IAB Europe's Ad Consent Popups Pose Privacy Problem

Online popup solicitations that seek consent for targeted ads in Europe represent personal information, according to the Court of Justice of the European Union (CJEU) – a decision characterized as either a "mortal wound" for online ad tracking, or a welcome clarification, depending on whom you ask.

On Thursday, the CJEU upheld and clarified a 2022 decision from the Belgian Data Protection Authority (APD) that the identifiers used to record responses to popup consent solicitations under IAB Europe's Transparency and Consent Framework (TCF) qualify as personal information.

The TCF plays a role in the Real-Time Bidding (RTB) system used to deliver targeted ads over the internet. It's essentially a standard way to present popup requests for consent to be tracked.

And RTB, it's argued, conflicts with Europe's GDPR and ePrivacy Directive. "RTB exposes the personal data of internet users to large numbers of companies without any means of control over what happens to that data," explained Johnny Ryan, from the Irish Council for Civil Liberties (ICCL), and Cristiana Santos, of Utrecht University, in a 2022 academic paper. "This is a security problem and is irreconcilable with the European legal requirement that processing of personal data must be secure, accountable, and transparent."

RTB is the process by which online ads get auctioned at high speed. It includes transmitting an identifier known as the Transparency and Control String (TC String) from web browsers to participating advertisers. These auctions broadcast personal data (what the person is viewing online or where they are located), according to Ryan and Santos, but lack security controls.

The APD determined that the TC String identifier amounts to personal information under Europe's General Data Protection Regulation because it can be used to link advertising preferences to an individual through an HTTP cookie and an IP address.

The APD also found that IAB Europe – the industry trade group that developed the framework – had been acting as the data controller under GDPR, raising the possibility of legal liability for privacy violations.

IAB Europe appealed the APD decision [PDF], and now the CJEU has sided with the APD.

• Meta sued by privacy group over pay up or click OK model
• Europe bans Meta from using personal data to target ads
• Privacy advocate challenges YouTube's ad blocking detection scripts under EU law
• France says non to Office 365 and Google Workspace in school

"In its judgment, the Court of Justice confirms that the TC String contains information concerning an identifiable user and therefore constitutes personal data within the meaning of the GDPR," the CJEU declared in a statement [PDF]. "Where the information contained in a TC String is associated with an identifier, such as, inter alia, the IP address of the user's device, that information may make it possible to create a profile of that user and to identify him or her."

The CJEU also ruled that IAB Europe qualifies as the "joint controller" under GDPR, but not the sole controller.

The case now heads back to the Brussels Markets Court, which will "resume its examination of IAB Europe's substantive arguments in line with the answers provided by the CJEU," as IAB Europe put it. A final decision is not expected for several months.

"People across Europe have been plagued by fake 'consent' popups every day on almost every website and app since the GDPR was introduced almost six years ago," lamented Johnny Ryan, of the Irish Council for Civil Liberties, in a statement. "IAB Europe has sought to evade its responsibility for this charade. But the European Court of Justice has set it straight. This decision will not only end the biggest spam operation in history. It will deal a mortal wound to the online tracking-based advertising industry."

IAB Europe argues it's just a flesh wound. The ad group welcomed the CJEU's clarification, which "will allow a serene completion of the remaining legal proceedings" and maintains that the ruling does not mean its TCF itself – already revised for compliance [PDF] – is illegal.

"The CJEU ruling relates solely to those two key questions ('Is the TC String personal data?' and 'Is IAB Europe a (joint) controller regarding processing further to implementation of the TCF?') and does not contain any broader considerations on consent prompts," IAB Europe stated in an explanatory note [PDF].

"There is therefore nothing in the CJEU ruling that could be viewed as even remotely questioning the legality of consent prompts or prohibiting their use by the digital ecosystem to comply with legal requirements under the EU's data protection framework."

"The CJEU ruling furthermore does not examine whether any activities of IAB Europe or TCF participants could be deemed any GDPR breaches. Instead, it only provides clarifications regarding the concepts of personal data and controllership and how they could apply depending on the circumstances." ®