
European watchdog: All data collected about users via ad-consent popup system must be deleted

jack_christie

Huge decision against big adtech:

All data collected through the Transparency & Consent Framework (TCF) must now be deleted by the 1,000+ firms that pay international digital marketing and advertising association IAB Europe to use it. This includes Google's, Amazon's and Microsoft's online advertising businesses.
 
The Austrian analog to this Belgian GDPR watchdog also ruled last month or so that there is currently no way to use Google Analytics in a legal way in Europe. Which is huge, because everyone has that on their website.
The basis for this was basically the fact that the data goes to the US and that the EU-US treaty (still called Privacy Shield?) is an utter joke compared to GDPR. Also, US laws contradict basic GDPR rights. As far as I understood it, this was specifically mentioning Analytics, but would apply to all US-based companies handling EU user data, really.
 
The key point here is the Article 24 breach, which I think is worrisome for SaaS businesses far beyond AdTech: The IAB offers "cookie consent as a service", which can, but must not be combined with their RTB solution. So the IAB does not actually process any customer data, they literally only supply the consent.
So if someone supplying some UX element is responsible for what is happening to the data in the backend, that is highly worrisome - if we think about an online shop that includes personalized recommendations and results, that needs cookie consent. Many shops these days have a frontend component and a "headless" shop software doing the actual work from different suppliers. This ruling can be read as the frontend supplier, if it supplies a cookie consent form, being responsible for the third-party backend handling data in a GDPR-compliant way.
 
Oh yeah, that is gonna suck for SaaS providers if this is taken as precedent for other SaaS uses. I honestly find it a bit weird to have "cookie consent as a service" - but then again, looking at WordPress and Magento and the like, there's even tiny little plugins for everything.
It's often hard enough to explain to the users of those things the limited scope of the application (e.g. only frontend, no backend integration at all), but it may be even harder to have this distinction taken care of properly on a legislative level. Let's see.
Also regarding the Analytics ruling from Austria: it seems like nobody actually gives a shit what some lady in Austria thinks. Maybe the same with the Belgians in this case? :D
 
That case^ is probably as much about an end run around weak Data Protection Commissioners.

It's taken three years for them to begin hearing the NYBO case against Google:

Facebook's discarding of the European Court of Justice (CJEU) rulings on EU-US data transfers
 
It's taken three years for them to begin hearing the NYBO case against Google:
Yeah it seems Ireland has decided to transition from an EU tax haven to a... EU data protection haven... anti-haven WHATEVER you know what I mean :D by just deliberately working slowly, not enforcing applicable law and dragging their feet - all in the name of keeping FAANG happy and complacent. fuckers.
 