the vast RTB data breach, but also act against Google's internal data-free-for-all too.…
@brave @CMAgovUK Google, and Facebook, operate internal data free-for-alls that sustain their monopolies. In competition law, that's a problem. But it's also a problem in data protection law - and data protection law happens to have a handy *consumer-led* remedy!
@brave @CMAgovUK @Kartellamt @ICOnews It is tricky, because the vertically integrated platforms can hide behind three layers of infringement. Data protection authorities have to knock down all three. But once they do, the Googles and Facebooks have nowhere to hide.
Read 8 tweets
4 Feb
New report from @brave: people seeking help for addiction, disability, and poverty on council websites are profiled by private companies in the UK.…
@brave JavaScript inventor and @brave's CEO @BrendanEich calls on Elizabeth Denham @ICOnews to finally act against RTB and adtech in his foreword. Image
@brave @BrendanEich @ICOnews @simcd @IanCLucas @RaviNa1k @jimkillock @mikarv @jason_kint Our new report on how private companies surveil people seeking help for addiction, poverty, and disability is in The Guardian this morning. @sloumarsh has the story.…
Read 17 tweets
1 Aug 19
The CEO of the tracking industry lobby is throwing stones at a publisher group CEO for supporting the GDPR. But oddly, he cites an early research working paper in to an e-commerce (not publisher) revenue impact hit from the #GDPR.
Also, the tracking industry lobby group CEO counts Equifax, Acxiom (as featured in #TheGreatHack), and the rest of the major data brokers as his paying members, plus Facebook and other privacy harming companies.
Unanswered question: Was Cambridge Analytica an @IAB member? Most of Cambridge Analytica’s data sources are current @IAB members, as are other “data management platforms”. @r2rothenberg @alexpropes @jason_kint
Read 5 tweets
4 Dec 18
I have requested that Europe’s Competition Commissioner @vestager examine the online “behavioural” advertising market to prevent anticompetitive practices that disadvantage publishers, restrict innovation, and limit consumer choice.… #antitrust
Bloomberg's @Aoifewhite101 has the story here…
Here are some of the questions we ask the @EU_Competition to consider. Do online platforms leverage dominant positions in one line of business by cross-using user data accumulated in that line of business to dominate other lines of business too, rather than compete on the merits?
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!