CJEU rules on joint controllership in TCF marketing related data processing

On 7 March 2024, the Court of Justice of the European Union ("CJEU") has issued a preliminary ruling on joint controllership and the definition of personal data. The CJEU held in "IAB Europe" (C-604/22) that IAB Europe and its members are joint controllers with respect to the processing of Transparency and Consent Framework ("TCF") related marketing data. It also considered TC strings as personal data.

IAB Europe is an European level association for the digital marketing and advertising ecosystem. It provides TCF solutions for publishers, advertisers and vendors. TCF is a GDPR consent solution to obtain and manage consent for the use of targeted advertising cookies in the EU. It mainly facilitates the use of cookies in connection with the OpenRTB protocol. The OpenRTB protocol enables advertisers to place bids in real time on digital advertising spaces (e.g., website or app). The ad of the winning bidder is automatically displayed to the profile of the website or app user. TCF provides a consent management tool to a user on its first website or app visit to obtain such consent and enables the user to object to certain processing activities based on the ad tech vendors' legitimate interests. IAB Europe stores the user's preferences as a combination of letters and characters for each user (the "TC string") and shares it with personal data brokers and advertising platforms participating in the OpenRTB protocol, so that they know to what the user has consented or objected. It also places a cookie on the users device that links the TC string to the user's IP address.

The CJEU considered the TC string to be personal data. The CJEU referred to its Breyer decision (C-582/14), arguing that "all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly" are pertinent to determine whether a person is identifiable. The CJEU considered that IAB Europe has the reasonable means to identify the natural person. In the court's view, IAB Europe could create user profiles based on the TC string information and the linked personal identifiers, such as the IP address of a user's device.

The CJEU held that IAB Europe exercises influence over the personal data processing operations under the TCF and thus determines – jointly with its members (TCF adtech vendors and TCF consent management platforms users) – the purposes of the processing. In particular, IAB Europe sets out rules for the processing of the TC string that IAB Europe members have to accept in order to join. 

However, the CJEU held that the joint controllership does not extend to the subsequent processing of targeting advertisement at users carried out by IAB Europe members or third parties, such as website or app providers. According to the factual findings of the Belgian court, IAB Europe is not involved in data processing on that stage.

In consequence of the judgment, businesses that participate in the TCF must amend their privacy notice and other legal texts as well as conclude a joint controllership agreement with IAB Europe. We expect that IAB Europe will provide its members such agreement soon.