Tech & Sourcing @ Morgan Lewis


The European Court of Justice (CJEU) recently issued a significant final decision affecting the online advertising industry, particularly concerning the Transparency and Consent Framework (TCF) developed by the Interactive Advertising Bureau (IAB) Europe. This framework is widely used across the industry to manage users' consent preferences for data processing, known as the Transparency and Consent String (TC String). In essence, the TCF is designed to facilitate the buying and selling of online advertising space by these operators. Here's a breakdown of the court's ruling and its potential implications.

Key Findings of the CJEU

  • TC String is personal data: The CJEU ruled that the TC String, which records user consent preferences, qualifies as “personal data” under the General Data Protection Regulation (GDPR). This classification hinges on the fact that the TC String, often linked with identifiers like IP addresses, can be used to profile and identify users. The CJEU states that “where the information contained in a TC String is associated with an identifier, such as, inter alia, the IP address of the user’s device, that information may make it possible to create a profile of that user and to identify him or her” (at 44).
  • IAB Europe's role as joint controller: The CJEU found that IAB Europe acts as a "joint controller" of the TC String. This means IAB Europe shares responsibility for managing this data, alongside its members, up to the point where user preferences are recorded. The CJEU states that the “fact that such a sectoral organisation does not itself have direct access to the personal data processed by its members under those rules does not preclude it from holding the status of joint controller for the purpose of those provisions” (at 77).
  • Limitations on IAB Europe's controller role: Interestingly, the court specified that IAB Europe's role as a controller does not extend to subsequent data processing activities after the initial recording of consent preferences because it “does not appear to involve the participation of IAB Europe” (at 75). Therefore, IAB Europe isn't responsible under the GDPR for how this data is used by others post-collection, unless IAB Europe “has exerted an influence over the determination of the purposes and means of that processing”—which is for the lower court in Belgium to determine.

Background of the Decision

This decision follows a referral from a Belgian court amidst IAB Europe's appeal against a penalty imposed by the Belgian data protection authority, which fined IAB Europe €250,000 for noncompliance with the GDPR.

Potential Consequences and Broader Implications

The ruling has considerable implications for the digital advertising sector:

  • Joint controller agreements: Entities using the TC String may need to establish joint controller agreements to clarify all responsibilities and compliance obligations under the GDPR and beyond.
  • Potential applicability beyond TC String: The principles outlined could also apply to other similar data strings and technologies in the digital advertising ecosystem, suggesting a broader impact on data management practices across the industry.

In conclusion, the CJEU's decision underscores the importance of compliance with GDPR standards in the European digital advertising industry. It highlights the need for clear agreements and responsibilities among parties involved in data processing. While IAB Europe and its members navigate these new requirements, the ruling also serves as a critical reminder for all stakeholders to rigorously assess and adapt their data-handling practices to ensure they meet regulatory expectations.