The Belgian Market Court has confirmed that the core mechanism underpinning tracking-based online advertising in Europe—the Transparency and Consent Framework (TCF) developed by IAB Europe—breaches the General Data Protection Regulation (GDPR).
Although the court annulled the Belgian Data Protection Authority’s (DPA) original 2022 decision on procedural grounds, it upheld the substantive findings and confirmed the €250,000 fine imposed on IAB Europe.
The TCF is a standardised framework used widely across websites to record users’ preferences for personalised advertising, primarily through Real-Time Bidding (RTB) systems. RTB facilitates the instantaneous auctioning of ad space based on data collected about users’ online behaviour. The TCF was intended to demonstrate compliance with GDPR by enabling websites and advertisers to obtain user consent for such tracking. However, both EU and Belgian authorities have found that this system fails to meet the regulation’s requirements.
In March 2024, the Court of Justice of the European Union (CJEU) ruled that the “TC String”—the record of a user’s consent preferences generated by the TCF—constitutes personal data under the GDPR. The CJEU also found that IAB Europe could be considered a joint data controller for the processing of such data.
Building on this interpretation, the Market Court ruled on 14 May 2025 that IAB Europe is a joint data controller for the processing of user preferences within the TCF. It upheld the Belgian DPA’s conclusions regarding GDPR violations and confirmed the original financial penalty. However, it rejected the DPA’s position that IAB Europe is a controller for processing operations taking place entirely within the OpenRTB protocol—a separate aspect of the RTB infrastructure.
The Belgian DPA’s original decision, issued on 2 February 2022 (Decision 21/2022), found that the TCF did not ensure informed, freely given, and specific consent, and that IAB Europe had failed to meet its obligations regarding data security, transparency, and accountability. The DPA ordered the organisation to submit a compliance plan within two months. The decision was supported by all relevant EU supervisory authorities through the one-stop-shop mechanism.
IAB Europe appealed the ruling, prompting the Market Court to refer questions to the CJEU. The CJEU’s preliminary ruling in March 2024 confirmed that consent strings represent personal data and that IAB Europe plays a direct role in determining the purposes and means of processing such data.
In response to the Market Court’s latest ruling, Hielke Hijmans, Chair of the Litigation Chamber of the Belgian DPA, stated: “What is important to remember here is that this ruling by the Market Court, like that of the CJEU in 2024, confirms our position that the TC String is personal data and that IAB Europe acts as joint data controller for the processing of user preferences within the TCF. This clarification of key concepts in the GDPR has had and will continue to have a lasting positive impact on all those involved in the EU.”
IAB Europe welcomed the court’s rejection of the joint controllership designation for RTB data processing under OpenRTB but acknowledged that it remains responsible for the TCF’s operation. The organisation stated it had submitted a revised version of the framework for review by the Belgian DPA and other authorities.
In parallel with the legal proceedings, IAB Europe had submitted an action plan to address the identified infringements. Although this plan was approved by the Belgian DPA in January 2023, it too became the subject of further appeals by both IAB Europe and complainants.
The legal process surrounding the TCF has highlighted wider concerns about the lawfulness of the RTB ecosystem as a whole. RTB typically involves sharing personal data—sometimes including IP addresses, location data, and browsing history—with hundreds of third parties, often without adequate transparency or control. Critics argue that this constitutes a systemic breach of the GDPR.
The Market Court’s ruling is expected to accelerate scrutiny of tracking-based advertising across the European Union. With many publishers, platforms, and advertisers relying on RTB and TCF-compliant consent mechanisms, significant operational changes may now be required to align with legal standards.
The outcome marks a significant development in the regulation of digital advertising in Europe, reinforcing the principle that data collection for advertising must adhere strictly to legal requirements. It also establishes a clear precedent regarding the interpretation of key GDPR concepts, including the definition of personal data and the responsibilities of industry-standard-setting bodies such as IAB Europe.
Read also:
EU Court Fines European Commission for Breaching GDPR in Landmark Ruling
