The Court of Justice of the EU has found that information recording users’ consents and marketing preferences held within IAB Europe’s system for auctioning data for advertising purposes constitutes personal data, and for which IAB Europe is a joint data controller, under GDPR.

As explained in the Court’s press release, when a user consults a website or application containing advertising space, companies, brokers and advertising platforms – which represent thousands of advertisers – can bid in real time, behind the scenes, to acquire that advertising space in order to display advertisements there which are tailored to the user’s profile. However, before such targeted advertisements can be displayed, it is necessary to obtain the user’s prior consent to the collection and processing of his or her data (concerning, for example, his or her location, age and search and recent purchase history).

IAB Europe, a body based in Belgium representing the EU digital advertising sector, offers a solution, the Transparency and Consent Framework, which encodes and stores users’ advertising preferences in a string composed of a combination of letters and characters (“Transparency and Consent String” or “TC String”), which is shared with personal data brokers and advertising platforms so that they know to what the user has consented or objected. A cookie is also placed on the user’s device.  According to the Press Release, when they are combined, the TC String and the cookie can be linked to that user’s IP address.  IAB Europe considers that its framework ensures the bidding system is GDPR-compliant.

In a reference from the Belgian court for a preliminary ruling on certain questions, the Court of Justice of the EU has confirmed that it agrees with the findings of the Belgian Data Protection Authority, namely that the TC String contains information concerning an identifiable user and therefore constitutes personal data within the meaning of the GDPR. Where the information contained in a TC String is associated with an identifier, such as the IP address of the user’s device, that information may make it possible to create a profile of that user and to identify him or her. It is not relevant whether IAB Europe can itself combine this information to profile users; it is enough that it is in possession of means reasonably likely to identify those users on the basis that it is able to demand access to some of its members’ TC String information.

Further, IAB Europe must be regarded as a “joint controller” within the meaning of the GDPR, even when it has no access to the data concerned. Subject to the verifications which are for the Belgian court to carry out, IAB Europe appears to exert influence over data processing operations when the consent preferences of users are recorded in a TC String, and to determine, jointly with its members, both the purposes of those operations and the means behind them. However, IAB Europe cannot be regarded as a controller, within the meaning of the GDPR, in respect of data processing operations occurring after the consent preferences of users are recorded in a TC String (e.g. digital advertising, audience measurement or content personalisation).

On its website, IAB Europe states that it welcomes the ruling which provides clarity over the concepts of personal data and joint controllership.

For more information, click here.