The tracking-ads industry in the EU is dealt another setback

The Court of Justice of the EU’s (CJEU) ruling represents a significant setback for the tracking-ads industry’s consent collection practices. The CJEU confirmed that the data generated by the consent management tool, specifically the strings of data produced in response to users’ privacy choices, constitutes personal data under the General Data Protection Regulation (GDPR) because it includes personal identifiers.

Furthermore, the CJEU determined that IAB Europe, the ad industry association responsible for the consent management tool, is considered a “joint controller” alongside its advertiser members. This means that IAB Europe shares responsibility for ensuring compliance with the GDPR regarding data processing activities. However, the court left open the possibility for IAB Europe to be considered a controller for data processing operations that occur after user consent preferences are recorded, pending evidence of its influence over subsequent data operations.

The CJEU’s decision stems from a referral of questions raised by a Belgian court, prompted by IAB Europe’s challenge to a February 2022 ruling by the Belgian data protection authority. This decision found that IAB Europe’s “Transparency and Consent Framework” (TCF) violated the GDPR.

The ruling is particularly significant for web users in Europe, as it addresses the issue of consent spam that has proliferated since the implementation of the GDPR in May 2018. Many websites bombard users with endless pop-ups soliciting consent for sharing their data with numerous ad partners. These pop-ups often lack GDPR compliance, offering users limited options and burying tracking opt-outs in obscure menus, while prominently featuring easily accessible “accept” buttons. This practice undermines users’ privacy rights and creates a false sense of choice.