Update Data Protection No. 174

Attention online marketers: New ECJ ruling on the IAB TCF

On March 7, 2024, the ECJ dealt with the IAB TCF for the first time. The ruling is quite explosive and has consequences for all online marketers: On the one hand, the ECJ established the personal nature of the TC string and, on the other, the joint responsibility of all players involved in online marketing for the data processing that takes place in the context of the TC string.

What is the IAB TCF?

The "Transparency and Consent Framework" ("TCF") of the Interactive Advertising Bureau ("IAB") is an industry standard in online marketing. The rules contained in the TCF for various players in online marketing serve to ensure compliance with data protection law, in particular the GDPR. You can find more information on the current IAB TCF 2.2 and its predecessors in our updates no. 155, no. 131, no. 128 and no. 76.

How did the ECJ decision come about?

In spring 2022, the Belgian data protection supervisory authority declared various practices of the IAB TCF 2.2 to be contrary to the GDPR. The IAB took legal action against this decision. The competent Brussels Court of Appeal referred the case to the ECJ for a preliminary ruling. The ECJ's ruling concerns the questions of whether the TC string in connection with an IP address constitutes personal data and, if so, whether IAB Europe qualifies as a data controller under data protection law, in particular with regard to the processing of the TC string. The TC-String is a string of characters generated by a Consent Management Platform ("CMP") to store and share a user's consent or refusal for various online marketing purposes and providers. A CMP is software that helps website operators to provide the necessary information about data processing in the context of online marketing and to obtain and manage the consent or refusal of users.

What was the ECJ's position?

Personal data: According to the ECJ, the TC-String is personal data. The court justifies this view by stating that information contained in the TC-String makes it possible to link the TC-String to the IP address of a user's device and thereby identify the data subject. Within the logic of the ECJ's case law on when data relates to a person, this justification appears consistent, as it is sufficient under Art. 4 No. 1 GDPR that a data subject is identifiable. The fact that the IAB itself cannot combine the TC string with the IP address of a user's device or access the processed data does not rule out classification as personal data. This is also a consistent continuation of the ECJ's "Breyer" case law from 2016, in which the court ruled that not all information required to identify a person must be in the hands of a single person.

What the ECJ did not consider, however, is that an IP address can be assigned to a connection owner only in the rarest cases, where a criminal offense is involved, and only with the help of the police and public prosecutor's office, as only the law enforcement authorities can obtain the relevant information from the respective internet provider. Even then, the result is a connection owner and not a person; further investigations must be carried out for that. In the "Breyer" case from 2016, the IP addresses were also stored in the server log files at least for the purpose of detecting and preventing hacker attacks, so that there was at least a vague link to a criminal offense and criminal prosecution. This is not the case here, as the storage of the TC string data, including an IP address, in no way serves to prevent and prosecute criminal offenses. The ECJ could also have taken into account the fact that many online marketing processes do not require a person to be identified.

The ECJ's reasoning is therefore not valid in this respect. Unfortunately, this changes nothing for legal practice, which must continue to live with the very broad understanding of personal data in case law. Every website operator who integrates a CMP in accordance with the IAB TCF must in future assume that the TC string generated by the CMP is personal data in its entirety.

Joint controllership: With regard to data protection liability, the ECJ ruled that IAB Europe is jointly responsible with the other parties involved in the processing of the TC-String. According to Art. 4 No. 7 GDPR and Art. 26 para. 1 sentence 1 GDPR, such joint controllership requires that the actors jointly decide on the means and purposes of the data processing. The ECJ sees the joint decision on the purposes of processing in the fact that the TC-String creates a regulatory framework to ensure that the processing of personal data of a data subject in online marketing complies with the GDPR. For the ECJ, the joint decision on the means of processing results from the fact that the parties involved in online marketing carried out by processing the TC-String agree to comply with the regulatory framework of the IAB TCF. This applies in particular to the IAB itself, as it has the option to exclude individual actors from participating in the IAB TCF.

In its ruling, the ECJ only defined data protection responsibility for the data processing associated with the TC string. This essentially includes information on the granting of consent by the data subject or the data subject's objection to data processing. According to the ECJ, the IAB is not jointly responsible for further processing such as the transfer of this data to third parties or the display of personalized advertising.

Does joint responsibility only apply to IAB members?

The ECJ's ruling primarily focuses on the IAB's (joint) responsibility under data protection law. However, it cannot be ruled out that the ruling could also be transferred by data protection supervisory authorities and courts to all other areas of online marketing in which several players come together to process data jointly under a uniform set of regulations. The ECJ ruling is not clear in this respect.

What are the consequences of the ruling?

The consequence of the joint controllership of several IAB members is that they must conclude an internal agreement on their joint controllership in accordance with Art. 26 para. 1 sentence 2 GDPR. In this agreement, they must specify in particular who ensures compliance with which GDPR obligations and how the information obligations and data subject rights are fulfilled. It is expected that the IAB will provide a template for a corresponding internal agreement in the future.

As joint controllers, IAB members face new risks: According to Art. 26 para. 3 GDPR, they can be held liable by data subjects for the fulfillment of all data subject rights. Pursuant to Art. 82 para. 4 GDPR, they may even be required to pay compensation if a joint controller commits a data protection breach. In this respect, it is advisable to communicate regularly with all other IAB stakeholders involved and to protect yourself by means of a well thought-out contract.

The consequence of the TC-String being personal data is that the lawfulness of all data processing relating to the TC-String must be checked. If such processing is based on consent, the formulation of a transparent declaration of consent poses a particular challenge. The entire topic will probably also have to be mentioned in data protection declarations in future in order to meet the requirements of Art. 13 GDPR.

Ultimately, two things remain to be seen: the further course of the court proceedings in Belgium and the reaction of the IAB. In this respect, it is to be expected that the Belgian Court of Appeal will agree with the ECJ's statements. As the IAB has welcomed the ECJ ruling, no further appeals are to be expected.

Overall, the ruling should accelerate the long-observed trend in online marketing of replacing commissioned processing (controller-processor arrangements) with joint controllership.
