Digital ad ruling by CJEU finds IAB Europe 'joint controller' for consent in TCF processing

The Court of Justice of the European Union has delivered its judgment in Case C-604/22 IAB Europe v Gegevensbeschermingsautoriteit, involving questions around the processing of personal data by IAB Europe, the digital marketing and advertising association, through the use of its Transparency and Consent Framework (TCF). The framework is employed across the online advertising industry, particularly in relation to targeted online advertising and real time bidding (RTB).

The CJEU said that – in contrast to how the TCF is currently set up – IAB Europe would need to be considered as a joint controller. However, the joint controllership only relates to the record of whether the user has consented (or not opted out) and does not extend to subsequent processing by website and app providers for online advertising purposes.

As a consequence, the TCF must be adapted and businesses using the TCF for online advertising purposes may need to implement changes to their cookie consent mechanism as well as their related policies and agreements.

Targeted online advertising

RTB is a method of targeting online advertising at website and app users. It involves advertisers bidding automatically for digital advertising space, and the ad of the winning bidder being displayed to an end user – all in the space of milliseconds. IAB Europe developed the TCF with the aim of allowing adtech companies involved in RTB to provide a level of transparency and establish a lawful basis for their processing in line with the requirements imposed by the General Data Protection Regulation (GDPR) and e-Privacy Directive.

"Cookie" banners are a familiar feature that pop-up when visiting a website or using an app – and many of these banners are based on the TCF. They aim to allow the user to express their preferences easily in relation to various advertising-related purposes. Under the TCF, once a user’s consent (or lack of it) and preferences are collected, the preferences are encoded and stored in a transparency and consent (TC) string, which is then shared with data brokers and platforms participating in RTB. When this happens, a cookie is placed on the user’s device, allowing the TC string to be linked with the cookie and the user’s internet protocol (IP) address.

Personal data dispute

Privacy campaigners in Belgium and other countries complained that the TCF involved unlawful processing of their personal data by IAB Europe. The Belgian Data Protection Authority agreed and fined IAB Europe. The decision was appealed by IAB Europe, which led to the Court of Appeal in Belgium asking the CJEU for clarification on how to interpret the GDPR in relation to the TC string and IAB Europe’s role in the data processing. With the CJEU having now given answers to the specific questions asked, the case will return to the Belgian court, which is bound by the CJEU's decisions and must apply them in reaching its final ruling.

The CJEU's ruling

Looking at its own case law, the CJEU said that "information" will relate to an end user where it is "linked" to an "identifiable person", which is someone who can be identified either directly or indirectly. Because identification can be indirect, it doesn't have to be the information itself that allows the person to be identified: personal data can be attributed to someone through the use of additional information. It is also not necessary that all the information enabling identification is in the hands of one party. Given that the TC string can be associated with the user's IP address, through which the user can be identified, the CJEU took the view that the TC string in combination with other data like the IP address constitutes personal data.

The CJEU also said that it is irrelevant that IAB Europe cannot itself access the personal data or combine the TC string with a user's IP address, given that its members have to, under IAB Europe's own rules, provide it with all the information allowing it to identify the users whose data are in the TC string in any event. By having this information, the CJEU said that the IAB Europe may have "reasonable means" of identifying someone from the TC String.

As for the question of the controller and joint controller, the CJEU emphasised that if IAB Europe has influence over the processing for its own benefit and determines the purposes and means of that processing it will be a controller. If two or more controllers jointly determine the purposes and means of processing, they will be joint controllers. They must each satisfy the definition of "controller", but a joint controllership does not necessarily mean that there is equal responsibility between or among them. In fact, they could each be involved at different stages of the processing and to different degrees. They also don't each have to have access to the personal data concerned.

The TCF was developed to promote and enable the buying and selling of advertising space online. It sets out rules relating to the processing of the TC string that IAB Europe's members have to accept in order to join. These members include TCF adtech vendors, TCF consent management platforms and publishers deploying TCF-compliant choice mechanisms to website or app users.

Given that IAB Europe prescribes the standardised manner in which those involved in the TCF can access users' preferences recorded in the TC string, it could be said that IAB Europe does exert influence over the processing for its own benefit and determines, with its members, the purposes of the processing. In that situation, it must be a joint controller under the GDPR, according to the CJEU. It remains unclear, however, whether such joint controllership relates to the numerous bilateral relationships between IAB Europe and each of its members or to one hollistic relationship, connecting all members of the network and IAB Europe.

However, the CJEU said that IAB Europe's joint controllership with its members does not extend to the subsequent processing carried out by those members or third parties, such as website or app providers, data brokers and advertising platforms, because (subject to the factual findings of the Belgian Court of Appeal) it appears that IAB Europe is not involved in that stage of processing. The CJEU, therefore, distinguished between the processing carried out by IAB Europe's members under the TCF and the processing that they (and other third parties) subsequently carry out, that is targeting advertising at users based on their preferences.

It is important to note that the CJEU has not ruled on whether the consent form provided by IAB Europe meets the legal requirements stemming from the GDPR, particularly regarding sufficient levels of transparency. This issue continues to be an ongoing challenge for entities participating in the TCF that act as controllers (for example, publishers and adtech vendors), since the data processing operations are complex and certain elements of IAB Europe’s consent wording cannot be amended (albeit they can be supplemented to a certain extent by a controller's own explanations).

Implications for adtech

Both sides in this case are claiming a win: IAB Europe interprets it as a finding that it has only a "limited role" in the TCF, as it is not a controller of subsequent data processing, and the Belgian DPA says that IAB Europe is a "(joint) controller of users' preferences for online advertising", as it had argued. Meanwhile, privacy campaigners are claiming that this decision undermines the current digital advertising status quo and that the industry will be forced to change profoundly.

The true effect of the decision won't be known until the Belgian Court of Appeal rules on the case. However, it is now known that the TC string combined with other data like an IP address constitutes personal data and that, despite not actually being involved in RTB or in digital advertising itself and simply being the party that developed the standards for the industry, IAB Europe is nonetheless a joint controller, at least in relation to the construction and use of the TC string, if not in relation to subsequent processing.

The CJEU's decision takes a particularly broad interpretation when a party can be said to "determine the purposes and means of the processing of personal data", particularly in an assessment of whether joint controllership under the GDPR arises. IAB Europe's role as a sector organisation providing a framework and setting technical standards was deemed sufficient here, despite the advertising association not itself accessing the personal data in question. This will be of particular interest to industry organisations carrying out similar roles in other sectors.

Osborne Clarke comment

As a consequence of the judgment, businesses that participate in the TCF that act as controllers (for example, publishers and adtech vendors) will need to:

• Amend the wording of their legal texts. Both the consent template wording shown to end users and all applicable data protection notices should refer to the TC string (including the storage of the user’s preferences) as a data category covered by the consent; and declare IAB Europe to be a joint controller together with the provider of the respective website.
• Conclude a joint controllership agreement in accordance with article 26 GDPR with at least IAB Europe. It is expected that IAB Europe will provide its members in the near future with its own template. It should be closely monitored whether or not the conclusion of a bilateral agreement between the business participating in the TCF and IAB Europe will be considered sufficient by the supervisory authorities or courts; and
• Provide users with the details of the essence of the joint control agreement (as per article 26(2) GDPR).

IAB Europe has already provided an action plan to the Belgian Data Protection Authority and, in practice, it may be the case that IAB Europe provides further details to members about how to approach each of the above in due course.