News

EU digital advertising: IAB Europe and the allocation of liabilities for the TCF

21 May 2025

On May 14, 2025, the Belgian Market Court delivered a landmark ruling regarding IAB Europe’s role in the Transparency and Consent Framework (TCF). The Court confirms that TC Strings qualify as personal data and that IAB Europe must be regarded as a joint controller under the GDPR, but only for its own processing of TC Strings. This ruling marks the end of a litigation saga which, beyond the TCF, clarifies the allocation of responsibilities in joint controllerships under the GDPR. But the exact roles and responsibilities of other stakeholders in the digital advertising ecosystem are not directly addressed by the Court.

What is the TCF and how does it work?

In accordance with the 2002/58 "ePrivacy" Directive, user consent must be obtained before placing “non-essential” cookies or other tracking technologies on a user’s device, typically via a Consent Management Platform (CMP) displayed as a banner on websites.

In 2017, IAB Europe developed the TCF, a standardized set of contractual, ethical, and technical rules designed to help its members (vendors) collect and share user consent for the use of cookies within the advertising ecosystem, particularly in the context of real-time bidding (RTB) for online advertising.

How the TCF works:

Website users’ preferences are recorded by the CMP implemented by the website’s publisher. Users can choose to accept or refuse cookies on their device for the purposes defined and described by the TCF and displayed through the CMP when accessing the website of a publisher.
These choices and their related purposes are encoded in a standardized format called the “Transparency and Consent String” (TC String).
The TC String is then shared with all TCF vendors willing to implement cookies on the user’s device, to ensure they comply with the user’s choices as collected through the CMP.

This mechanism allows the TCF to translate user preferences into a chain of attributes (string) that can be automatically interpreted by advertisers, platforms, and vendors in relation with the TCF protocol.

Challenging the TCF: a six year long procedure

Due to its fast and broad development within the EU digital advertising ecosystem (up to 80% of the RTB), the TCF has been the subject of legal challenges seeking to address breaches of the GDPR.

Here are the key highlights of this legal saga:

2019	The Belgian DPA received several complaints against IAB Europe regarding the TCF’s compliance with the GDPR and the ePrivacy Directive (Article 5§3 for cookies).
February 2, 2022	The Belgian DPA ruled that IAB Europe acted as a data controller for the data processed via TC Strings and ordered the association to comply with GDPR requirements.¹
March 4, 2022	IAB Europe appealed the decision before the Brussels Market Court, arguing that the TC String is not personal data, and that, in any case, IAB Europe did not determine the data processing purposes or means and therefore could not be qualified as a data controller.
September 7, 2022	Brussels Market Court referred several preliminary questions to the Court of Justice of the European Union (CJEU) under Article 267 TFEU, seeking clarification on: Whether a TC String qualifies as personal data processing under Article 4(1) GDPR, even though it does not directly identify users; Whether IAB Europe can be considered a data controller for the processing of TC Strings under the GDPR; and The criteria to determine joint controllership, and the extent of IAB Europe’s liability.
March 7, 2024	In its ruling C-604/22,² the CJEU determined that (i) the TC String does constitute personal data, particularly when it can be linked to an IP address or other identifiers accessible to members of the TCF, and (ii) IAB Europe is considered a joint controller, as it plays a decisive role in setting the purposes and means of processing through the TCF standard, despite not directly collecting or storing the data. The Court limited IAB Europe’s responsibility to the initial recording of user preferences (e.g., consent signals), explicitly excluding subsequent uses such as personalized advertising by other actors, unless IAB Europe also jointly determines those purposes or means. In so doing, the CJEU disapproved of the Belgian DPA's decision to hold joint controllership for processing operations beyond the TC String.
May 14, 2025	The case is referred back to the Brussels Market Court by effect of the CJEU ruling to determine IAB Europe's degree of responsibility.³

Key takeaways of the ruling from the Belgian Market Court

1. TC Strings qualify as personal data

In line with both the DPA and CJEU rulings, the Market Court confirms that the TC String must be regarded as personal data under Article 4(1) of the GDPR when it can be linked to an identifiable user through reasonable means, such as an IP address.

The Court conducted a detailed analysis and emphasized that identifiability does not require IAB Europe to have direct access to all users’ personal data, thereby confirming the CJEU's previous case law.⁴

2. IAB Europe is a joint controller with TCF Participants, but solely for the TC String

The Market Court confirms that IAB Europe is a joint controller regarding processing operations within the TCF. However, contrary to the DPA's position, IAB Europe does not act as a joint controller for processing operations that occur entirely under the OpenRTB protocol.

The Court held that: “In conclusion, while the contested decision is admittedly procedurally flawed as set out in the Interlocutory Judgment, IAB Europe's substantive grievances against the contested decision are unfounded, except to the extent that the contested decision holds that IAB Europe acts as a (joint) controller of the processing operations that take place entirely under the OpenRTB protocol.

