The CJEU's decision follows questions for a preliminary ruling referred by the Brussels Court of Appeal (BCA), before which an appeal was brought by IAB Europe, a non-profit association representing undertakings in the digital advertising and marketing sector at the European level. IAB Europe had developed a solution using a “Transparency and Consent String” (TC String) to encode and store users' preferences for targeted advertising, allowing advertisers to know what users have consented or objected to. Google, Amazon, Microsoft, TikTok, and many other tracking-based online advertising companies rely on IAB Europe’s Transparency & Consent Framework (TCF Framework).

IAB Europe appealed against the BCA’s decision on its TCF Framework, prompting the BCA to seek clarity from the CJEU on whether the TC String constitutes personal data under the GDPR, and whether IAB Europe acts as a data controller and should therefore be held accountable for not fully complying with its obligations under the GDPR.

The CJEU’s ruling provided the following key findings:

• TC Strings as personal data: The CJEU confirmed that TC Strings (digital signals containing user preferences) contain information about an identifiable user and should therefore be considered personal data under the GDPR. Crucially, the CJEU notes that when the information in the TC String is linked to an identifier, such as the user's IP address, it can potentially be used to create a user profile, leading to identification.
• IAB Europe as a joint controller: The CJEU confirmed that IAB Europe should be viewed as a joint controller with TCF participants, due to its participation in determining detailed requirements for the TC String – even if it does not in fact interact with the relevant TC Strings. The association's influence over data processing operations, particularly in recording consent preferences in a TC String, was deemed significant in determining the purposes and means behind these operations.
• No joint controllership for IAB in respect of subsequent processing: By contrast to the above, the CJEU clarified that the IAB Europe cannot be considered a joint controller for data processing operations occurring after  consent preferences are recorded in a TC String, such as digital advertising, audience measurement, or content personalisation, unless it is established that IAB Europe exerted influence over determining the purposes and means of those subsequent operations.

Implications for the digital advertising industry

The CJEU's ruling on the IAB Europe case is a significant development for the multiple participants relying on IAB Europe’s TCF framework. The ruling sets a significant precedent for the liability of entities involved in data processing operations within the digital advertising landscape, noting the general direction of regulation looking to impose greater accountability for personal data in the field of targeted advertising.

Advertisers, brokers, and platforms operating within the EU and relying on the TCF Framework must, if not already doing so, look to expand their privacy programmes to cover the activities taking place on the basis of the TCF Framework.

The full text of the CJEU’s judgment can be found here.

The CJEU’s press release can be found here.