One of CleanApps.Org main goals is to provide the information and insight you need to get your apps approved and successfully marketed in all relevant app marketplaces. Belgium’s Data Protection Authority (DPA) handed down a decision on 2 February 2022 declaring the Interactive Advertising Bureau (IAB) of EU in violation of existing standards for how publishers acquire consent to collect and use personal data from customers. They have ordered that all data collected through consent popups must be immediately deleted. 

This is just the latest in a series of decisions that have tightened the restrictions on how prospects can be tracked, and how their data shared. The app market methods for gathering actionable data from potential buyers have already undergone massive changes due to Artificial Intelligence and the ability to crunch massive amounts of data.  

The GDPR decision is a big deal. The entire tracking industry follows IAB’s consent system for guidance on staying compliant with GDPR and this decision will affect advertising algorithms from Google, Bing, and thousands of private companies that publish and advertise apps. The decision rules that cookie consent popups have been used to deprive millions of Europeans of their basic data rights. The Belgian DPA Chairman of Litigation said that IAB’s Transparency and Consent Framework (TCF) as it currently stands is “incompatible with the GDPR due to an inherent breach of the principle of fairness and lawfulness.”

Wait, what? The whole idea behind the IAB was supposed to help align stake holders with GDPR compliance regulations! What went wrong? 

The IAB/TCF failures were found to be systemic:

  • Failed to keep personal data secure and confidential.
  • Failed to properly request consent and uses an online tracking-based “real time bidding” marketers that is opaque to the public.
  • Failures in compliance for data protection by design and inadequate protection of international transfers of data.
  • IAB negligence underscored their failure to maintain proper records, conduct data protection impact assessments, and a failure to appoint a Data Protection Officer.

The Belgian DPA levied a fine against IAB Europe for €250,000 and a mandate to:

  • Within two months, propose changes that make info collection compliant.
  • Make the changes within 6 months.
  • Immediately and permanently delete data that has been gathered with the current TCF protocols. This affects the online advertising tech giants Google, Amazon, and Microsoft and more than one thousand companies that pay to use TCF to stay compliant.

Dr Johnny Ryan of the Irish council for Civil Liberties initiated the real-time bidding system in 2018. As one of the chief complainants now, he said, “This has been a long battle. Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies.” 

For more on this GDPR/IAB decision:


Irish Council for Civil Liberties