Belgian Court Limits IAB Europe’s Controller Status; Danish Authorities Issue Joint Cookie Compliance Guidance

Want to receive these privacy recaps in your inbox each week? Subscribe here.

EUROPE

BE Court Rules IAB Europe is Joint Controller of TC String, not Other Data

Over three years after the Belgian Data Protection Authority (APD)’s February 2022 decision holding IAB Europe’s Transparency and Consent Framework (TCF) in violation of the GDPR, the Belgian Market Court annulled the decision on the IAB Europe’s appeal, while confirming in part and overturning in part certain aspects of the APD’s decision. Specifically, consistent with answers issued by the EU Court of Justice in 2024, the Market Court found that the Transparency and Consent (TC) String of the TCF constitutes personal data under the GDPR and that the IAB Europe acts as a joint data controller of the TC String for the processing of user preferences within the TCF, but that the IAB Europe does not act as a joint controller of other personal data processed by participants using the TCF, such as data exchanged as part of the real-time-bidding (RTB) ecosystem for digital advertising.

TAKEAWAY

It’s not over yet. This Market Court decision was based on only one of two appeals in this case. The second appeal, filed by the IAB Europe in 2023, challenged the Litigation Chamber’s approval of the IAB Europe’s action plan (created and submitted by the IAB Europe in response to the original 2022 decision). The Market Court has yet to rule on that second appeal, and, according to the IAB Europe’s FAQs , the APD’s voluntary suspension of the implementation period for the approved action plan continues to apply until a final ruling of the Market Court on the IAB Europe’s second appeal. Further, since the measures proposed in the action plan stem, in part, from the assumption that the IAB Europe acts as a joint controller of not only the TC String, but also of other data processing done by TCF participations (the latter part of such assumption has now been overturned), at least part of the action plan is now irrelevant. 

Danish DPA and Digital Agency Publish Joint Cookie Guidance

To help companies comply with both the GDPR (governing the processing of personal data, whether or not via use of cookies) and the Cookie Executive Order (governing the use of cookies, whether or not involving the processing of personal data), the Danish DPA and Digital Agency have published joint guidance outlining what rules apply to cookies and practical steps companies should take as a result, as well as examples of non-compliant consent prompts.

TAKEAWAY

Examples of non-compliant consent prompts outlined by the guidance include prompts that (1) only offer a “consent” action, without an alternative; (2) block users from accessing the website unless and until they consent; (3) nudge the user toward the consent option with colors and fonts that are easier to see than the alternative; (4) bundle multiple processing purposes into a single consent option, rather than providing separate consent choices for each purpose; (5) include vague labels for consent options, such as “necessary”, “statistics” and “third-party technologies” without providing specific information about the purposes of processing and the specific information that will be processed for each purpose; (6) don’t inform that consent can be withdrawn; or (7) don’t make withdrawing consent as easy as giving it (e.g., by swiping a toggle back to off after swiping it on). 

A LITTLE MORE PRIVACY, IF YOU PLEASE

Europe

• The French CNIL Publishes Final Privacy Guidance for Mobile Apps

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.