by pixelkaiser 1602 days ago
The whole thing is based on them declaring the IAB the controller of PII data (in this case the consent string). If upheld, all the things you list will apply because these are the responsibilities of data controllers as per GDPR. If the TCF string was not deemed PII data then there would not be a controller because the GDPR would not apply.

IMHO, if they were really serious about this, they would have to go after the actual controllers (not the inventor of the spec) - mainly the actual websites that implement these (misleading) banners in the first place. It's beyond me how they can qualify the IAB as a controller when they never collect, process or store any of the TCF data.

If this wasn't so politically charged I'd say the IAB has a solid shot of getting this overturned in court.

1 comments

This is just the first step. If the consent string wasn't PII, all the other data tied to the consent string would not be PII as well, because this is the cookie that brings all the data together.

So now that we have confirmed that they do indeed process PII and use the consent string as the unique identifier that ties the whole profile together, we can start doing what you want: going after the companies that attach other datasets to the consent string.

Before this ruling, the companies/controllers would have said that we process no personal data, thus GDPR doesn't apply. Now we have a ruling, saying that this is not a valid excuse.

"Before this ruling, the companies/controllers would have said that we process no personal data, thus GDPR doesn't apply."

That is not correct. These companies use TCF because the GDPR applies. If it did not - they would not have to use it. The GDPR automatically applies as soon as cookies come into play - regardless of what is in the TCF string.

The main thing here is not that PII data comes into play but that the IAB is the controller. Until now the controller was/is the website that actually controls (and passes to 3rd parties) user data. That is why you have to agree to joint controller agreements if you want to integrate the TCF frameworks on larger web sites.

Some background on IPs: The ruling mentions that the reason TCF is PII is that it can be combined with IP addresses. No one challenges IP addresses as PII data anymore. There were many rulings that classify IPs as PII - specifically in Germany (even pre GDPR).