German Court Asks CJEU Whether Platforms Must Publish GDPR Joint Controller Details

A German court has asked the Court of Justice of the European Union to answer a question that could create a new disclosure headache for platforms, marketplaces, professional directories, publishers, and businesses using third-party tracking or embedded services.

The issue is simple on its face but potentially broad in practice:

When a platform operator and a website owner are joint controllers under the GDPR, must the “essence” of their joint controller arrangement be published on the website or linked from the page where the data collection occurs?

Or is it enough to provide that information only when a data subject asks for it?

That question is now before the CJEU in Case C-287/26, following a referral from the Higher Regional Court of Düsseldorf. The case involves a lawyer’s profile on anwalt.de, a German legal services directory platform. The allegation is that the profile page did not make required GDPR transparency information available, including the essence of the joint controller arrangement between the lawyer and the platform.

While the facts come from a legal directory, the compliance implications are much larger. This is not just about lawyers on professional profile pages. It is about how modern websites rely on platforms, embedded tools, ad tech, analytics, social plugins, marketplaces, lead-generation tools, and hosted profile pages that can create joint controller relationships.

If the CJEU says this information must be published or linked from the accessed page, privacy notices may need to become more operational, more specific, and more closely tied to the actual technology running on each website.

Why Article 26 Matters

Article 26 of the GDPR applies when two or more controllers jointly determine the purposes and means of processing personal data.

That distinction matters because many companies still treat data protection relationships as if there are only two basic categories:

Controller or processor.

But in many digital environments, that framing is too narrow. A third-party platform may not merely process data on behalf of a business. The platform may help determine why data is collected, what technical means are used, how the service operates, what analytics are created, how users are tracked, or how profiles and rankings function.

That can move the relationship into joint controller territory.

Under Article 26, joint controllers must determine their respective responsibilities for GDPR compliance in a transparent arrangement. That arrangement should address issues such as data subject rights, transparency obligations, points of contact, and each party’s respective role.

The GDPR then says the “essence” of that arrangement must be made available to data subjects.

The problem is that the GDPR does not clearly say what “made available” means.

Does it mean posted in a privacy policy?

Does it mean linked from the page where tracking or collection happens?

Does it mean available through a marked privacy link?

Or does it mean a business can wait until a person asks?

That is the gap now before the CJEU.

The Website Disclosure Problem

The case illustrates a practical problem that privacy teams see every day.

A user visits a page hosted on or operated through a platform. That page may display a professional profile, a business listing, a marketplace page, a lead form, a booking widget, a social plugin, a review tool, or an advertising tag.

When the page loads, personal data may be collected. This can include IP addresses, device identifiers, cookie IDs, browser information, usage data, referral data, and behavioral signals.

The user often sees one brand, but multiple entities may be involved.

That creates a transparency problem. If two parties jointly determine parts of the processing, the user should be able to understand who is responsible for what. Otherwise, the user may not know which entity to contact, which rights process applies, or which company is responsible for the collection, transmission, storage, analytics, or follow-up use of the data.

That is why this case matters. It asks whether joint controller transparency needs to be visible at the point of collection, not buried in a back-office contract or produced only after a request.

Why Platforms Should Pay Attention

Platforms are especially exposed because their business models often involve shared digital environments.

Examples include:

Legal directories, doctor directories, contractor marketplaces, SaaS marketplaces, review platforms, booking platforms, creator platforms, franchise pages, affiliate portals, embedded lead-generation tools, and ad-supported publisher networks.

In these settings, a platform may provide the technical infrastructure while the business or profile owner benefits from the exposure, traffic, analytics, inquiries, rankings, or leads. The platform may collect data for its own service operations, fraud prevention, analytics, targeting, optimization, or product improvement. The listed business may also benefit from the same data flow.

That is exactly the type of structure that can raise joint controller questions.

If the CJEU requires proactive publication, platforms may need to revisit how they present privacy information across hosted pages. A generic privacy policy may not be enough if users cannot easily understand that the page involves joint controllership and what each party is responsible for.

For businesses using these platforms, the risk is not limited to the platform provider. A company with a profile page, listing, widget, or embedded tool may also be pulled into the compliance analysis.

Why Website Owners Should Care

Website owners often assume that third-party tools are vendor issues.

That assumption is dangerous.

The CJEU has already recognized joint controllership in cases involving Facebook fan pages and embedded social plugins. The core principle is that a website operator can be responsible for certain stages of data collection and transmission when it chooses to deploy a tool that causes personal data to be collected and sent to a third party.

In plain English, if your website benefits from the tool and helps trigger the data collection, you may not be able to treat the entire issue as somebody else’s problem.

