CJEU rules on the IAB's GDPR compliance and their Transparency & Consent Framework (TCF).
Derek Ray H.
GDPR compliance for the education sector. Service Design. CIPP/E candidate. Design Teacher.
(CJEU decision. 07 March 2024.) Written by Derek Ray Havelock.
IAB Europe, a non-profit association in Belgium representing the digital advertising sector, created the Transparency & Consent Framework (TCF) to help websites and applications legally process user data. This framework aims to ensure GDPR compliance during Real Time Bidding (RTB), a system for buying and selling online advertising space through instant auctions based on user profiles. The TCF facilitates the exchange of personal data by using a Consent Management Platform (CMP) that collects user consent for data processing for marketing or advertising purposes.
However, for targeted advertisements to be displayed, user consent is required. Upon first visiting a site, a CMP pop-up allows users to consent to or object to data processing. User preferences are encoded in a Transparency and Consent String (TC String), shared with data brokers and advertising platforms. This process involves placing a cookie on the user's device, linking the TC String and the cookie to the user's IP address, aiding in targeted advertising.
Since 2019, the Belgian Data Protection Authority (DPA) has received complaints about the TCF's GDPR compliance. After investigation, the DPA deemed IAB Europe a data controller responsible for managing consent signals and imposed corrective measures and a fine. IAB Europe contested this, arguing that the TC String does not specifically identify users and that it lacks access to data processed by its members.
The CJEU judged that a TC String is "not precluded" from constituting personal data.
The CJEU determined that GDPR Article 4(1) “must be interpreted as meaning that a string composed of a combination of letters and characters, such as the TC String (Transparency and Consent String), containing the preferences of a user of the internet or of an application relating to that user’s consent to the processing of personal data concerning him or her by website or application providers as well as by brokers of such data and by advertising platforms constitutes personal data within the meaning of that provision in so far as, where those data may, by reasonable means, be associated with an identifier, such as the IP address of that user’s device, or if they allow the data subject to be identified. In such circumstances, the fact that, without an external contribution, a sectoral organisation holding that string can neither access the data that are processed by its members under the rules which that organisation has established nor combine that string with other factors does not preclude that string from constituting personal data within the meaning of that provision.”
The CJEU also determined that Articles 4(7) and 26(1) must be interpreted as: first, “a sectoral organisation, in so far as it proposes to its members a framework of rules that it has established relating to consent to the processing of personal data, which contains not only binding technical rules but also rules setting out in detail the arrangements for storing and disseminating personal data relating to such consent, must be classified as a ‘joint controller’ for the purpose of those provisions where, in the light of the particular circumstances of the individual case, it exerts influence over the personal data processing at issue, for its own purposes, and determines, as a result, jointly with its members, the purposes and means of such processing. The fact that such a sectoral organisation does not itself have direct access to the personal data processed by its members under those rules does not preclude it from holding the status of joint controller for the purpose of those provisions”;
And secondly, “the joint controllership of that sectoral organisation does not extend automatically to the subsequent processing of personal data carried out by third parties, such as website or application providers, with regard to users’ preferences for the purposes of targeted online advertising”.