GDPR

CJEU Clarifies GDPR Rights on Automated Decision-Making and Trade Secrets

CJEU clarifies GDPR rights regarding automated decision-making and trade secrets. On February 27, 2025, the court ruled that data controllers must give clear, accessible information about automated decisions impacting individuals, without sacrificing trade secrets. It emphasized the balance between data subject rights and commercial interests and stated national laws cannot broadly exclude access to data based on trade secrets. Companies must ensure transparency while still protecting proprietary information, aligning with the explainability requirements in the AI Act.

https://www.insideprivacy.com/gdpr/cjeu-clarifies-gdpr-rights-on-automated-decision-making-and-trade-secrets/

Europe GDPR Assessment Tools Market Size & Growth, 2033

Europe's GDPR assessment tools market, valued at USD 210 million in 2024, is projected to grow to USD 990 million by 2033, with a CAGR of 18.83%. Increasing regulatory scrutiny and rising cybersecurity threats drive demand for these tools, which help organizations ensure compliance and mitigate risks. However, high implementation costs and integration challenges with legacy systems hinder growth, especially among SMEs. Opportunities exist in AI-driven solutions and cloud-based tools, as organizations prioritize data protection amid evolving privacy regulations. Key market players include IBM and Microsoft, reflecting a competitive landscape focused on innovation and compliance.

https://www.marketdataforecast.com/market-reports/europe-gdpr-assessment-tools-market

GDPR Damages Claims

GDPR allows individuals to claim compensation for non-material damages, but quantifying these damages is challenging. A study of 255 court cases in Germany from 2018 to 2023 reveals that only 25% of claims are successful, with average claimed damages around €5,200 but awarded damages averaging €3,300. Sensitive personal data results in higher damage awards, indicating that companies face unpredictable liability risks.

https://www.taylorwessing.com/en/insights-and-events/insights/2025/02/gdpr-damages-claims

CNIL Releases Recommendations on AI and GDPR Compliance

CNIL published recommendations on AI compliance with GDPR, emphasizing transparency and individual rights. Key aspects include providing timely, clear information at data collection, guidelines for handling data subject rights requests, and clarifying which AI models fall under GDPR. Organizations should ensure compliance while developing AI systems, focusing on flexibility in purpose limitation and data minimization, and implementing safeguards for personal data retention. Recommendations aim to balance legal obligations with innovation in AI.

https://natlawreview.com/article/cnil-publishes-recommendations-ai-and-gdp

Data Sharing Agreement (DSA)

DSA: Legal document outlining terms for sharing data between parties. Ensures data privacy, security, usage rights, compliance with regulations, responsibilities, and liabilities. Protects both data providers and recipients.

Transparency and Consent Framework (TCF)

The digital advertising landscape continuously evolves, with new frameworks and regulations emerging to enhance user privacy and transparency. One such framework is the Transparency and Consent Framework (TCF) developed by the Interactive Advertising Bureau (IAB) Europe. The latest iteration, TCF 2.2, introduces significant changes to improve user control, transparency, and compliance with data protection laws like the GDPR and ePrivacy Directive.

Key Features of TCF 2.2

Removal of Legitimate Interest in Advertising and Content Personalization

In a significant shift, TCF 2.2 removes the use of “legitimate interest” as a legal basis for processing personal data for advertising and content personalization purposes. Publishers and vendors can now only rely on explicit user consent for these activities, aligning with regulatory guidance emphasizing the importance of unambiguous consent.

Improved User Information and Transparency

TCF 2.2 mandates using clear, user-friendly language and real-life examples to explain data processing purposes and features. This replaces complex legal terminology, making it easier for users to understand the implications of their consent choices. Additionally, Consent Management Platforms (CMPs) must now disclose the total number of vendors seeking legal grounds, providing users greater transparency.

Standardized Vendor Disclosure

Vendors must now provide additional details about their data processing activities, including the categories of data collected, retention periods, and legitimate interests involved (if applicable). This information empowers users to make more informed decisions about their data and enhances overall transparency.

Technical Updates

TCF 2.2 also updates the technical specification: the “getTCData” command is removed, and implementations obtain consent signals through event listeners instead. The Global Vendor List (GVL) has also been updated to version 3, allowing vendors to declare URLs in multiple languages and provide additional information about data categories and retention periods.
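The listener-based flow that replaces getTCData, shown as an added example (not IAB code and not from the original page): a tag registers with the CMP's __tcfapi via addEventListener, ignores intermediate states, checks vendor and purpose consent once a final signal arrives, and unregisters. The vendor id 99 and the purpose ids are placeholders (real ids come from the Global Vendor List), and the in-block CMP is a constructed stand-in that implements just enough of __tcfapi for the flow to run offline.

```javascript
// Added example, not IAB code: gating a vendor tag on TCF 2.2 consent signals
// via addEventListener/removeEventListener (getTCData no longer exists in 2.2).
// Vendor id 99 and purpose ids 1 and 4 are placeholders; the CMP below is a
// constructed simulation, not a real Consent Management Platform.

const TCF_VERSION = 2;                                              // __tcfapi version argument for TCF 2.x
const FINAL_EVENTS = new Set(['tcloaded', 'useractioncomplete']);   // states that carry a final TC string

// Pure policy check on a TCData object: vendor consent plus every required purpose.
function hasConsentFor(tcData, vendorId, purposeIds) {
  if (tcData.gdprApplies === false) return true;                    // out of GDPR scope: nothing to gate
  const vendorOk = Boolean(tcData.vendor && tcData.vendor.consents && tcData.vendor.consents[vendorId]);
  if (!vendorOk) return false;
  const purposes = (tcData.purpose && tcData.purpose.consents) || {};
  return purposeIds.every((id) => purposes[id] === true);
}

// Register a listener, wait for a final signal, decide, then unregister.
// onDecision receives { allowed, reason, eventStatus }.
function gateOnConsent(tcfapi, vendorId, purposeIds, onDecision) {
  tcfapi('addEventListener', TCF_VERSION, (tcData, success) => {
    if (!success || !tcData) {
      onDecision({ allowed: false, reason: 'cmp-error' });
      return;
    }
    if (!FINAL_EVENTS.has(tcData.eventStatus)) return;              // 'cmpuishown': user still deciding
    const allowed = hasConsentFor(tcData, vendorId, purposeIds);
    // Stop listening once decided; listenerId was assigned by the CMP at registration.
    tcfapi('removeEventListener', TCF_VERSION, () => {}, tcData.listenerId);
    onDecision({ allowed, reason: allowed ? 'consent' : 'no-consent', eventStatus: tcData.eventStatus });
  });
}

// Constructed stand-in for window.__tcfapi: just enough to exercise the listener flow.
function makeFakeCmp(initialTcData) {
  const listeners = new Map();
  let nextId = 0;
  let current = initialTcData;
  const api = (command, version, callback, parameter) => {
    if (version !== TCF_VERSION) return callback(null, false);
    if (command === 'addEventListener') {
      const id = nextId++;
      listeners.set(id, callback);
      callback({ ...current, listenerId: id }, true);               // CMPs reply at once with current state
    } else if (command === 'removeEventListener') {
      callback(listeners.delete(parameter));
    } else {
      callback(null, false);                                        // includes 'getTCData', removed in TCF 2.2
    }
  };
  // Simulate the user closing the consent dialog: every listener gets the new TCData.
  api.userDecides = (tcData) => {
    current = tcData;
    for (const [id, cb] of listeners) cb({ ...current, listenerId: id }, true);
  };
  return api;
}

// Stand-alone run: first-time visitor, CMP UI shown, then the user consents.
function demo() {
  const cmp = makeFakeCmp({ gdprApplies: true, eventStatus: 'cmpuishown',
                            purpose: { consents: {} }, vendor: { consents: {} } });
  let decision = null;
  gateOnConsent(cmp, 99, [1, 4], (d) => { decision = d; });
  cmp.userDecides({ gdprApplies: true, eventStatus: 'useractioncomplete',
                    purpose: { consents: { 1: true, 4: true } }, vendor: { consents: { 99: true } } });
  return decision;
}
console.log(demo());
```

The tag acts only on 'tcloaded' (a returning visitor with a stored decision) or 'useractioncomplete' (the dialog was just closed); firing on 'cmpuishown' would load the vendor before the user has decided, which is exactly what the consent-only basis in TCF 2.2 is meant to prevent.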

Benefits of TCF 2.2

Increased User Trust and Control

TCF 2.2 empowers users to make informed choices about their data by providing clear and transparent information about data processing activities. The enhanced user control and transparency measures can help build trust and improve brand reputation for publishers and advertisers.

Reduced Compliance Risks

Complying with TCF 2.2 can help publishers and vendors mitigate the risk of fines and penalties from data protection authorities for non-compliance with privacy laws like the GDPR. Adhering to the framework's requirements demonstrates a commitment to data protection and can strengthen overall compliance efforts.

Improved User Experience

The user-friendly language and real-life examples introduced in TCF 2.2 aim to improve the user experience by helping individuals understand the implications of their consent choices. This can lead to more informed decision-making and potentially higher consent rates.

Implementation and Use Cases

TCF 2.2 is relevant for publishers, advertisers, and vendors operating in the digital advertising ecosystem, particularly those targeting users in the European Economic Area (EEA) and the United Kingdom. Implementing TCF 2.2 is crucial for ensuring compliance with data protection laws and meeting user expectations for transparency and control over personal data.

Publishers and vendors must update their systems and processes to align with the new TCF 2.2 specifications by November 20, 2023. This may involve updating consent management platforms (CMPs), revising user interfaces, and training staff on the new requirements.

Comparison with Previous Versions

While TCF 2.2 builds upon the foundation laid by previous versions, it introduces significant changes to address evolving regulatory guidance and user expectations. Critical differences from TCF 2.1 include removing legitimate interest for advertising and content personalization, enhanced user information and transparency requirements, and standardized vendor disclosure obligations.

Conclusion

The introduction of TCF 2.2 represents a significant step forward in the digital advertising industry's efforts to prioritize user privacy, transparency, and control over personal data. TCF 2.2 aims to build trust, improve user experiences, and mitigate compliance risks for publishers and vendors operating in the digital advertising ecosystem by aligning with regulatory guidance and addressing user concerns.

https://iabeurope.eu/transparency-consent-framework/

Interactive Advertising Bureau (IAB)

The Interactive Advertising Bureau (IAB) has emerged as a leading industry organization dedicated to promoting growth, innovation, and best practices in the ever-evolving digital advertising landscape. Founded in 1996, the IAB has played a pivotal role in shaping the standards and guidelines that govern the online advertising ecosystem.

IAB's Mission and Objectives

The IAB's primary mission is to empower the media and marketing industries to thrive in the digital economy. To achieve this, the organization focuses on several key objectives:

  1. Developing Industry Standards: The IAB is at the forefront of creating and maintaining technical standards, guidelines, and best practices for digital advertising. These standards ensure consistency, interoperability, and transparency across the industry.

  2. Promoting Growth and Innovation: By fostering collaboration and knowledge-sharing among its members, the IAB aims to drive innovation and growth in digital advertising. This includes exploring new technologies, platforms, and business models.

  3. Advocating for Industry Interests: The IAB serves as a collective voice for the digital advertising industry, advocating for favorable policies and regulations that support its growth and development.

  4. Conducting Research and Education: The organization conducts extensive research and provides educational resources to help its members stay informed about industry trends, best practices, and emerging technologies.

Key Initiatives and Programs

Transparency and Consent Framework (TCF)

One of the IAB's most significant initiatives is the Transparency and Consent Framework (TCF), which aims to help publishers, advertisers, and technology vendors comply with data protection laws like the GDPR. The TCF provides a standardized approach to obtaining user consent for data processing and ensures transparency about how personal data is used for advertising purposes.

IAB Tech Lab

The IAB Tech Lab is a dedicated division focused on developing and maintaining technical standards for the digital advertising industry. It works on various projects, including the OpenRTB protocol for real-time bidding, the ads.txt initiative to combat ad fraud, and the VAST standard for video ad serving.

IAB Learning and Certification Programs

The IAB offers a range of learning and certification programs to help professionals in the digital advertising industry enhance their skills and knowledge. These programs cover programmatic advertising, data and analytics, and digital media sales.

Research and Thought Leadership

The IAB conducts extensive research and publishes reports, whitepapers, and case studies on various topics related to digital advertising. These resources provide valuable insights and data-driven analysis to help industry professionals make informed decisions.

Membership and Governance

The IAB is a membership-based organization whose members include publishers, advertisers, agencies, and technology companies. The organization is governed by a board of directors and various committees, ensuring that the interests of all stakeholders are represented.

Conclusion

The Interactive Advertising Bureau (IAB) has played a crucial role in shaping the digital advertising industry by developing standards, promoting innovation, advocating for industry interests, and providing educational resources. The organization drives transparency, interoperability, and best practices in the ever-evolving digital advertising landscape through initiatives like the Transparency and Consent Framework (TCF) and the IAB Tech Lab.

https://www.iab.com
https://iabeurope.eu

Google reCAPTCHA

Google reCAPTCHA Enterprise is an advanced bot and fraud detection service that helps protect websites from automated attacks and abuse. Implementing reCAPTCHA Enterprise can significantly improve your website's security and integrity.

Benefits of reCAPTCHA Enterprise

Some key benefits of reCAPTCHA Enterprise include:

  • Effective protection against bots, scraping, credential stuffing, fake account creation, and other attacks
  • Adaptive risk analysis engine that distinguishes humans from bots
  • Score-based system to assess risk levels of traffic
  • Integration with multi-factor authentication and other countermeasures
  • Detailed analytics into threats and suspicious activities
  • Ability to tune the service to your website's specific needs

By leveraging over a decade of experience defending websites, reCAPTCHA Enterprise provides robust protection tailored for enterprises.

Implementing reCAPTCHA Enterprise

To implement reCAPTCHA Enterprise:

  1. Create reCAPTCHA keys in the Cloud Console specific to your site. Choose score-based keys.
  2. Install the keys in your web app using the reCAPTCHA Enterprise JavaScript API. This allows for collecting user behavior signals.
  3. Integrate with your backend to verify reCAPTCHA tokens and create risk assessments.
  4. Interpret assessment scores to take appropriate actions, like allowing users with low-risk scores or requiring additional verification for risky traffic.
  5. Tune your site-specific model by annotating assessments to improve risk analysis accuracy.

With the JavaScript API handling user interactions and the backend verifying tokens, integrating reCAPTCHA Enterprise is straightforward.
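The server side of steps 3 to 5, as an added example (not Google's code and not from the original page): building the assessment request for a token posted by the browser, interpreting the returned token properties and score, and building the annotation request used for tuning. The project id, site key, API key and token are placeholders; the request and response shapes follow the public reCAPTCHA Enterprise REST API (projects.assessments.create and :annotate); the score thresholds are a constructed policy to be tuned per site; and the sample assessment is constructed so the block runs offline.

```javascript
// Added example, not Google's code: server-side handling of reCAPTCHA Enterprise
// assessments. Placeholders: project id, site key, API key, token. The request and
// response shapes follow the public REST API; thresholds are a constructed policy.

const API_BASE = 'https://recaptchaenterprise.googleapis.com/v1';

// Step 3: build the projects.assessments.create call for a token posted by the browser.
// The caller sends it (e.g. with fetch) from the backend; the API key never reaches the client.
function buildAssessmentRequest({ projectId, apiKey, siteKey, token, expectedAction }) {
  return {
    url: `${API_BASE}/projects/${projectId}/assessments?key=${encodeURIComponent(apiKey)}`,
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ event: { token, siteKey, expectedAction } }),
  };
}

// Step 4: interpret an assessment. Token checks run before the score: an invalid,
// replayed or mis-scoped token is a block however "human" the score looks.
function decideFromAssessment(assessment, { expectedAction, allowedHostnames, allowAtOrAbove = 0.7, blockBelow = 0.3 }) {
  const tp = assessment.tokenProperties || {};
  if (tp.valid !== true) return { verdict: 'block', reason: `invalid-token:${tp.invalidReason || 'UNKNOWN'}` };
  if (tp.action !== expectedAction) return { verdict: 'block', reason: 'action-mismatch' };
  if (Array.isArray(allowedHostnames) && !allowedHostnames.includes(tp.hostname)) {
    return { verdict: 'block', reason: 'hostname-mismatch' };
  }
  const ra = assessment.riskAnalysis || {};
  const score = typeof ra.score === 'number' ? ra.score : 0;       // missing score: treat as worst case
  if (score >= allowAtOrAbove) return { verdict: 'allow', score };
  if (score < blockBelow) return { verdict: 'block', score, reason: 'low-score', signals: ra.reasons || [] };
  return { verdict: 'challenge', score, signals: ra.reasons || [] }; // grey zone: step up, e.g. MFA
}

// Step 5: once the real outcome is known (the login later proved fraudulent, or legitimate),
// annotate the assessment so the site-specific model improves. `name` is the resource name
// returned by create: "projects/<project>/assessments/<assessmentId>".
function buildAnnotationRequest({ name, apiKey, annotation }) {
  const accepted = ['LEGITIMATE', 'FRAUDULENT'];                    // subset of the documented enum
  if (!accepted.includes(annotation)) throw new Error(`annotation must be one of ${accepted.join(', ')}`);
  return {
    url: `${API_BASE}/${name}:annotate?key=${encodeURIComponent(apiKey)}`,
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ annotation }),
  };
}

// Constructed sample response, shaped like a real assessment, so the block runs offline.
const SAMPLE_ASSESSMENT = {
  name: 'projects/example-project/assessments/constructed-id-123',
  tokenProperties: { valid: true, hostname: 'www.example.com', action: 'login', createTime: '2025-01-01T00:00:00Z' },
  riskAnalysis: { score: 0.9, reasons: [] },
};

function demo() {
  const req = buildAssessmentRequest({ projectId: 'example-project', apiKey: 'API_KEY_PLACEHOLDER',
                                       siteKey: 'SITE_KEY_PLACEHOLDER', token: 'TOKEN_FROM_BROWSER', expectedAction: 'login' });
  const decision = decideFromAssessment(SAMPLE_ASSESSMENT, { expectedAction: 'login', allowedHostnames: ['www.example.com'] });
  return { requestUrl: req.url, decision };
}
console.log(demo());
```

Checking action and hostname against what the backend expects closes the common gap where a token minted on one page (or one site) is submitted to another endpoint; the score alone does not catch that.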

Privacy Considerations

Critical considerations for Google reCAPTCHA Enterprise's privacy protection and GDPR compliance:

  1. Data processing: reCAPTCHA Enterprise commits to only processing customer data according to instructions, as outlined in Google's Data Processing Addendum and reCAPTCHA Enterprise Service Specific Terms.
  2. Data collected: Only hardware, software, and risk analysis data are collected. It is not used for personalized advertising or other purposes.
  3. Security measures: Google takes measures to protect customer data, as described in its Security White Paper.
  4. GDPR compliance: Google states reCAPTCHA Enterprise can assist customers in complying with GDPR requirements related to processing personal data. However, Wide Angle Analytics notes that using reCAPTCHA may still pose GDPR issues even with consent.
  5. Transparency: reCAPTCHA Enterprise provides visibility into what data is used for risk assessments. However, Arkose Labs notes that it lacks analytics and data insights compared to alternatives.
  6. Consent requirements: Sources disagree on whether reCAPTCHA Enterprise requires user consent under GDPR. Google says it does not, but FreePrivacyPolicy and Wide Angle Analytics argue consent is still required due to data collection.

In summary, while Google claims that reCAPTCHA Enterprise assists with GDPR compliance, there are still open questions about data collection, consent requirements, and transparency. Implementing reCAPTCHA Enterprise requires thoughtful privacy and compliance planning to bridge potential gaps. Comparing alternative CAPTCHA services more aligned with “privacy by design” principles may also be prudent.

https://cloud.google.com/recaptcha-enterprise/docs/faq

So, What About reCAPTCHA v2 and v3 and GDPR Compatibility?

There is no clear consensus on which reCAPTCHA version is most compatible with GDPR between v2, v3, and Enterprise. Here is a summary:

reCAPTCHA v2:
– Collects more user data than necessary, posing GDPR compliance issues related to data minimization and purpose limitation principles.
– Requires consent under GDPR, which undermines its effectiveness for spam protection.

reCAPTCHA v3:
– Arguably, it improves privacy compliance by eliminating user challenges but still collects user data and lacks transparency.
– Consent requirements remain unclear.

reCAPTCHA Enterprise:
– Google claims it assists with GDPR compliance, but experts note open questions about consent requirements and data collection.

Based on the unclear and conflicting guidance, there is no definitive recommendation on which reCAPTCHA version is most GDPR compliant. Organizations should carefully assess their specific use case, risk tolerance, and legal obligations when deciding which version to implement, if any.

GDPR Compliant CAPTCHA Services

Some popular GDPR-compliant CAPTCHA services:

  1. captcha.eu – A European CAPTCHA service that does not use tracking cookies or store personal data. It claims to be fully GDPR compliant.
  2. Friendly Captcha – An alternative to Google reCAPTCHA designed for GDPR compliance. It uses cryptography instead of tracking users or storing personal data.
  3. MTCaptcha – Claims its captcha plugin and admin portal are GDPR compliant. It does not record personally identifiable information and encrypts logs.

The key aspects that make these CAPTCHA services more GDPR compliant are:

  • Not using tracking cookies or pixels
  • Not storing or processing personally identifiable information
  • Encrypting any logs or data
  • Operating entirely within the EU with no data transfers outside
  • Offering transparency into data practices

https://cloud.google.com/security/products/recaptcha-enterprise
