On 15 May 2025, the Belgian Market Court upheld the Belgian Data Protection Authority's (DPA) decision to fine IAB Europe €250,000 for violations of the GDPR linked to its Transparency and Consent Framework (TCF). 

This ruling follows the CJEU's previous clarifications of March 2024 and concludes a long-running disagreement that began in 2019.

What is the TCF?

IAB Europe's TCF is a voluntary standard that helps participants in the adtech ecosystem obtain and manage user consent for the processing of personal data when targeting advertising. 

The TCF is particularly relevant to those using the OpenRTB protocol for Real-time Bidding (RTB), i.e. the automated and instantaneous online auction of user profiles for selling and buying ad space on the internet.

When a user first visits a website or app, a Consent Management Platform (CMP) appears presenting options to consent or object to data processing for specified purposes (e.g. personalised advertising). Under the TCF, these choices are encoded into a "Transparency and Consent String" (TC String), which is then shared with other participating organisations to inform ad delivery in line with the user's consent preference. 

While the TC String alone may not directly identify a user, the CMP places a cookie on the user's device (euconsent-v2) which, when combined with the TC String, can be linked to an IP address, making it indirectly identifiable. This technical feature became central in the assessment of whether the TC String constitutes personal data under the GDPR. 

Procedural history

Initial DPA decision 

The Litigation Chamber of the DPA ruled on 2 February 2022 that the TCF was not compliant with GDPR requirements. It determined that:

• The TC String is classified as personal data (due to indirectly identifying users when linked to an identifier); and 
• IAB Europe acts as a data controller with respect to the TC String. 

A €250,000 fine was imposed, alongside corrective measures to bring the TCF into compliance. These measures included:

1. vetting all participating organisations to ensure the GDPR requirements were met;
2. establishing a valid legal basis for processing and dissemination of users' preferences within the TCF; and
3. prohibiting the use of legitimate interest as a basis for the processing of personal data by organisations participating in the TCF. 

The DPA gave two months for IAB Europe to present an action plan to implement these measures. 

For more information see our article here.

Appeal 

IAB Europe appealed the DPA's decision to the Belgian Market Court on 4 March 2022, challenging both the classification of the TC String as personal data within the meaning of Article 4(1) GDPR and its own status as a controller. 

In response, the Market Court stayed the proceedings on 7 September 2022 and referred two preliminary questions to the CJEU:

1. Whether the TC String is personal data under Article 4(1) GDPR, particularly when combined with other identifiers.
2. Whether IAB Europe, as a standard-setting organisation, should be considered a joint controller for the processing of TC Strings and for further processing of data for subsequent purposes such as digital advertising.

For more information see our article here.

CJEU clarifications

On 7 March 2024, the CJEU confirmed that the TC String qualifies as personal data under Article 4(1) GDPR where it can be associated with an identifier (like an IP address) allowing user identification. The rationale was that if the TC String allows user identification when combined with additional data, it must itself contain some information about an identifiable user. Importantly, it does not matter whether IAB Europe itself can directly identify users – the potential for indirect identification by requesting access to linked data held by other members is sufficient.

The Court also found that IAB Europe acts as a joint controller with respect to the creation and dissemination of TC Strings, given its role in defining the TCF's binding technical rules and processing structure. 

However, this joint controllership status does not automatically extend to further processing by third parties (e.g. publishers or adtech vendors), unless IAB Europe also determines the purposes and means of those subsequent processing operations. 

Belgian Market Court Ruling 

In its final decision of 14 May 2025, the Market Court followed the CJEU's reasoning, upholding the DPA's fine of €250,000. It confirmed that:

• The TC String is personal data if it allows for identification;
• IAB Europe is a joint controller for the processing of TC strings; however,
• IAB Europe is not a joint controller for subsequent advertising processing carried out by third parties.

Although this third point partially narrows the DPA's original findings, the key conclusion remains: IAB Europe bears responsibility under the GDPR for how personal data is processed within the TCF via the TC String. 

Implications for TCF participants

This decision reinforces that consent frameworks must comply with the GDPR, particularly around transparency, lawful basis and accountability.

TCF v2.2

It is important to note that, the ruling addresses TCF v2.0, which was the subject of the original 2022 decision. The Market Court explicitly stated that it has no jurisdiction over TCF v 2.2, the current version of the framework. 

TCF v2.2 was released following the DPA's 2022 decision when IAB Europe submitted an action plan to ensure the TCF was GDPR compliant. This plan was approved by the Belgian DPA on 11 January 2023, and led to the release of TCF v2.2 in May 2023 (i.e. two years before the Market Court's decision). This version includes key changes, such as:

• Removing legitimate interest as a basis for certain data processing purposes (specifically, personalised advertising and content); and 
• Enhancing the information provided to users, including providing clearer purpose names and descriptions.

It is worth noting that legitimate interest has not been removed as a basis for all advertising and content purposes under the TCF – only those where there is personalisation. This appears to reflect a negotiated middle ground with the regulators.

Comment

While this update confirms IAB Europe's GDPR violations under the old TCF, it does not declare TCF v2.2 unlawful. This version remains in effect and may withstand regulatory scrutiny (at least for now). However, given the evolving legal and regulatory landscape, further challenges cannot be ruled out.