The Market Court also confirms the sanctions imposed on IAB Europe by the Contested Decision that relate solely to processing operations within the TCF. It is not necessary to refer the case back to the Dispute Resolution Chamber, nor is it legally required for the Market Court to proceed with a European consultation procedure.”

IAB Europe is not considered a joint controller for the processing operations carried out entirely under the OpenRTB protocol, due to the absence of sufficient evidence demonstrating such a role.

IAB Europe is a joint controller of the processing operations within the TCF because it:

sets the overarching purpose of the processing within the TCF, namely to facilitate consent management and enable online advertising across the digital advertising ecosystem;
determines essential means (it defined and imposed binding technical specifications on how CMPs must collect, store, and transmit users’ consent preferences via TC Strings);
enforces certain binding rules (IAB Europe can suspend or exclude non-compliant vendors, demonstrating a clear enforcement and oversight role); and
has a significant role related to the operations as IAB Europe exercises a decisive influence over the practical modalities of processing, including how TC Strings are formatted, distributed, and interpreted within the framework.

Although IAB is a joint controller with the parties processing personal data with it under the TCF. the Court points out the absence of any joint controller agreement.

The Market Court states that “the allocation of responsibilities is thus a matter for the joint controllers themselves.” Since IAB Europe, CMPs, vendors, and publishers all have considerable influence over how data is processed under the TCF, the Court rejects the idea that any one party is less responsible. In the absence of a clear allocation of roles, they are therefore held equally and jointly responsible for GDPR compliance.

The Court also cautions that unclear or overly complex arrangements between joint controllers could undermine the principles of lawfulness and transparency, making it essential to have clear, practical agreements in place.

3. The Court overturns DPA’s decision while upholding some of its findings regarding GDPR infringements

Due to procedural errors, the Belgian DPA's decision is overturned by the Market Court. However, some findings of the DPA regarding GDPR violations are upheld by the Court.

The Market Court expressly limited IAB Europe’s responsibility to the processing operations directly governed by the TCF. It explicitly excluded processing operations carried out entirely under the OpenRTB protocol used by the digital advertising ecosystem, determining that IAB Europe cannot be held liable for processing activities over which it exercises neither factual nor decision-making control.

This limitation reduces the scope, but not the principle, of the GDPR infringements held by the Belgian DPA, that the Court reaffirms. The IAB, while defining TCF v1.1 (launched on April 25, 2018) and TCF v2.0 (launched from August 21, 2019), failed to:

provide a legal basis for the processing of user preferences under the TCF (Articles 5.1.a and 6 GDPR);
provide transparency and inform users in an efficient and clear manner (Articles 12, 13, and 14 of the GDPR);
implement appropriate technical and organizational measures to verify the validity of consent signals in the TCF system and enable proper control or accountability mechanisms (Articles 24, 25, 5.1.f, and 32 of the GDPR);
maintain a record of processing activities (Article 30 of the GDPR);
conduct data protection impact assessments (Article 35 of the GDPR); and
appoint a Data Protection Officer (Article 37 of the GDPR).

However, following the Belgian DPA's ruling in 2022, and in accordance with the compliance action plan validated on January 11, 2023, by the Belgian DPA, most of these infringements had already been addressed by IAB. In practice, the TCF v2.1 (launched from August 19, 2020) and v2.2 (launched from May 16, 2023, and replacing previous versions since November 20, 2023) were not targeted by this proceeding.

Consequently, the practical implications of this Market Court decision are relatively mitigated but remain significant regarding the role and classification of parties within the digital advertising ecosystem.

Epilogue

The Market Court's decision has been the subject of communication campaigns by both parties, each claiming victory. This is not far from the truth.

Yes, the TCF v1.0 and v2.0 were infringing the GDPR until August 2020, but no, IAB is not responsible for the entire processing chain under these previous versions of the TCF, as alleged by the Belgian DPA.

Based on this epilog, IAB Europe should soon offer the digital advertising ecosystem a new contractual framework illustrating the new scope of a limited joint controllership.

The future will reveal whether privacy advocates may seize the opportunity of this decision to strike back on the validity of consent for previous versions of the TCF, and if so, how statutes of limitation and the complexity of joint controllership involving hundreds of businesses might be tried by civil courts handling damage claims.

Authored by Etienne Drouard, Joséphine Beaufour, Rémy Schlich, Sarina Singh

1/ Belgian Data Protection Authority, Litigation Chamber, Case number: DOS-2019-01377, Decision on the merits 21/2022 of 2 February 2022.

2/ CJEU, IAB Europe, case C-604/22, March 7, 2024.

3/ Brussel Market Court, case 2025/3556, dated May 14, 2025.

4/ CJEU, Tietosuojavaltuutettu, case C-25/17, July 10, 2018.