Transparency and Consent Framework EU Court Ruling Signals Broader Digital Advertising Transformation

In a judgment from the Court of Justice of the European Union (CJEU), the Interactive Advertising Bureau Europe (IAB) has been held partly responsible for data about how people consent to online advertising.

1. The CJEU judgment is part of a long-running dispute between the IAB and a group of privacy activists about the Transparency and Consent Framework v2 (TCF), a standard used by thousands of companies to deliver targeted ads.
2. The court found that the IAB and some participants in the TCF are jointly responsible for the “TC String”—a code that tells advertising publishers, vendors, and Consent Management Platforms (CMPs) how they may use an individual’s personal data.
3. This complex case is part of a broader transformation in the digital marketing landscape, with companies starting to take a more responsible approach to delivering targeted ads.

What’s the background to this case?

The IAB developed the TCF in 2017, before the enforcement deadline for the EU General Data Protection Regulation (GDPR). The group said the TCF would help publishers, adtech vendors, and CMPs comply with the law’s notice and consent requirements.

The TCF is a voluntary scheme that sets rules for companies participating in the “Real Time Bidding” (RTB) process—an ad auction that takes place in the split second before a website loads—including:

• CMPs, who help websites and apps give notice and get consent for ads
• Publishers, who bid on the opportunity to display an ad to a user
• Adtech vendors, who facilitate buying and selling processes behind the scenes

A key to this case is the TC String, a digital signal that communicates a user’s advertising consent preferences.

Privacy campaigners argued that the TC String was personal data—and that by setting rules for TCF participants handled the TC String, the IAB was a “controller” with an extensive range of responsibilities under the GDPR.

Were the campaigners right?

The IAB’s opponents have won some important arguments in this case, but not all of them.

In 2022, a decision by the Belgian Data Protection Authority (DPA) found that the TC String was indeed personal data and that the IAB was a “joint controller” that shared responsibilities with certain other companies participating in the TCF.

The IAB appealed this decision, but it also developed a new version of the TCF, TCF v2.2, which the Belgian DPA has approved.

The TCF v2.2 brings in new requirements for TCF participants, including:

• More detailed and accessible cookie notices
• A rule that withdrawing cookie consent must be as easy as giving it
• An obligation to obtain consent for a broader range of advertising-related activities

This CJEU judgment confirms most of the Belgian DPA’s decision, so it’s likely that these new transparency and consent requirements are here to stay.

What are the implications for digital advertising?

The CJEU’s ruling is technical and complex. The case will now return to the Belgian Court of Appeal, which will give a judgment based on the CJEU’s findings.

But let’s take a step back and consider the broader digital marketing ecosystem.

• The IAB has already issued stricter consent rules as a result of this case
• Google recently implemented its Consent Mode 2.0, bringing tighter consent requirements to thousands of websites and apps
• Over a dozen US states have introduced new requirements requiring businesses to provide an opt out for targeted ads.

The GDPR became enforceable nearly six years ago, and we’re only now seeing some of the most significant impacts—like changes in industry practices and new EU-inspired laws passing worldwide.

Action points following the TCF judgment

The deadline for TCF participants to implement TCF v2.2 was last November. So if those changes are relevant to you, you should already have updated your advertising program accordingly.

But more broadly, consider the following actions to help ensure you’re keeping up with the privacy-focused changes to the digital marketing landscape:

• Map your data: Make sure you know what personal data you collect, particularly for advertising or analytics purposes, and what you’re sharing with third parties.
• If you use cookies or similar technologies, work with your CMP and other service providers to ensure you comply with the laws that apply to you.
• Get ready for Data Subject Requests (DSRs). As technology, law, and business practices are changing, so is culture. People are becoming more aware of their data rights, and every company needs a way to help their customers control their personal data.