IAB and the great GDPR violation

A week ago, we wrote about how one website in Austria might bring down Google’s entire analytics module. 

Today, we’re talking about IAB and how their consent pop-ups are actually in breach of GDPR. 

Let’s get to it. 

What are you talking about?

We went over GDPR a week ago, but here’s the brief explainer: GDPR is your right to be forgotten, your right to have access to your personal data, your right to know what happens to that data in the interim. Any company that has access to your personal data, no matter if it’s Amazon, a shopping website, or a blog, has to protect that data from leaks and cybersecurity breaches. 

Violating GDPR means a fine on the low-end of the scale, and cessation of all trading activity on the high end. 

It’s a pretty big deal. 

GDPR is one of the main reasons  you have to consent to cookies every time you visit a new website or if you look at websites on incognito mode. GDPR is why you find out if your data is stolen. 

And GDPR is why Austria has ruled that Google Analytics is illegal in Europe. 


Part of GDPR controls were you store your data and how you process that data. Any website that sends data from their website to a server in the United States runs the risk of violating GDPR – the primary protections that European countries place on data aren’t present in the United States, whose government can legally access any EU citizen data. 

What does this have to do with Europe?

Data is liquid gold. 

Non-profit organisations like noyb, Bits of Freedom, and Panoptykon Foundation know this. More importantly, they know that European law protects your data to a certain rigorous level. 

American data laws don’t have the same protections for third-party nationals. 

Since GDPR came into force in 2016, multiple organisations have filed complaints against websites that violate GDPR. One of their key arguments is that any data that’s sent to American servers is not protected by EU law, and therefore the website is in violation of GDPR. 

What’s IAB?

The International Advertising Bureau is an American business association that governs ad standards, conducts research, and supports the online advertising industry. It’s another nonprofit organisation, one that’s been around since 1996, and it’s the reason why there are advertising ‘standards’ for every ad format including video. 

There are 42 licensees in IAB, 27 of which are located in Europe. 

IAB Europe is the coalition of those 27 national IABs. 

It is also the creator of the Transparency & Consent Framework, one of the standardised pop-ups that crop up at the beginning of every new website to tailor how much data you want to provide the company, and give you a brief explanation of what that data is used for. 

International Advertising Bureau is in Europe, though. How is it illegal?

Being based in Europe isn’t enough to avoid GDPR violation. The Court of Justice takes GDPR violations extremely seriously, and it’s irrelevant where the website or server are placed. 

IAB didn’t just violate GDPR. It continuously violated GDPR by: 

  • creating advertising profiles and showing them personal ads without adequately obfuscating identifying and personal information such as sexual orientation and health data. 
  • making the privacy policy difficult to understand and available only in English. 
  • hiding the reason they’re collecting this data. 
  • not protecting the data it collects and not monitoring that websites which use IAB are compliant with GDPR. 
  • not hiring a data protection officer. 

So violating GDPR is bad. What does this mean for business owners?

Google Analytics getting called out on their GDPR violations is one thing: one very big, ground-shaking thing. The story about data is still developing, and the way it’s developing is telling us a lot about the future of how businesses will work with data. 

But it’s not just GA. Everything that has been put in place to patch-job the risks of data violation is coming under scrutiny – and for a lot of reasons, it’s being found wanting. IAB is just the latest mark – and if you’re keeping up with Google’s continuing problems with data, it’s not going to be the only GDPR-related business problem we’ll see this year.  

Businesses need to take care of consumer data. They need to invest in the proper protections for that data. 

And they might need to invest in a different way of collecting and maintaining consumer data. If the bigger, better-known methods such as Google Analytics and IAB are in violation of GDPR, companies need to be prepared for the moment when those companies have to severely amend or change the way these services work. 

Any advice for businesses who had to deal with the Google Analytics ruling and IAB in the same week?

Be prepared to get more news along these lines.

Everyone panicked for a few months when GDPR went into force. Then, when no one was fined 20m for not putting up a Cookie Policy popup, we collectively swept the issue under the carpet. This is why GDPR was created, and now we’re seeing its true effects. 

Consumers aren’t stupid. They already don’t like the amount of information that organisations have on them. Add in these big rulings – rulings that even the everyman on the street will understand once the websites he uses more often have to change to maintain GDPR protocol – and this is the kind of problem that’s only going to get worse before it gets better. 

That’s a good thing. 

Nobody’s telling you you can’t collect consumer data. Nobody is going to outlaw Google Analytics and IAB tomorrow. 

But start figuring out if you need all that wide scale, top-down data to begin with, and then go from there. 

If you need help knowing how to read it, we’re here for that. Let us know

Insights from our CEO

Industry insider knowledge and business leadership insights from Rik's mind to your inbox.

You can also connect with him on LinkedIn or schedule a call.

Thanks for subscribing.