European Court of Justice rules IAB's cookie consent system violates GDPR


A system built by the IAB trade association, used on many websites to request permission to place cookies via a pop-up, is in violation of the GDPR. The European Court of Justice stated this in a judgment.

IAB is the largest European trade association for advertisers, marketing agencies and media companies. Years ago, the organization built the Transparency & Consent Framework, with which cookie consent can be arranged in one go according to the GDPR rules. Many users see this system in the form of the cookie pop-up that appears on many sites. According to Financial Dagblad, it is estimated that approximately eighty percent of European websites and apps use the system.

In 2022, however, the Belgian supervisory authority decided that IAB's system is in conflict with the GDPR. The IAB system stores users' preferences encoded in a TC string, which is then shared with organizations that participate in the IAB advertising platform. This way, personal data brokers and advertising platforms know what a user has or has not given permission for. In addition, a cookie is placed on the user's device. But the TC string and the cookie, in combination with each other, can be linked to the user's IP address, making the user identifiable. According to the privacy regulator, IAB is also a data controller, which means it can be held responsible for violations of the GDPR. IAB was fined 250,000 euros and given two months to submit an action plan with points for improvement.

IAB appealed the decision. The Belgian judge again asked the European Court of Justice for further explanation. In its judgment, the Court now comes to the same conclusion, namely that the TC string contains information about an identifiable user and therefore constitutes personal data. The Court also believes that IAB Europe should be regarded as a joint controller.

The Court's judgment now goes back to the Belgian judge who had asked the Court for an explanation. Only after the Belgian court has made a ruling will the decision of the Belgian privacy authority become final. But the European Court's ruling means that the advertising sector must fundamentally adapt its current system. IAB has already designed an alternative, but because the industry wanted to wait for the legal process, this was never put into practice.