On March 7, 2024, the European Court of Justice (CJEU) issued a landmark ruling on digital advertising and the concepts of personal data and joint controllership under the General Data Protection Regulation (GDPR).

The CJEU held that i) character strings used to express users’ preferences collected via the Transparency and Consent Framework (TCF) of Interactive Advertising Bureau Europe (IAB) constitute personal data under the GDPR and ii) IAB acts as a joint controller with TCF participants for the processing of users’ preferences. While the CJEU upheld a broad interpretation of the notions of personal data and joint controllership under the GDPR, it also limited the concept of joint controllership by requiring that a joint controller exercises influence over specific processing operations.

Background

IAB is a federation representing the digital advertising and marketing industry at the European level. IAB has been developing tools to help stakeholders in the digital advertising industry comply with EU data protection rules. The TCF is a framework composed of policies, technical specifications, and terms and conditions developed by the IAB, which companies can use to inform users and obtain their consent about their data processing operations. In particular, the TFC facilitates recording user preferences (e.g., whether the user has given consent to the processing and sharing of his personal data for advertising purposes). These user preferences are encoded and stored in a “Transparency and Consent String” (TC String) and can be shared with organizations participating in the TCF (i.e., website publishers, consent management platforms, and ad tech vendors). Hence, they know what the user has consented to or objected to.

In 2019, the Belgian Data Protection Authority (DPA) received four complaints regarding the conformity of the TCF with the GDPR. Other organizations and individuals filed five similar complaints in Ireland, Poland, and the Netherlands. Since IAB has its main establishment in Belgium, the DPA acted as the lead supervisory authority. The complaints alleged that the TCF did not comply with the GDPR principles of legality, appropriateness, transparency, purpose limitation, storage restriction and security, and accountability. In February 2022, the DPA found that IAB’s TCF violated the GDPR and required IAB to present an action plan to bring the TCF into compliance within two months. Upon IAB’s appeal, the Belgium Court referred the case to the CJEU to clarify the concepts of personal data and joint controllership.

Key Takeaways

• The TC Strings constitute Personal Data. The CJEU held that the character strings used in the TFC to express users’ preferences constitute personal data. According to the CJEU, any information constitutes personal data under the GDPR if it relates to an “identifiable” person, and it is sufficient if the person can be identified “indirectly” using reasonable means. While the CJEU noted that the TC String may not, on its own, allow for the identification of a user, it can do so when associated with an identifier (e.g., an IP address). The CJEU further considered it irrelevant that IAB did not hold such an identifier, but another party (e.g., its members or consent management platforms), as IAB had reasonable means at its disposal to obtain the identifier (i.e., according to the CJEU, IAB was able to require its members to provide it upon request with all information necessary to enable it to identify a user).
• IAB is a joint controller for the processing of users’ preferences with websites, application providers, data brokers, and advertising platforms. The GDPR provides that a controller is the entity that defines the purposes and the means of the processing. The CJEU held that:
  1. IAB is a controller for processing the TC String to record user’s consent preferences in a TC String for the following reasons:
     1. IAB has a decisive influence on the purpose of the processing activities operated in the context of the TCF as it drew up the framework and set out the requirements for participation in it (e.g., through TCF policy documents and technical specifications) and
     2. IAB defines the means of processing as it sets the technical specifications related to the processing of the TC String. In particular, these specifications define the contents, storage, and sharing of the TC String, how consent management platforms are required to collect users' preferences, and how these preferences must be considered in generating the TC String.
     3. The CJEU clarified that it is irrelevant that IAB does not process the data itself or that it does not have access to the TC String. 
  2. When users' consent preferences are recorded in a TC String, IAB is not the only data controller but rather acts as a joint controller with other organizations participating in the TCF (e.g., website publishers, consent management platforms, and ad tech vendors).
• IAB is not a joint controller for further processing. IAB cannot be considered a joint controller for personal data processing activities that occur after TCF participants record users' consent preferences in a TC String (e.g., digital advertising, audience measurement, content personalization). This is unless there is clear evidence that the IAB has influenced the decision-making regarding the objectives and methods of these subsequent processes. Such interpretation is welcome as it puts some limits to the broad interpretation given by DPAs to the concept of joint controllership.

Conclusion

The Belgian Court of Appeal is set to review the case, taking into account the CJEU's ruling. This forthcoming decision may be pivotal for the ad tech sector, particularly regarding the TCF, which many companies rely on to comply with EU data protection laws. At the same time, in response to the Belgian DPA's 2022 ruling, IAB implemented a preliminary action plan, potentially softening the impact of the Belgian Court of Appeal's upcoming decision. The IAB announced that it will shortly publish an in-depth analysis of the consequences of the CJEU ruling.

All stakeholders in the ad tech sector should consider proactively reviewing their compliance practices and staying attuned to the IAB's forthcoming analysis and the upcoming Belgian Court of Appeal decision. These developments are poised to significantly influence the operational and legal frameworks of digital advertising across Europe.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex digital regulation and privacy compliance. For more information, please contact Cédric Burton, Laura De Boel, Yann Padova, or Nikolaos Theodorakis.

Joanna Jużak and Sebastian Thess contributed to the preparation of this Alert.