Adtech Vendors Still Tracking EU Users Who Deny Consent via IAB’s TCF, Study Suggests

New research has raised fresh questions about IAB Europe’s self-styled Transparency and Consent Framework (TCF), a flagship ad industry consent management platform that is supposed to allow users to control the types of ads they receive (i.e. non-tracking vs. “personalized”). The study examines what happens after Internet users in Europe land on an ad-supported website and express their “privacy choices” through the framework. The TCF is already in hot water with data protection authorities.

IAB Europe said last month that it expects to be found in violation of the EU’s General Data Protection Regulation (GDPR), and that the framework would be found to be in violation as well, although the IAB hoped to imply that a few adjustments would be enough to address the issues raised by the Belgian data protection authority (DPA). The Belgian authority’s final verdict has yet to be published. However, its early findings, published last year, revealed a litany of GDPR failings.

Despite this, the IAB has maintained that the TCF is operating as intended for the estimated 800 adtech suppliers who participate in the system, fiercely rejecting criticism. Townsend Feehan, the company’s CEO, recently dismissed concerns, telling Engadget “none of this [tracking] happens if the user says no.”

The latest data, however, casts doubt on the idea that if a user opts out of tracking/behavioral advertisements via the IAB’s TCF, the adtech sector will follow suit. The study looked at how the adtech ecosystem reacts to user signals requesting just basic, non-tracking-based advertisements, as well as how ad vendors react when users say no to “personalized” ads.

The researchers discovered evidence that numerous adtech companies continue to track and profile Internet users even after they have expressly stated that they do not want tracking-based adverts. While previous studies have found issues with how publishers in the EU have implemented cookie consents, such as tracking cookies dropped before asking a site visitor for permission, this new study, conducted by adtech researcher Adalytics, focuses on the TCF framework itself, by looking at instances where ad-supported websites have faithfully reported users’ ad choices.

The problematic data flows therefore implicate the adtech sector, and its claims for the TCF as a flagship compliance instrument, by implying that the framework fails to correctly represent and actually respect users’ “privacy choices” after they are delivered to ad “partners.”

It is crucial to highlight that such an external study cannot view processing on adtech firms’ own servers, so there are certain limitations to what the researchers were able to witness using Chrome Developer Tools. It is tough to gain a complete picture of what happens with people’s data once the adtech ecosystem has it. However, that also cuts to the core of surveillance-based advertising’s challenge in complying with the GDPR, which demands accountability, openness, and security when processing people’s data, as well as a solid legal reason to do so.

Even leaving aside the fundamental overarching issues with the IAB’s TCF, the fact that tracking cookies are dropped and user data is shared around when a person has clearly stated that it should not be is, well, inconvenient. The researchers conducted tests in a number of EU countries, visiting websites they manually verified had correctly configured the framework to send the user’s consent string, selecting only basic ads, refusing personalized/tracking-based ads/profiling, and limiting the choice of adtech processor to a single vendor.

The testers also took care to object to “legitimate interests” in order to prevent their consent choices from being circumvented in this way. If the TCF worked as Feehan’s comments to Engadget earlier this month suggest (that is, if users can simply say “no” to monitoring via the TCF), the researchers would have expected to see data flowing exclusively in the way the individual had requested.

Instead, they discovered, in the vast majority of cases, data flows that were vastly different from the decisions that had been made. Several examples of tracking cookies placed before the user’s consent choices were even signaled are also detailed in the report. (However, they say that such cases were excluded from their research, since they wanted to see what happened when a user submits their selections via the TCF.)
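
The kind of check the test set-up above implies can be sketched in code. This is an added example, not the researchers' or the IAB's own tooling: it decodes the purpose fields of a TCF v2 consent string and flags captured requests that carry a cookie even though the string refuses personalized ads. The bit offsets and purpose numbers are taken from the TCF v2 specification as an assumption (they are not stated in the article), as is the `gdpr_consent` query parameter; the capture and host names are constructed, and treating any cookie as an identifier is a simplifying heuristic.

```python
import base64
from urllib.parse import urlparse, parse_qs

# Assumption: bit offsets of the TC string core segment as laid out in the
# IAB TCF v2 specification; purpose N is bit N-1 of each 24-bit field.
CONSENT_OFF, LI_OFF, FIELD_LEN = 152, 176, 24
PERSONALISED_ADS = {3, 4}  # TCF v2 purposes: create ad profile, select personalised ads

def decode_purposes(tc_string):
    """Return (purposes consented, purposes under legitimate interest)."""
    core = tc_string.split(".")[0]  # the core segment comes first
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    bits = "".join(f"{b:08b}" for b in raw)
    if len(bits) < LI_OFF + FIELD_LEN or int(bits[:6], 2) != 2:
        raise ValueError("not a complete TCF v2 core segment")
    ids = lambda off: {i + 1 for i in range(FIELD_LEN) if bits[off + i] == "1"}
    return ids(CONSENT_OFF), ids(LI_OFF)

def build_sample(consented):
    """Constructed input: a minimal core segment, zero except version and consents."""
    bits = ["0"] * 216
    bits[:6] = "000010"  # version 2
    for p in consented:
        bits[CONSENT_OFF + p - 1] = "1"
    raw = int("".join(bits), 2).to_bytes(27, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def flag_requests(requests):
    """Hosts that received a cookie although the string refuses personalised ads."""
    flagged = []
    for url, headers in requests:
        parsed = urlparse(url)
        tc = parse_qs(parsed.query).get("gdpr_consent", [""])[0]
        if not tc:
            continue
        consent, li = decode_purposes(tc)
        if not PERSONALISED_ADS & (consent | li) and "Cookie" in headers:
            flagged.append(parsed.hostname)
    return flagged

BASIC_ONLY = build_sample({2})  # purpose 2: select basic ads
# Constructed capture, in the shape of requests exported from browser dev tools.
CAPTURE = [
    (f"https://sync.vendor-a.example/px?gdpr=1&gdpr_consent={BASIC_ONLY}", {"Cookie": "uid=abc123"}),
    (f"https://ads.vendor-b.example/ad?gdpr=1&gdpr_consent={BASIC_ONLY}", {}),
]

if __name__ == "__main__":
    print(decode_purposes(BASIC_ONLY), flag_requests(CAPTURE))
```

A flagged host shows only that an identifier-bearing request was observed in the browser; as the article notes, what happens on the vendor's servers is not visible from outside.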