IAB Europe – Fine (Belgium, 2022)

Fine
Autorité de Protection des Données, 2 February 2022, Belgium
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

IAB Europe was found to have tracked users with cookies without getting their permission. This matters because it shows that companies need to be clear and honest about how they use cookies on their websites. Website operators should ensure they provide clear cookie information and allow users to make informed choices.

What happened

IAB Europe used third-party cookies without obtaining user consent.

Who was affected

Website visitors whose browsing activities were tracked by IAB Europe's cookies.

What the authority found

The Belgian data protection authority found that IAB Europe violated GDPR rules on legality, transparency, and user consent.

Why this matters

This decision highlights the importance of transparency in cookie usage. Website operators should review their cookie policies to ensure they comply with consent requirements.

GDPR Articles Cited

Art. 13 GDPR
Art. 14 GDPR
Art. 30 GDPR
Art. 31 GDPR
Art. 37 GDPR
Art. 5(1)(a) GDPR
Art. 5(2) GDPR
Art. 6(1) GDPR
Art. 9(1) GDPR
Art. 12(1) GDPR
Art. 24(1) GDPR
Art. 32(1) GDPR
Full Legal Summary
Detailed

The Belgian DPA has imposed a fine of EUR 250,000 on IAB Europe. The DPA had received several complaints against IAB Europe since 2019. In the context of this complaint, the compliance of the 'Transparency & Consent Framework (TCF)' with the GDPR was mainly questioned. The TCF was developed by IAB to promote compliance with the GDPR by organizations using the OpenRTB protocol.

The OpenRTB protocol is a protocol for 'real-time bidding,' which is the automated online auction of user profiles for the sale and purchase of advertising space on the Internet. When users visit a website that contains an ad space, technology companies, through an automated auction system, can bid in real time for that ad space to display personalized advertising.

When users visit a website for the first time, an interface appears through which they can consent to the collection and sharing of their personal information or object to various types of processing. As part of the TCF, a consent management tool appears during this process. The tool allows the user to object to certain types of data processing. The TCF registers the user's preferences through the tool by generating a TC string and sends it to all partners participating in the OpenRTB system. Based on this TC string, user profiles are compiled, which are then passed on to advertisers. This makes it visible to them what kind of data processing the users have agreed to.

Within the scope of its investigation against IAB, the DPA identified a number of violations of the GDPR. It found that the TC strings already constituted personal data and therefore IAB was required to have a legal basis for processing these data. However, IAB was unable to demonstrate any such legal basis. In addition, IAB did not properly inform users about the functioning of the TCF. For example, the information provided to users was too generic and vague to understand the scope of the data processing. Furthermore, IAB had not maintained a register of its processin

Violations (4)

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

Unclear Cookie Information
high

The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.

Art. 12, 13 GDPR

Misleading Banner Messaging
critical

The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).

Art. 7 GDPR

No Granular Cookie Choice
high

Users cannot select or deselect individual cookie categories; consent is presented as all-or-nothing.

Art. 4(11) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for IAB Europe in BE

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

2 February 2022

Authority

Autorité de Protection des Données

Enforcement Tracker ID

ETid-1051

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. IAB Europe - Belgium (2022). Retrieved from cookiefines.eu
