Johnny Ryan, chief policy and industry officer at Brave, filed a complaint late Tuesday with the Irish data protection commission arguing that the cookie wall on IAB Europe’s website is “illegal” under the General Data Protection Regulation (GDPR).
The IAB Europe’s site gives visitors three options: agree to the use of cookies and third-party tracking; click for more info on how the site and its third-party partners process data; or click to read IAB Europe’s privacy policy.
But unless they hit “I agree” to cookies and tracking, visitors can’t navigate to the actual website. It’s a classic cookie wall.
In February, the Dutch data protection authority issued guidance to say cookie walls are not compliant with the GDPR, because “take-it-or-leave-it” doesn’t constitute real consumer choice.
Ryan’s complaint might sound like just a quibble or even just a little ironic, but there’s a lot more going on here, he said.
“The GDPR guidance that IAB Europe has issued to the industry is completely incorrect,” Ryan said.
In 2017, IAB Europe’s GDPR implementation working group drafted a paper about consent advising member companies that it’s okay to use consent walls, but this position is based on a misinterpretation of the law, Ryan said.
According to the GDPR, if there any duplicative statutes between itself and the ePrivacy Directive, the latter takes precedent.
IAB Europe is using that fact to claim that ePrivacy, which allows for more leniency in the use of cookie walls in certain cases, applies when it comes to gathering consent on a website, rather than the GDPR, which outlaws them. In his complaint, Ryan alleges that this position is an overreach and a misunderstanding of how the law is meant to function.
“They’re saying that a narrow allowance in the ePrivacy Directive is somehow duplicated as an obligation in the GDPR – which it isn’t,” Ryan said. “Either they don’t understand how European data protection law works or they’re pretending not to, for some reason.”
IAB Europe struck back on Wednesday to clarify its position, noting that neither the GDPR or ePrivacy Directive prohibits the operator of a website from making access to their site conditional on consent for cookies or related data processing.
With regards to the complaint’s broader accusations regarding the IAB Europe’s position within the digital advertising industry, the trade org threw a little shade at how Brave, Ryan’s employer, makes money.
“Their current model blocks ads served transparently by the partners a publisher chooses to monetize their content and instead injects their own ads, coercing a publisher to give up a share of their revenue in the process,” IAB Europe said in a statement. “As a result, it is in Ryan’s interest to position himself as an arbiter of privacy standards.”
Ryan took issue with the accusation. “Brave simply blocks all tracking,” he told AdExchanger. “If a user then opts to switch on Brave’s private ads, then Brave gives publishers a 70% revenue share for those ads – far more than publishers otherwise receive – and gives users a 15% share, taking only 15%.”
This isn’t Ryan’s first complaint with an IAB entity in his crosshairs, or his first beef with the organization at large.
Ryan originally questioned IAB Europe’s consent guidance back in 2017, when it was first issued and before he was employed by Brave. More recently, he and a group of other privacy advocates filed complaints with data protection authorities in the United Kingdom, Ireland and Poland against the IAB Tech Lab calling for regulators to crack down on the practice of real-time bidding.
