IAB Europe is a controller (CJEU judgment)

On 7 March 2024, the CJEU ruled that IAB Europe is both an controller and a joint controller in the operation of the well-known "cookie bar". What does this mean for us?

What does the judgment cover?

It concerns the entire "Transparency Consent Framework"-and thus the entire ecosystem of thousands of websites and partners that rely on consents collected through the famous cookie bar ("TCF"). The entire ecosystem is better known as a simple cookie bar interface that typically mentions hundreds of partners in marketing consents. Simply put, if you consent to cookie bar marketing via the IAB cookie bar, you have likely given consent to hundreds of other companies that are part of the ecosystem. Thanks to TCF, these companies can verify whether or not they can target advertising to your device. So, you've probably already seen an ad on social media because you've consented to that company's marketing on another site. However, the judgment is not about the legality of consent and the legality of the dissemination of such advertising, but rather about TCF itself and IAB Europe's position within it.

The judgment was preceded by a 2022 decision by the Belgian supervisory authority in which IAB Europe was fined EUR 250k for:

• As a controller, IAB Europe did not have a legal basis for its own processing of personal data (both TC String and TCF) and the legal basis (consent) for further processing (ad targeting) was insufficient;

• It did not have a Data Protection Officer (DPO), records of processing activities  and did not carry out an impact assessment (DPIA);

• The information obligation of the controller was not fulfilled (Art. 13 GDPR, see also CJEU judgment in Planet 49 GmbH);

• Failed to take adequate organizational measures to ensure accountability, security and privacy by design/default.

IAB Europe should have provided remedies within two months. In this respect, we refer to the FAQs published and regularly updated by the IAB on this issue.

What preliminary questions have been addressed by the CJEU?

The CJEU was in fact asked to answer three separate questions, namely whether:

1. The so-called "TC String" constitutes processing of personal data and whether IAB Europe is its controller;

2. The entire TCF constitutes a processing of personal data in which IAB Europe is a joint controller under Article 26 GDPR with the web controllers;

3. Whether IAB Europe's joint responsibility extends to the subsequent targeting of advertising by ecosystem partners.

The answers are yes, yes, and no - but the third answer has yet to be fully answered by the Belgian court.

What is TC String?

A TC String is a code string or information about whether a specific person (or device) has given consent or not. The IAB Europe argued that the TC String itself does not contain any information that directly or indirectly identifies a specific person and argued that it does not constitute processing of personal data. The connection is in fact possible via the IP address obtained and stored by the euconsent-v2 cookie, used as part of the cookie bar functionality. IAB Europe argued that the link between TC String and cookie cannot be made by IAB Europe itself but only by TCF users. The CJEU rejected similar reasoning in principle and upheld a broad definition of personal data. The Court of Justice answered the first question referred for a preliminary ruling:

"It follows that TC String is personal data within the meaning of Article 4(1) GDPR. In that context, it is irrelevant that such a sectoral organisation cannot have access to the data processed by its members within the framework of the rules laid down by it, nor can it combine the TC String with other identifiers, such as, in particular, the IP address of the user's device, without external input, which it has the right to require."

Is IAB Europe a joint controller?

According to the Court, yes, similar to Facebook in relation to "Facebook Insights". What is interesting about the reasoning of the judgment in this regard is the fact that the Court did not consider the overall objective or purpose of TCF. While IAB Europe says that the purpose of TCF is to ensure compliance with the GDPR when collecting consent, the Court said something different:

"...the TCF framework established by IAB Europe constitutes a framework of rules designed to ensure compliance with the GDPR in the processing of a website or app user's personal data carried out by certain entities participating in online auctions of advertising space."

"Under these conditions, TCF's objective is essentially to promote and facilitate the sale and purchase of advertising space on the Internet for the aforementioned entities."

That said, while this is a solution to ensure compliance with GDPR in obtaining consent, it is also intended to encourage and enable the sale and purchase of ad space. In relation to these purposes, according to the Court, IAB Europe is a joint controller together with the controllers of the websites that operate the bar in question. The boundary of where the relationship of joint controllers ends and begins is not entirely clear. This was also the case after the judgment in relation to Facebook Insights. Facebook almost immediately published a so-called "joint controllers addendum", where it clearly described the boundaries in question. The possible boundaries are only hinted at in the Court's answer to the third question:

"Moreover, in response to the doubts expressed by this Court, it must be excluded that the potential joint liability of this industry body (IAB Europe) automatically extends to other processing of personal data carried out by third parties, such as website or app providers, in respect of users' preferences for the purposes of targeted online advertising."

This means that if companies are already targeting advertising on the basis of IAB consents, they are already acting as independent controllers. However, even here, the Belgian national court may still rule that there is a joint controller relationship. The Court of Justice has ordered it to examine this question.

What does this mean?

It means that, like Facebook/Meta, IAB Europe can have three different statuses at the same time:

1. Sole Controller for TC String;

2. a joint controller for the other TCF operations; and

3. possibly still a processor, for all other processing operations (such as targeting advertising based on consent obtained).

How the legal bases of the controllers are re-aligned will depend on this new status.

What practical steps need to be taken?

It will be necessary to modify the so-called cookie /privacy policies of each site that uses TCF. This information today does not assume that IAB Europe or its "subsidiary" organization is a joint controller. The controller has its own purposes and must inform data subjects about them, ideally before obtaining their data (Art. 13 GDPR) or later (Art. 14 GDPR). IAB Europe should conclude a joint controllers agreement with the website controllers according to Art. 26 GDPR, and provide the essential parts of it to the data subjects. This can practically only be done through cookie policies of websites where the IAB solution is deployed or through cookie bars. This means that IAB Europe will need the cooperation of its clients to ensure that these steps are secured across the board. It would be advisable for sites themselves to proactively communicate these changes, as system changes can take months if not years to implement.

Is each cookie bar a joint controller?

No. These conclusions only apply to TCF, due to the fact that it is an ad targeting ecosystem. A regular cookie bar that does not share data with hundreds and thousands of ecosystem partners will obviously not be a joint controller. Cookie bars can be "on-premise" solutions where there is no data sharing with their providers. However, data sharing may occur where the provider of the solution is typically in the role of an data processor.

What is the nature of the IAB's euconsent v-2 cookie?

The Court has not, of course, thought about these questions, but the judgment may have huge implications in this respect. Namely, until now, this cookie has been considered as a necessary or technical cookie, as is typical for cookies that remember allowed settings or consents. But the Court made clear that TCF's purpose is to encourage and enable the sale and purchase of advertising space. Of course, if the euconsent v-2 cookie were considered advertising, consent would be required to impose it itself! And a different and earlier one than is obtained through it. However, it is clear that without this cookie the whole TCF solution cannot technically work. It will therefore be interesting to see how the nature of this cookies is dealt with by the Regulatory Authority or the Data Protection Authority, as the case may be.

Jakub Berthoty

Dagital Legal.