menu close NewsContact Us
English
EnglishGerman
search close
Global Site close
ArgentinaArubaBarbadosBoliviaBrazilCanadaCayman IslandsChileColombiaCosta RicaCuracaoEl SalvadorGuatemalaHondurasMexicoParaguayPeruPuerto RicoSaint MartinSurinameUnited StatesUruguayVenezuela
AustraliaCambodiaChinaHawaiiHong KongIndiaIndonesiaJapanMacauMalaysiaMaldivesMongoliaMyanmarNew ZealandPakistanPhilippinesSingaporeSouth KoreaSri LankaTaiwanThailandVietnam
AlbaniaAndorraArmeniaAustriaAzerbaijanBelgiumBulgariaCroatiaCyprusCzech RepublicDenmarkEstoniaFinlandFranceGeorgiaGermanyGreeceHungaryIrelandItalyKazakhstanKosovoLatviaLithuaniaLuxembourgMaltaMoldovaNetherlandsNorwayPolandPortugalRomaniaSerbiaSlovakiaSloveniaSpainSwedenSwitzerlandTajikistanTurkeyUkraineUnited KingdomUzbekistan
AlgeriaBahrainEgyptGhanaIsraelJordanKenyaKuwaitLebanonLiberiaMauritiusMoroccoMozambiqueNigeriaOmanQatarSaudi ArabiaSenegalSierra LeoneSouth AfricaTanzaniaTogoTunisiaUgandaUnited Arab EmiratesYemen
English
EnglishGerman
Services
close Services
Tax
Services
About Us
close About Us
About Us
Careers
NewsContact Us
search close
home News
Belgian Ruling Shakes European Advertising Standard TCF

Belgian Ruling Shakes European Advertising Standard TCF

Court of Appeals Brussels – 2022/AR/292

Daniel Lauschke
20/05/2025
Belgian Ruling Shakes European Advertising Standard TCF
On May 14, 2025, a Brussels appellate court declared large parts of the most commonly used consent standard for online advertising – the "Transparency & Consent Framework" (TCF) from IAB Europe – as non-compliant with data protection laws. Particularly critical: the so-called TC String was definitively classified as personal data, and IAB Europe was deemed (jointly) responsible. Given that, according to industry estimates, the TCF is used on hundreds of thousands of websites – including those of Google, Amazon, Microsoft, and X – the ruling impacts the majority of internet users in the EU.

Facts of the Case

IAB Europe, the trade association behind the TCF, developed it to technically and contractually coordinate consent for personalized advertising. Version 2.0, which remains widely in use, stores user preferences in a character string (“Transparency and Consent String,” or TC String) and shares it across the OpenRTB system with participating providers.

Back in 2024, the European Court of Justice (ECJ, C-604/22) had already determined that the TC String could qualify as personal data. Subsequently, the Belgian Data Protection Authority (DPA) found multiple violations (lack of a legal basis, insufficient transparency, inadequate security) and imposed a €250,000 fine. IAB Europe appealed and even requested a reopening of the case; however, this request was denied by the court. It is important to note that the newly released TCF Version 2.2 was not part of this case.

1. Court Decision

The TC String is personal data.

When visiting many websites, users encounter a consent window (“cookie banner”), where they choose whether to accept or reject advertising. This selection is stored as a character string (the TC String).

The court ruled that this dataset could be linked to an identifiable person with reasonable effort, for example, when combined with an IP address. Therefore, it constitutes personal data under the General Data Protection Regulation (GDPR).

2. IAB Europe shares responsibility.

IAB Europe determines the rules for how the TC String is generated, stored, and passed on to advertising companies. Due to this influence, the association is jointly responsible for the processing of this data, along with website operators and advertising networks. However, the court noted that IAB Europe itself does not directly process the data.

3. Responsibility ends at the TC String—no liability for subsequent ad auctions.

Many companies use the TC String to conduct real-time advertising auctions (“Real-Time Bidding”) within seconds. The court clarified that IAB Europe is only responsible for such subsequent auctions if it also sets rules for them. In this case, no evidence of this was presented.

Confirmed violations and consequences.

4. The court confirmed multiple violations.

IAB Europe did not obtain valid user consent and could not rely on “legitimate interests.” Users are not sufficiently informed about who uses their data and for what purposes. The system fails to provide a reliable mechanism to prevent data falsification or misuse. Additionally, it lacks a complete record of processing activities, a data protection impact assessment, and a data protection officer.

Consequently, the court upheld the €250,000 fine, required a detailed remedial plan to address the deficiencies, and imposed a penalty of €5,000 per day for non-compliance with the court’s instructions.

Practical Implications

According to Heise (article dated May 15, 2025), the TCF is "the most widely used standard for profiling in online advertising." Following this ruling, all stakeholders—including publishers, ad-tech platforms, and advertisers—face regulatory scrutiny if they continue relying on Version 2.0 without addressing the identified shortcomings. Moreover, civil claims for damages could be significant given the large number of impacted EU users. IAB Europe has since announced the development of a new Version 2.2, which it claims already addresses the ruling’s findings.

Recommendations for Companies

  • Conduct a GDPR gap analysis of the TCF's use (including Version 2.2).
  • Always establish a solid legal basis and document consent processes.

Failure to take corrective action could result in fines and reputational harm in an environment where data protection compliance is increasingly becoming a competitive advantage.