In March, the CJEU issued a ruling (Case C-604/22 IAB Europe) that has sparked a lot of discussion. The ruling addresses certain practices related to online advertising in Europe, particularly the collection of personal data for the purpose of behavioural advertising.
Facts of the case
The Interactive Advertising Bureau Europe (IAB Europe) is a non-profit association that represents digital advertising and marketing businesses at the European level. IAB Europe's members include companies that generate significant revenue by selling advertising space on websites or applications. Several years ago the association developed the Transparency & Consent Framework (TCF) to promote General Data Protection Regulation (GDPR) compliance when using the OpenRTB protocol (a popular system used for "real-time bidding", which means it quickly and automatically auctions off user information to buy and sell ad space on the internet). The TCF consists of guidelines, technical specifications, instructions, protocols, and contractual obligations. The framework is designed to ensure that when users access a website or application containing advertising space, technology businesses representing thousands of advertisers can instantly bid for that space using algorithms to display targeted advertising tailored to the individual's profile.
The TCF was presented as a solution to bring the auction system into compliance with GDPR (para. 21, 22). However, before displaying targeted advertisements, the user's prior consent must be obtained. When a user visits a website or application, a Consent Management Platform (CMP) appears in a pop-up window. The CMP enables users to give their consent to collect and process their personal data for pre-defined purposes, such as marketing or advertising, or to object to various types of data processing or sharing of data based on legitimate interests claimed by providers, as per Article 6(1)(f) of the GDPR. The personal data relates to the user's location, age, search history, and recent purchase history (para. 24). In other words, the TCF facilitates the capture of user preferences through the CMP. These preferences are coded and stored in a "TC string" (which is a combination of letters and characters), and then shared with organizations participating in the OpenRTB system, indicating what the user has consented or objected to. The CMP places a cookie on the user's device, and when combined with the TC string, the IP address of the user can identify the author of the preferences. Thus the TCF plays a crucial role in the architecture of the OpenRTB system as it is the expression of users' preferences regarding potential vendors and various processing purposes, including the offering of tailor-made advertisements (para. 25, 26).
Since 2019, the TCF model has faced numerous complaints to the Belgian Data Protection Authority (DPA) regarding its GDPR compliance. IAB Europe was criticized for providing users with information through the CMP interface that was too generic and vague, preventing users from fully understanding the nature and scope of data processing and thereby maintaining control over their personal data. Furthermore, IAB Europe was accused of failing to fulfil certain obligations of a data controller, including ensuring the lawfulness of processing, accountability, security, and adhering to the rules on data protection by design and by default (more details about the proceedings can be found on the DPA's website). Consequently, the DPA concluded that IAB Europe did not meet its GDPR obligations and imposed an administrative fine of €250,000. Additionally, it mandated corrective actions to align the TCF with GDPR standards.
IAB Europe disagreed with the decision and challenged it before the Belgian court. According to IAB Europe, it should not be considered a data controller for recording the consent signal, objection, and preferences of individual users through a TC string. Thus the association should not be obliged to follow data controllers' obligations under GDPR. IAB Europe also disagreed with the DPA's finding that the TC string is personal data within the meaning of Article 4(1) of the GDPR. Specifically, IAB Europe argued that only the other participants in the TCF could combine the TC String with an IP address to convert it into personal data, that the TC String is not specific to a user and that IAB Europe cannot access the data processed in that context by its members (para. 28).
CJ's ruling
The Court has confirmed the key aspects of the DPA’s decision, emphasizing, among other things, that:
1. the TC String holds information that pertains to an identifiable user and, thus, qualifies as personal data under Article 4(1) of the GDPR. Even if it doesn't contain any direct factors that allow the data subject to be identified, it does contain the preferences of a specific user relating to their consent to data processing. This information is considered to be related to a natural person (para. 43). If the information in a TC String is linked to an identifier, such as the IP address of the device, it could be possible to create a profile of that user and identify a particular person (para. 44). The fact that IAB Europe cannot combine the TC String with the IP address of a user's device and doesn't have direct access to the data processed by its members is irrelevant. As the Court stated, IAB Europe can require its members to provide it with the necessary information to identify the users whose data is being processed in a TC String (para. 48). This means that IAB Europe has reasonable means to identify a particular natural person from a TC String (para. 49).
2. IAB Europe, together with its members, is considered a 'joint controller' when it determines the purposes and ways of data processing. Why? According to the Court, the TCF framework aims to ensure that the processing of personal data by certain operators that participate in the online auctioning of advertising space complies with the GDPR. Consequently, it aims to promote and allow the sale and purchase of advertising space on the Internet by such operators. It means that IAB Europe has control over the personal data processing operations for its own purposes and, jointly with its members, determines the purposes of such operations (para. 62-64). Moreover, the TCF contains technical specifications relating to the processing of the TC String, such as how CMPs need to collect users' preferences, how such preferences must be processed to generate a TC String, etc. (para. 66). If any of IAB's members do not comply with the TCF rules, IAB Europe may adopt a non-compliance and suspension decision, which could result in the exclusion of that member from the TCF (para. 65). Therefore, the Court concluded that IAB Europe also determines the means of data processing operations jointly with its members (para. 68), so it meets the criteria of a data controller under Article 4(7) of the GDPR. However, this should not automatically make IAB Europe responsible for the subsequent processing of personal data carried out by operators and third parties based on information about the users' preferences recorded in a TC String (para. 74-76).
What could be the consequences of the ruling?
The Court confirmed that IAB Europe, due to the role and significant influence it has over the processing of data by its members for the purposes of creating user profiles and targeting them with personalized advertising, should be held responsible for how this process is organized. And it is organized in a way that is hardly transparent to users. While it is up to the national court to ultimately examine the compatibility of the Belgian DPA's decision, it can be expected that the court will affirm the main conclusions of the Belgian authority's decision.
It appears unlikely that the CJ's ruling will lead to the elimination of the intrusive pop-ups on many websites, which often rely on dark patterns and manipulative techniques to coerce consent for data processing for marketing purposes. Nevertheless, the advertising industry should place a greater emphasis on enhancing transparency and providing users with more control over their personal data. This could include the development of more user-friendly and informative consent mechanisms, making it easier for users to understand what they are consenting to and how to exercise their rights over their data. The ruling is also expected to impose further restrictions on behavioural advertising practices, particularly those dependent on real-time bidding and the widespread sharing of personal data without explicit, informed consent from users.