On 7 March 2024 the CJEU ruled that the Transparency and Consent String (TC String) (a string composed of a combination of letters and characters into which users’ preferences in relation to targeted advertising are encoded and stored) developed by the IAB constitutes personal data. The TC String interacts with a cookie to identify whether the user has indicated consent/lack of consent to targeted advertising. It is often used in connection with Real Time Bidding (a process where advertisers bid to place advertisements on websites in real time).
The CJEU held that despite not processing data itself, in setting the rules in relation to how the consent could be used, stored and shared in the TC String, IAB is “exerting influence” over the processing and is therefore a joint controller with its members. The court further confirmed that the joint controllership does not extend to the processing undertaken by members based on that consent.
This is a useful reminder that if you play a part in determining the means and purposes of processing personal data, you should not assume that you have no responsibility for the processing where you do not personally process the personal data.
The full case report can be found here.