The CJEU has issued its ruling in Case C-604/22 | IAB Europe.
Companies, brokers and advertising platforms, which represent thousands of advertisers, can bid in real time, behind the scenes, to acquire online advertising space to display advertisements which are tailored to a user’s profile. However, before such targeted advertisements can be displayed, it is necessary to obtain the user’s prior consent to the collection and processing of their personal data (concerning, for example, their location, age and search and recent purchase history) for purposes such as marketing or advertising, or with a view to sharing the personal information with certain providers. The user can also object to that collection and processing.
IAB Europe is a Belgian non-profit association which represents undertakings in the digital advertising and marketing sector at European level. IAB Europe has created a solution which it argues is compliant with the GDPR. Users’ preferences are encoded and stored in a string composed of a combination of letters and characters referred to as the Transparency and Consent String (TC String), which is shared with personal data brokers and advertising platforms so that they know what the user has consented or objected to. A cookie is also placed on the user’s device. When they are combined, the TC String and the cookie can be linked to that user’s IP address.
In 2022, the Belgian Data Protection Authority ruled that the TC String constitutes personal data under the GDPR and that IAB Europe had been acting as data controller without fully complying with the GDPR. The Belgian regulator imposed various corrective measures as well as an administrative fine. IAB Europe appealed that decision to the Belgian courts, which referred the case to the Court of Justice for a preliminary ruling.
In its judgment, the Court of Justice confirmed that the TC String contains information concerning an identifiable user and therefore constitutes personal data under the GDPR. Where the information contained in a TC String is associated with an identifier, such as the IP address of the user’s device, that information may make it possible to create a profile of that user and to identify him or her. The CJEU also said that IAB Europe must be regarded as a ‘joint controller’ under the GDPR. Subject to the verifications which are for the Belgian courts to carry out, IAB Europe appears to exert influence over data processing operations when the consent preferences of users are recorded in a TC String, and to determine, jointly with its members, both the purposes of those operations and the means behind them. However, the CJEU also said that without prejudice to any civil liability provided for under national law, IAB Europe cannot be regarded as a controller under the GDPR, in respect of data processing operations occurring after the consent preferences of users are recorded in a TC String, unless it can be established that IAB Europe has exerted an influence over the determination of the purposes and means of those subsequent operations.