.png?width=178&height=52&name=logo_transparent%20(4).png "PrivacyPerfect_logo.png"){kind=logo}
Cookies and Digital Advertising: Google Chrome Phases Out Third-Party Cookies & European Court of Justice declares IAB Europe as Joint Controller
On 7 March 2024, the European Court of Justice (Court) delivered its judgment in the IAB Europe case. IAB Europe is a digital marketing and advertising association, which was fined by the Belgian Data Protection Authority for unlawfully processing personal data. However, IAB Europe claimed that they are not controllers and that the transparency and consent string (TC string) should not be considered personal data. In this blog post we examine the IAB Europe case and its implications for the Cookie Consent Mechanism.
IAB Europe
IAB Europe has developed the Transparency and Consent Framework (TCF) to establish a standardized approach for complying with the European General Data Protection Regulation (GDPR) and the e-Privacy Directive regarding the collection and use of personal data within the OpenRTB protocol. OpenRTB, a widely adopted protocol for Real-Time Bidding, facilitates the instantaneous online auctioning of user profiles for the purchase and sale of advertising space on the internet. This is primarily done through the use of cookies
IAB Europe functions as an intermediary with the TCF. When users visit certain websites, they are asked to agree to cookies through a cookie consent banner. Subsequently, the user's consent and preferences are encrypted and stored in a transparency and consent string (TC string). This TC string is then shared with organisations participating in the OpenRTB. After sharing, a cookie is placed on the user's device, connecting the TC string with the cookie and the user’s IP address.
The main goal of the TCF was to enable companies to demonstrate their compliance with privacy legislation by obtaining valid consent from users to process their personal data, which is essential in the digital advertising industry.
Findings of the Court
TC Strings are Personal Data
The TC string contains the personal preferences of the user with regard to their consent to personal data processing. Linking the information contained in a TC string to an identifier, such as the IP address, may make it possible to draw up user profiles and to identify the person to whom that information specifically relates. Therefore, the Court concluded that the TC String should be considered personal data.
IAB Europe is (Joint) Controller
Even though IAB Europe does not participate in Real Time Bidding or in digital advertising (they only developed the standards for the industry), the Court concluded that IAB Europe is nonetheless considered to be a joint controller with respect to the storage of consent preferences through the TC string, as it influences how personal data is processed for its own purposes. However, the joint responsibility does not automatically extend to subsequent processing of personal data by third parties for targeted online advertising unless IAB Europe exercises influence on the determination of the purpose of such subsequent processing and of the means by which it is carried out.
Consequences
Following the judgment by the Court, the TCF must be adapted and businesses using the TCF for online advertising purposes may need to implement changes to their cookie consent mechanism as well as their related policies and agreements, such as their privacy policy. The wording of their legal texts must reflect that IAB Europe is joint controller and a joint controllership agreement must be concluded between the businesses that act as controllers and IAB Europe. Moreover, the consent template shown to end users must include that the TC string and storage of the user’s preferences are also data categories for which consent is given.
It is important to note that the Court has not determined whether the consent form provided by IAB Europe complies with the legal requirements for valid consent under the GDPR. This remains an ongoing challenge for companies participating in the TCF as controllers.
Google Chrome phasing out third-party cookies
Meanwhile, Google is ending third-party cookies for Chrome users. However, the end of third-party cookies does not eliminate the need for user consent as there are still other tracking technologies in use. Consent remains a crucial requirement under data protection laws like the GDPR, obliging websites to obtain consent before activating cookies or tracking users for advertising. Websites must inform users about tracking technologies used, securely document consents obtained, and allow users to easily change or revoke their consent preferences. Publishers using Google's ad platforms must now use certified consent management platforms aligned with data privacy laws. Google's Privacy Sandbox offers alternative APIs and measures to support advertising functionalities without relying on third-party cookies for user tracking.
Cookiebot
To prepare for Google's planned elimination of third-party cookies by the third quarter of 2024, website owners need to assess and understand their current usage of third-party cookies. Utilising tools like the Cookiebot consent management platform (CMP) allows for a free audit of a website's cookies and online trackers. By identifying which third-party cookies are in use, website owners can better prepare for the changes ahead.
In a future without third-party cookies, Cookiebot CMP will continue to detect technologies used for collecting personal data from end users, including proposed browser APIs by Google for remarketing and real-time ad auctions. Cookiebot CMP can assist in securing valid consent in accordance with data privacy regulations such as the GDPR, which is not only essential for cookies but also for alternative tracking methods in a cookie-free setting.
Stay tuned for the latest update by signing up for our newsletter.
Until next time!
Team PrivacyPerfect
SHARE