11.03.2024

ECJ judgment on Real-Time Bidding: What advertisers now need to consider

The ECJ published its judgment in case C-604/22 on March 7, 2024.

The referral procedure concerns fundamental data protection questions regarding digital advertising ecosystems. The targeted display of (digital) advertising to a user has been part of every advertiser's toolbox for years. The decision is therefore likely to have far-reaching practical consequences.

Background

Background to the Real-Time Bidding Process
In practice, the so-called real-time bidding process is often used for the targeted display of digital advertising to a specific website or application ("app") user.

When a user accesses a website or app with an advertising space, advertising companies, in particular data brokers and advertising platforms representing thousands of advertisers, can place bids anonymously in real time to obtain this advertising space via an automated auction system ("bidding") using algorithms and display targeted advertising that is specifically tailored to the profile of such a user.

One of the advantages for an advertiser is that they can reduce wasted coverage when placing advertising. The advertiser pays for advertising that is, in the best case, targeted at specific users.

For website operators, the advantage lies in the "multiple" sales opportunity of the digital advertising space. Two users who visit a certain website at the same time will - almost certainly - see different advertisements based on different profiles. The website operator earns twice.

Background to the use of the Real-Time Bidding process based on the Transparency & Consent Framework of IAB Europe
The Interactive Advertising Bureau ("IAB Europe") is an association that represents the digital advertising and marketing industry at the European level. The members of IAB Europe include companies that generate high revenues through the sale of advertising space on websites or in apps.

IAB Europe has developed the "Transparency & Consent Framework" ("TCF"). This is a regulatory framework consisting of guidelines, instructions, technical specifications, protocols and contractual obligations that enable both the provider of a website or app and data brokers or advertising platforms to lawfully process a user's personal data. In particular, the aim of the TCF is to facilitate compliance with the GDPR when companies use real-time bidding. However, before such targeted advertising is displayed, the user's prior consent must be obtained.

A "Consent Management Platform" ("CMP") is used for this purpose, which enables users to give their consent to the provider of the website or app to collect and process their personal data for predetermined purposes, such as marketing or advertising, or to exchange such data with certain providers, and to object to various types of data processing or the exchange of such data based on the legitimate interests asserted by the providers within the meaning of Article 6 (1) (f) GDPR ("legitimate interest"). This personal data relates in particular to the user's location, age, search history and recent purchases.

The TCF provides a framework for the extensive processing of personal data and facilitates the recording of user preferences using the CMP.

These preferences are then encoded and stored in a string consisting of a combination of letters and characters, which IAB Europe refers to as the Transparency and Consent String ("TC-String"). The respective TC-String is shared with the brokers for personal data and advertising platforms involved in the Real-Time Bidding process. This allows them to determine what the user has consented to and/or objected to.

The CMP also stores a cookie (Euconsent-v2) on the respective end device used by the user.


Combined with each other, the respective TC-String and the respective cookie can be assigned to the IP address used by a specific user.

Legal issues

TC-String can represent personal data
Firstly, the ECJ had to clarify whether a TC-String is to be regarded as personal data in the case at hand. The ECJ initially assumes that a TC-String can be considered personal data, even if such a TC-String itself does not contain any directly identifiable information.

Due to the broad definition of the term "personal data" in Article 4 No. 1 GDPR, a person is at least identifiable if, as here, an identification of a specific natural person is possible. The ECJ has therefore categorized IAB Europe as a controller within the meaning of the GDPR (see Article 4 No. 7 GDPR).

Even though IAB Europe, by itself, does not have the means to identify a single user, in the opinion of the ECJ and its previous case law, the TC-String is still to be considered personal data from the perspective of IAB Europe. Based on the case file, the ECJ assumes that members of IAB Europe (e.g., advertisers, data brokers) are obliged to provide IAB Europe, upon request, with all information that enables IAB Europe to identify the users whose data is the subject of a TC-String.

This means that IAB Europe generally has the means at its disposal to identify a specific natural person based on the information that its members and other organizations participating in the TCF must provide to it (see recital no. 26 sentences 3 and 4 GDPR).

