EU Policy. IAB Europe’s advertising bidding model uses personal data, EU court rules

IAB's framework aims to help advertisers comply with data protection rules.
IAB's framework aims to help advertisers comply with data protection rules. Copyright Darko Vojinovic/AP Photo
Copyright Darko Vojinovic/AP Photo
By Cynthia Kroet
Share this articleComments
Share this articleClose Button

After clarification from Luxembourg, the Belgian Court of Appeal will now rule on the case.


IAB Europe’s online advertising model uses personal data and is therefore subject to the General Data Protection Regulation (GDPR), the EU’s highest court in Luxembourg clarified today (7 March).

The European Court of Justice (ECJ) ruling comes after IAB Europe contested a decision by the Belgian Data Protection Authority in 2022, which said its advertising real time bidding model is not in line with the Union’s privacy rules. The Belgian Court of Appeal then asked for clarification on the matter in Luxembourg.

IAB Europe, an association representing digital advertising and marketing companies, created a system in which brokers and platforms can bid for advertising space based on website users’ profiles in real time. It encodes users’ preferences for the bidder to know what the user consented to, and places a cookie on the user’s device.

The Belgian privacy watchdog said however that IAB Europe failed to give users precise information on the use of their data, and ordered the business to establish a legal basis for data processing as well as to strictly vet organisations that use its real time bidding system in order to ensure that they meet the requirements of the GDPR. It also ordered the company to pay a €250,000 fine.

The ECJ said today that IAB’s model “contains information concerning an identifiable user and therefore constitutes personal data within the meaning of the GDPR.”

“Where the information contained in a Transparency and Consent String is associated with an identifier, such as, inter alia, the IP address of the user’s device, that information may make it possible to create a profile of that user and to identify him or her,” the statement said.

The ECJ’s clarification means that the case is referred back to the Belgian Court of Appeals.


The judgment comes as the European Commission aims to present a so-called Cookie Pledge at its Consumer Summit in April. This voluntary pledge would ensure that users receive concrete information on how their data is processed, as well as on the consequences of accepting different types of cookies. Users would therefore have greater control over the processing of their data. 

The next review of the GDPR, which entered into force in 2018, is expected mid-2024. The commission last year also proposed a new law to improve cross border cooperation between data protection authorities. New rules to ensure stronger enforcement of the GDPR (

The highest fine for non-compliance with the GDPR to date was issued in Ireland; in 2023 the Irish data protection authority ordered Meta to pay a €1.2bn fine for transferring data collected from Facebook users in the EU to the US. Meta appealed. 

Subscribe here to stay informed on the latest EU policy developments with our weekly newsletter, “The Policy Briefing”. Your weekly insight on European rulemaking, policy issues, key events, and data trends.

Share this articleComments

You might also like