ECJ ruling on tracking consent mechanism: update for consent banners required

The European Court of Justice (ECJ) has issued another important ruling in the proceedings surrounding the common TCF industry standard for tracking consent mechanisms in websites and apps. Specifically, it has now decided that the consent signals, known as Transparency and Consent Strings (TC Strings), constitute personal data under the GDPR and that the industry association Interactive Advertising Bureau Europe (IAB Europe) is a (joint) controller under EU data protection law when processing them.
Simply put, TC strings are combinations of letters and numbers that indicate whether and to what extent users have consented to the use of their data when interacting with a cookie banner. Based on the information stored in the TC string, the advertising space on the website or app used is auctioned off through the so-called real-time bidding process to be able to display user-targeted advertising. As the TC String allows to make a connection to the person using the website or app, the TC String constitutes personal data.
When storing consent preferences in a TC String, the industry association IAB Europe is (jointly) responsible under data protection law because IAB Europe “influences” and, together with its members, determines the purposes and means of data processing related to the TC String, according to the ECJ. IAB Europe has developed the Transparency and Consent Framework (TCF) to provide a framework that enables the delivery of targeted advertising in compliance with the GDPR. IAB Europe sanctions certain Consent Management Platforms (CMPs) for obtaining valid user consent for this framework.
The ECJ ruling will require adjustments to the TCF standard, but there is no direct need for implementation for website and app publishers for the time being. IAB Europe will likely make an adjustment to the currently valid TCF 2.2 in the coming months, which will then have to be implemented by CMP and advertising technology service providers.
The ruling is also seen as a further clear signal from the ECJ that both the understanding of controllership and the definition of personal data must be interpreted extremely broadly data under EU protection law – it therefore remains difficult to “escape” the reach of the GDPR.

(Dr. Lukas Mezger, UNVERZAGT Rechtsanwälte)