Luxembourg, 7 March 2024
PRESS RELEASE No 44/24
Auctioning of personal data for advertising purposes: the Court of Justice clarifies the rules under the GDPR
When a user consults a website or application containing advertising space, companies, brokers and advertising platforms, which represent thousands of advertisers, can bid in real time, behind the scenes, to acquire that advertising space in order to display advertisements there which are tailored to the user’s profile (Real Time Bidding).
However, before such targeted advertisements can be displayed, it is necessary to obtain the user’s prior consent to the collection and processing of his or her data (concerning, for example, his or her location, age and search and recent purchase history) for purposes such as, inter alia, marketing or advertising, or with a view to sharing those data with certain providers. The user can also object to that collection and processing. IAB Europe is a non-profit association established in Belgium which represents undertakings in the digital advertising and marketing sector at European level. IAB Europe has drawn up a solution which it presents as being capable of bringing that auction system into conformity with the GDPR1.
Users’ preferences are encoded and stored in a string composed of a combination of letters and characters referred to as the ‘Transparency and Consent String’ (TC String), which is shared with personal data brokers and advertising platforms so that they know to what the user has consented or objected. A cookie is also placed on the user’s device. When they are combined, the TC String and the cookie can be linked to that user’s IP address. In 2022, the Belgian Data Protection Authority held that the TC String constitutes personal data within the meaning of the GDPR and that IAB Europe had been acting as data controller without fully complying with the requirements of the GDPR. That authority imposed on it a number of corrective measures as well as an administrative fine. IAB Europe is contesting that decision and has brought an action before the Brussels Court of Appeal, which has referred questions to the Court of Justice for a preliminary ruling.
In its judgment, the Court of Justice confirms that the TC String contains information concerning an identifiable user and therefore constitutes personal data within the meaning of the GDPR. Where the information contained in a TC String is associated with an identifier, such as, inter alia, the IP address of the user’s device, that information may make it possible to create a profile of that user and to identify him or her.
Furthermore, IAB Europe must be regarded as a ‘joint controller’ within the meaning of the GDPR. Subject to the verifications which are for the referring court to carry out, that association appears to exert influence over data processing operations when the consent preferences of users are recorded in a TC String, and to determine, jointly with its members, both the purposes of those operations and the means behind them. That said, and without prejudice to any civil liability provided for under national law, IAB Europe cannot be regarded as a controller, within the meaning of the GDPR, in respect of data processing operations occurring after the consent preferences of users are recorded in a TC String, unless it can be established that that association has exerted an influence over the determination of the purposes and means of those subsequent operations.
NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Source – EU Court of Justice – Email