IAB Europe has failed in its attempt to overturn a 2022 ruling that its real-time bidding adtech system – used by many of the world’s leading brands – is in breach of GDPR, the EU’s highest court in Luxembourg has confirmed.
The European Court of Justice ruling comes after IAB Europe contested a decision made by the Belgian Data Protection Authority in 2022, which said its real-time bidding model is not in line with the EU’s rules. The Belgian Court of Appeal then asked for clarification on the matter in Luxembourg.
IAB Europe, which represents hundreds of digital advertising and marketing companies, created a system in which brokers and platforms can bid for advertising space based on website users’ profiles in real time. It encodes users’ preferences so that the bidder knows what the user consented to, and places a cookie on the user’s device.
However, the Belgian regulator ruled that IAB Europe failed to give users precise information on the use of their data, and ordered the organisation to establish a legal basis for data processing as well as to strictly vet organisations that use its real-time bidding system in order to ensure that they meet the requirements of the GDPR. It also ordered IAB Europe to pay a €250,000 fine.
The regulator – the Autorité de la Protection des Données – had first launched a probe into IAB Europe’s Transparency & Consent Framework in 2019, following 22 complaints about the system, including one from the Irish Council for Civil Liberties.
It ordered the organisation to come up with measures to bring the framework into compliance with the GDPR within two months, while adtech firms including Google, Amazon and Microsoft have been ordered to delete data gathered through the system.
In its ruling, published today, the ECJ said: “[The IAB’s model] contains information concerning an identifiable user and therefore constitutes personal data within the meaning of the GDPR.
“Where the information contained in a Transparency and Consent String is associated with an identifier, such as, inter alia, the IP address of the user’s device, that information may make it possible to create a profile of that user and to identify him or her.”