From the perspective of IAB Europe, a TC-String is therefore to be regarded as personal data.

Industry organizations, such as IAB Europe, can be regarded as joint controllers
The ECJ then had to clarify whether the IAB Europe is not only to be regarded as a controller in the sense of data protection law, but whether there may even be joint controllership for the TCF within the meaning of Article 26 GDPR. Joint controllership leads to further data protection requirements, including increased requirements regarding website and/or app privacy notices.

IAB Europe, as an industry organization, has offered its members a regulatory framework established by IAB Europe in relation to consent in the area of personal data processing, which not only contains binding technical rules, but also rules detailing how personal data relating to this consent must be stored and disseminated. It was also questionable whether the assessment is based on whether IAB Europe itself has direct access to the personal data processed by its members within this regulatory framework.

In addition, the ECJ had to clarify whether joint controllership (see Article 26 GDPR) can be assumed if such an industry organization influences the further processing of personal data by third parties, such as members of IAB Europe, e.g., regarding user preferences for targeted online advertising.

  1. The industry association may be responsible
    Firstly, with reference to previous ECJ rulings, the ECJ ruled that a natural or legal person who influences the processing of personal data in their own interest and thus participates in the decision on the purposes and means of this processing can be regarded as a controller within the meaning of Article 4 No. 7 GDPR.
  2. The industry association may be the joint controller.
    Participation in the decision on the purposes and means of processing may take various forms, and may result both from a joint decision by two or more entities and from concerted decisions by such entities.

    Therefore, an industry organization such as IAB Europe can also be considered a joint controller within the meaning of Article 4 No. 7 and Article 26 (1) GDPR. According to the case law of the ECJ, joint controllership of several actors for the same processing under the GDPR does not require that each of the actors has access to the personal data in question (see corresponding ECJ ruling of July 10, 2018, C-25/17, Jehovah's Witnesses).

    It must therefore be examined on a case-by-case basis whether such an industry organization, taking into account the particular circumstances of the case at hand, exerts influence on the processing of personal data, such as the TC-String, out of its own interests and, together with others, determines the purposes and means of the processing in question. The IAB Europe would then not merely be an organization for the standardization of processes (here: the processing of personal data in a specific context), but possibly, together with other controllers, a joint controller within the meaning of Article 4 No. 7 and Article 26 (1) GDPR.

    First, as regards the purposes of such processing of personal data, the ECJ concludes, subject to the checks to be carried out by the referring court, that the TCF established by IAB Europe constitutes a regulatory framework intended to ensure that the processing of personal data of a user of a website or app by certain economic operators participating in the online auctioning of advertising space complies with the GDPR.

    In these circumstances, the TCF is essentially intended to promote and facilitate the sale and purchase of advertising space on the Internet by these economic operators.

Future Prospects

The ECJ's decision comes as little surprise. The ECJ is continuing its case law. It is therefore still important to note that the ECJ does not make a clear decision in the direction of "absolute personal reference" or "relative personal reference". This was probably not necessary here because members of IAB Europe are obliged to provide information on users, and these users are then identifiable in any case.

The argument in favor of joint responsibility also comes as little surprise.

From a practical perspective, the requirements for data protection privacy notices and marketing consents under data protection law in the context of the real-time bidding process are still high. Advertisers face major challenges. On the one hand, it is a challenge to achieve a transparent presentation of all players in a digital and dynamic advertising ecosystem in which real-time bidding is used. On the other hand, the transparent pre-formulation of a corresponding marketing consent under data protection law is a challenge.

It remains to be seen whether IAB Europe will continue to develop its TCF (there are different versions) and whether it will be able to eliminate the points on which the ECJ's reasoning relies. It would certainly be worth a try for the digital advertising industry. In addition, other providers of digital advertising ecosystems will also have to examine the extent to which this ECJ ruling is applicable to their structures.

Authors

Dr. Elisabeth von Finckenstein

Senior Associate

Dr. Stefan Peintinger

Partner