Top EU Court Ruling Means It May Be Legally Impossible to Use Real-Time Bidding for Ads
Back in 2020, we wrote about a report by Johnny Ryan and the Irish Council for Civil Liberties that claimed over 100 trillion pieces of personal data were being exchanged online each year for use in micro-targeted advertising under the Real Time Bidding (RTB) system. A new ruling from the Court of Justice of the European Union (CJEU) will finally see courts examine whether RTB is fully compliant with the EU’s GDPR legislation. At the very least, RTB is likely to change in key ways – and it may even turn out that the system is fundamentally incompatible with EU privacy law.
Under RTB, in the few hundredths of a second after you click a link to visit most sites, blank advertising slots are put up for an automated auction among potential advertisers. In addition to information about the site and ad space, reams of personal information are also shared with potential bidders. To help site owners and adtech companies comply with GDPR, the digital advertising group IAB Europe drew up its Transparency and Consent Framework (TCF), “an accountability tool that relies on standardisation to facilitate compliance with certain provisions of the [EU’s] ePrivacy Directive and the GDPR.”
The application of the TCF has contributed to the routine use of “consent” popups on sites. They inform visitors about where personal data will be sent and gather consent for third-party use. Users’ preferences are stored in a special set of characters known as the Transparency and Consent String (TC String), and a cookie is placed on the user’s system. Importantly, the TC String and the cookie can be linked to the user’s IP address.
As we discussed in November 2021, the Belgian data protection authority issued a draft ruling identifying alleged infringements of GDPR by IAB Europe as a result of the way the TCF is used by the adtech industry. IAB Europe appealed against the final ruling of the Belgian data protection authority. The evident importance of the case led the Belgian Market Court, part of the Brussels Court of Appeal, to make a referral in September 2022 to the EU court asking for clarification of key issues. The CJEU has now issued its ruling regarding the “auctioning of personal data for advertising purposes.” There are two elements:
“In its judgment, the Court of Justice confirms that the TC String contains information concerning an identifiable user and therefore constitutes personal data within the meaning of the GDPR. Where the information contained in a TC String is associated with an identifier, such as, inter alia, the IP address of the user’s device, that information may make it possible to create a profile of that user and to identify him or her.
Furthermore, IAB Europe must be regarded as a ‘joint controller’ within the meaning of the GDPR. Subject to the verifications which are for the referring court to carry out, that association appears to exert influence over data processing operations when the consent preferences of users are recorded in a TC String, and to determine, jointly with its members, both the purposes of those operations and the means behind them.”
These rather technical issues might not seem particularly important at a first glance. An analysis from three academics immediately after the Belgian data authority’s final ruling on the TCF explained that assuming the ruling would be upheld – which has now happened – the impact would be dramatic:
“Characterising IAB Europe as a joint controller with RTB actors, the Belgian decision gives DPAs [Data Protection Authorities] an agreed-upon blueprint to deal with a structurally difficult enforcement challenge. Furthermore, under the DPA’s simple-looking remedial orders are deep technical and organisational tensions. We analyse these “impossible asks”, concluding that absent a fundamental change to RTB, IAB Europe will be unable to adapt the TCF to bring RTB into compliance with the decision.”
What Does This Mean for Real-Time Bidding?
One of the issues with applying GDPR to real-time bidding is that each actor in the RTB system has tried to claim that a different part of the system was responsible for GDPR compliance. This vagueness made it hard for data protection authorities to decide who they should bring GDPR enforcement actions against. The CJEU’s confirmation of the Belgian DPA analysis that more or less everyone involved in the RTB system must comply with the GDPR hands EU DPAs a powerful weapon for future enforcement actions against all players in the RTB world.
The second issue identified by the CJEU is perhaps even more far reaching. In its 2022 decision, the Belgian DPA gave IAB Europe a chance to fix the privacy problems it had identified. As the academics put it: “much of what the Belgian DPA asks ranges from structurally challenging to impossible without rethinking how RTB itself works.” At the very least, this probably means that “consent” popups will have to go. More profoundly, the CJEU ruling could mean the RTB system cannot be made fully legal in the EU, and would have to be dropped there. This would have major repercussions on digital adtech around the world. If RTB is no longer an option, the obvious alternative is contextual advertising, as more and more people are now advocating.