Today’s IAB statement

The consent framework timeline

In May 2017, the IAB acknowledged “it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario”, and wrote that RTB would be “incompatible with consent under GDPR” as a result.[1]  

In April 2018, the IAB launched its Transparency & Consent Framework.[2]

Then in May 2018, the IAB again acknowledged that “transparency and consent may not be seen as valid”. This is because, “…there is no technical way to limit the way data is used after the data is received by a vendor for … bidding”.[3]

In today’s statement the IAB claims that its acknowledgement in May 2017 was “true at the time, but has changed since”. But this timeline makes it inescapably clear that both before and after the launch of its consent mechanism, the IAB acknowledged there was no way to control who receives what data, or what they do with those data once received.

The core of the complaint

The IAB misrepresents the argument at the core of our complaint, which is about the security of sensitive personal data in the advertising ecosystem. The IAB claim that the system as it exists would only be illegal if a few bad actors chose to act outside the law. We claim that the insecurity of this system and the mass transmission of sensitive data to thousands of vendors is a feature, not a bug. As such, the entire ecosystem is in breach of core data protection principles, and regulators have to proceed with a holistic view if they have any hope of bringing it within compliance.

The IAB might paint a rosy picture of an industry keenly seeking compliance, but the economic incentives designed into this ecosystem are for actors to gather, retain and re-use highly sensitive data. Indeed, vendors are “strongly recommended”[4] by the IAB to include data such as a User ID, which can single individuals out. We have highlighted the kinds of sensitive data, such as website types concerning incest or medical status, whose transmission these frameworks facilitate. The IAB have themselves highlighted, one month after the release of their Transparency and Consent Framework, that it is likely to legally fail when there are ‘thousands of vendors’ involved, ‘without regard for limiting purposes per vendor’.[5] Yet this is precisely how the industry operates.

The IAB highlight that within the current state of the system, there is ‘no technical way to limit the way data is used after the data is received from a vendor’.[6] There is also no effective way for individuals, or for society and regulators more broadly, to oversee this data use. This is unacceptable for a technology transmitting sensitive information from websites and from apps, and as the IAB acknowledged in their documentation, it has not changed since their Transparency and Consent Framework was introduced.

Fixing advertising

We want to make online advertising work better and safer.

There is a technical way to make RTB operate safely, which we suggest: remove or truncate the personal data, especially sensitive or highly identifying personal data, that the IAB and Google standards prescribe or even ‘strongly recommend’ within a bid request. This is an essential tweak. If a system has insecurity at its core, regulators need to understand and assess how its core could be changed to make it compliant, not try to add polish to a deeply flawed system.
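The remove-or-truncate step suggested above can be sketched as a filter applied to a bid request before it is broadcast. This is an added example, not code from this statement, the IAB or Google; the field names follow OpenRTB 2.x bid request objects (an assumption, since the statement names no fields), and the choice of which fields to drop or coarsen is an illustrative policy.

```python
import copy
import ipaddress

# Field names follow OpenRTB 2.x bid request objects (assumption: the page
# names no fields). Which fields to drop or coarsen is an illustrative policy.
DROP = {
    "user": ("id", "buyeruid", "yob", "gender", "keywords", "data"),
    "device": ("ifa", "ipv6"),
    "site": ("page", "ref", "cat", "sectioncat", "pagecat", "content"),
}

def truncate_ipv4(ip):
    """Zero the last octet so the address no longer points at one connection."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return str(net.network_address)

def minimise_bid_request(req):
    """Return a copy of req with identifying and sensitive fields removed or coarsened."""
    out = copy.deepcopy(req)
    for obj, fields in DROP.items():
        for field in fields:
            out.get(obj, {}).pop(field, None)
    device = out.get("device", {})
    if "ip" in device:
        device["ip"] = truncate_ipv4(device["ip"])
    geo = device.get("geo", {})
    for axis in ("lat", "lon"):
        if axis in geo:
            geo[axis] = round(geo[axis], 1)  # one decimal: roughly 11 km of latitude
    return out

# Constructed sample bid request (not real traffic).
SAMPLE = {
    "id": "req-0001",
    "imp": [{"id": "1", "banner": {"w": 300, "h": 250}}],
    "site": {"domain": "health-forum.example",
             "page": "https://health-forum.example/threads/my-diagnosis",
             "cat": ["IAB7"]},
    "device": {"ip": "203.0.113.77", "ifa": "constructed-ad-id",
               "geo": {"lat": 53.34981, "lon": -6.26031, "country": "IRL"}},
    "user": {"id": "constructed-user-id", "buyeruid": "constructed-buyer-id", "yob": 1984},
}

if __name__ == "__main__":
    import json
    print(json.dumps(minimise_bid_request(SAMPLE), indent=2))
```

The impression details needed to run an auction (`imp`) pass through unchanged, while the page URL, content category, user and device identifiers are gone and the IP address and coordinates are coarsened.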

We have asked regulators to investigate the flaws at the heart of this entire ecosystem, which the IAB and Google both play the key roles in orchestrating. It is quite clear to us that the idea that illegalities might be found upon a detailed regulatory examination has struck a sensitive nerve with the IAB in this case, and that itself should motivate authorities to take a closer look at this pervasive and insecure piece of online infrastructure.


The IAB claims that it “consistently tried to outline the counter arguments and correct information, mentioned above, to the claimants”. In fact, we have received no communication from the IAB on this matter.

[1] IAB report attached with Townsend Feehan’s E-mail to European Commission Directorate General for Communications Networks, Content and Technology, June 2017, p. 3.

[2] “Transparency & Consent Framework specification launches global as industry participation increases”, IAB Europe, 25 April 2018.

[3] “Pubvendors.json v1.0: Transparency & Consent Framework”, IAB Europe / IAB TechLab, May 2018, p. 5.

[4] “AdCOM 1.0”, IAB TechLab, November 2018.

[5] “Pubvendors.json v1.0: Transparency & Consent Framework”, IAB Europe / IAB TechLab, May 2018, p. 5.

[6] “AdCOM 1.0”, IAB TechLab, November 2018.