That matters for:

Cookie banners
Privacy policies
Tracking disclosures
Vendor inventories
Data processing agreements
Joint controller terms
Consent records
DSAR workflows
Marketing pixels
Lead-generation forms
Embedded maps, videos, chat tools, and social plugins

The more complex your website stack becomes, the harder it is to maintain accurate disclosures manually.

This Is Bigger Than One German Case

The question before the CJEU fits into a larger enforcement trend.

European courts and regulators have increasingly focused on whether website operators, platforms, advertisers, publishers, and technology providers are properly allocating responsibility for digital data collection.

That includes tracking tools, social plugins, ad tech frameworks, consent strings, hosted pages, and platform-mediated data flows.

The broader theme is clear: regulators and courts are not only asking whether a business has a privacy policy. They are asking whether the policy accurately reflects what the site actually does.

That is a much harder standard.

A static privacy policy drafted once a year may not reflect new tags, changed vendors, altered consent behavior, new embedded tools, or data flows triggered by marketing teams. This is where many organizations lose control. The website changes faster than the compliance documentation.

A privacy notice can be legally polished and still operationally wrong.

The Risk for Ad Tech and Tracking Tools

The joint controller issue becomes especially important in advertising and analytics.

Modern advertising stacks rarely involve a single controller and a single processor. They may involve publishers, advertisers, consent management platforms, analytics providers, retargeting platforms, data brokers, clean rooms, identity providers, and measurement vendors.

Some vendors may be processors for certain activities, independent controllers for others, and joint controllers for a specific stage of processing.

That is why a simple vendor list is often not enough. A business needs to understand the role each party plays for each processing activity.

For example, the same vendor might be:

A processor for hosting a form submission
An independent controller for fraud prevention or product improvement
A joint controller for a specific advertising or measurement integration

If your privacy notice treats every vendor the same way, it may not accurately describe the legal reality.

That is the transparency problem this CJEU referral brings into focus.

CJEU Compliance Reviews

The CJEU has not yet answered the question, so businesses should avoid overreacting. But they should not ignore it either.

The practical compliance move is to prepare for a more transparency-focused outcome.

That means reviewing whether your website can clearly answer the following:

Who collects personal data when a page loads?

Which third-party tools fire before consent?

Which tools fire after consent?

Which entities receive personal data?

Which vendors are processors, independent controllers, or joint controllers?

Where is the joint controller arrangement described?

Can a user find that information from the page where the processing occurs?

Does the privacy policy match the website’s actual tracking behavior?

Are cookie tables and vendor disclosures updated when tags change?

Is there a process for reviewing new marketing tools before deployment?

For many companies, the answer is no.

The gap is not always legal drafting. The gap is operational visibility.

Why Static Privacy Policies Are Becoming a Liability

The old model of website compliance was document-based.

A company would publish a privacy policy, add a cookie banner, and assume the site was covered.

That model is breaking down.

Website compliance is now dynamic. Tags change. Pixels get added. Consent settings shift. Vendors update scripts. Marketing teams test new tools. Agencies add trackers. Embedded content loads third-party resources. Platforms change how their services collect and use data.

When that happens, the privacy policy can become outdated without anyone realizing it.

This is especially risky when legal obligations depend on the actual data flow, not the company’s intended documentation.

A privacy policy that says one thing while the website does another creates exposure. It can also give regulators, plaintiffs, or competitors a clear argument that the business failed to provide accurate transparency.

That is why businesses need more than a privacy policy. They need continuous visibility into what their websites are doing.

The Captain Compliance View

This announcement is a reminder that privacy compliance is moving closer to the website layer.

The risk is no longer limited to whether a company has a privacy notice. The question is whether the notice, consent banner, cookie table, vendor disclosures, and data rights workflows accurately reflect the real-time behavior of the website.

Captain Compliance helps companies close that gap by monitoring websites for privacy risks, tracking technologies, consent failures, vendor changes, and compliance issues that can appear after launch.

For companies operating in the EU or serving EU users, this matters because joint controller relationships are not always obvious from the contract alone. They often become visible only when the website’s actual data flows are reviewed.

A business may not realize that a hosted profile page, advertising integration, embedded widget, analytics tool, or lead-generation platform has created a disclosure issue until a regulator, claimant, or competitor points it out.

That is the wrong time to find the problem.

Compliance Takeaway

The CJEU’s eventual decision could clarify whether Article 26 joint controller disclosures must be proactively published online or whether on-request access is enough.

But even before that ruling, the direction of travel is obvious.

Privacy transparency is becoming more specific, more technical, and more connected to actual website behavior.

Businesses should use this moment to review their platform relationships, website trackers, consent behavior, vendor disclosures, and joint controller arrangements.

The safest posture is not to wait for a formal request from a data subject. It is to make privacy disclosures easy to find, accurate, and aligned with the way the website actually collects and shares data.

Because in modern privacy compliance, the problem is often already live on the page.
