On 14 May 2025, the Brussels Market Court delivered its ruling in the long-running litigation over IAB Europe’s Transparency & Consent Framework (TCF). While the Court annulled the Belgian Data Protection Authority’s (DPA) original decision, it exercised full jurisdiction to replace it, endorsing most of the DPA’s findings.
The Court confirmed that the TC String — the alphanumerical code that encodes user consent choices — qualifies as personal data, and that IAB Europe acts as a joint controller for its processing within the TCF. It upheld the GDPR infringements identified by the DPA and reimposed the EUR 250,000 administrative fine.
However, the Court narrowed IAB Europe’s role, judging it does not act as a controller for downstream personal data processing in real-time bidding (RTB). This distinction clarifies the scope of joint controllership in the AdTech ecosystem and compels TCF participants to reassess their compliance posture and exposure.
The AdTech ecosystem and the role of the TCF
OpenRTB
OpenRTB is the leading protocol for RTB auctions across the open web. It enables the automated sale of advertising space on independent news sites, blogs, mobile apps, and other ad-supported services.
When a user visits such a site, an automated system issues a bid request to advertising platforms. The request includes technical details about the user’s device and browser, approximate location, page context, and often a unique identifier such as a cookie ID. These details allow advertisers to infer the user’s interests or demographics, and determine whether they fit the targeting criteria for a specific ad. Advertisers evaluate the request in milliseconds and decide whether to bid. The highest bidder’s ad is shown as the page loads.
Although rapid and automated, this process entails broad dissemination of personal data to third parties, potentially unknown to the user.
The Transparency and Consent Framework
Article 5(3) of the ePrivacy Directive requires user consent before storing or accessing non-essential cookies and the GDPR requires for consent to be informed, specific and freely given. To address these requirements, IAB Europe introduced the TCF in 2017. The TCF is a voluntary standard combining technical specifications, contractual rules and policy requirements to enable consistent communication of users’ consent preferences across the AdTech ecosystem.
On sites that implement the TCF, users are shown a consent banner managed by a Consent Management Platform (CMP). The banner outlines the purposes of processing such as personalised ads or audience measurement, and lists participating vendors. Users can accept all purposes and vendors, reject them, or choose individual settings.
These choices are then encoded in a TC String, which is stored on the user’s device. The TC String records which purposes the user agreed to and which vendors are authorised to process data. It is then attached to bid requests to allow each vendor to verify whether it can lawfully process the data and potentially make a bid.
IAB Europe administers the TCF and plays a central role in its governance. It defines and enforces the TCF’s rules, maintains the list of registered TCF partners (the Global Vendor List), and has the authority to suspend non-compliant partners. Although not required for OpenRTB to function, the TCF is widely adopted in the industry and was the subject of legal scrutiny in the proceedings before the Belgian DPA and the Market Court.
Procedural history
2019 | Complaints against IAB and the TCF were filed with several DPAs across the EU. The Belgian DPA took the lead under the one stop shop mechanism. |
2 February 2022 | The Belgian DPA adopted Decision 21/2022. It labelled IAB Europe a joint controller for both the TCF and subsequent OpenRTB processing and imposed a EUR 250,000 fine. |
4 March 2022 | IAB Europe appealed to the Brussels Market Court. |
7 September 2022 | The Market Court issued an interim ruling and referred two questions to the Court of Justice of the European Union (CJEU):
|
7 March 2024 | The CJEU delivered its preliminary ruling, holding that:
The Market Court was tasked with verifying whether these conditions were met in the circumstances (more on the CJEU ruling in our previous blog post). |
14 May 2025 | The Market Court issued its ruling. |
Findings of the Market Court
The Market Court conducted its review using the full jurisdictional powers granted to it under Article 108 of the Act establishing the Data Protection Authority. This enabled the Court to annul the contested decision, reassess the merits, and issue a new decision.
The TC String constitutes personal data
In line with the CJEU’s preliminary ruling and the Belgian DPA’s decision, the Market Court confirmed that the TC String qualifies as personal data when it can be linked, through reasonable means, to an identifiable individual. It considered that such means were available to IAB Europe. Referring to IAB Europe’s own documentation, which requires CMPs and vendors to provide information upon request, the Court determined that IAB Europe has access to resources that could be used to identify users.
IAB Europe is a joint controller for processing operations within the TCF
The Market Court then assessed IAB Europe's influence over the purposes and means of processing, ruling that it qualifies as a joint controller for processing personal data within the TCF. This processing includes collecting, structuring, encoding, storing and transmitting users’ consent preferences via the TC String.
Regarding the processing purpose, the Market Court again referred to IAB Europe’s TCF Policies and FAQs, which describe IAB Europe as the Managing Organisation responsible for administering the framework. The Market Court found that IAB Europe shares the goal of structuring and transmitting user preferences with TCF members and promotes the TCF. Consequently, IAB Europe not only provides a standard, but also advances its own interests as an industry body.
Regarding the means of processing, the Market Court found that IAB Europe defines the required dataset, the structure of the TC String and the technical specifications for how consent must be collected and transmitted. It also has enforcement powers over TCF members. The Court considered these factors to show that IAB Europe directly organises the means of processing operations within the TCF.
The Market Court also took the view that other TCF partners act as joint controllers in their respective roles within the framework, but noted that no joint controller arrangement exists between them and IAB Europe, in breach of Article 26 GDPR.
IAB Europe is not a joint controller for downstream OpenRTB processing
The Market Court rejected the DPA’s conclusion that IAB Europe qualifies as a joint controller for processing personal data in the context of OpenRTB. The Court held that the DPA had not demonstrated that IAB Europe determines the purposes or means of processing activities carried out by publishers, vendors or other AdTech actors after the TC String has been generated and shared.
Applying the CJEU’s guidance, the Court reiterated that joint controllership requires concrete influence over each specific stage of processing and does not automatically extend along a processing chain — it must be substantiated for each operation. Although IAB Europe designed the TCF to enable GDPR-compliant advertising, this did not entail involvement in how participants use TC Strings during real-time bidding.
In the absence of any documentation or conduct suggesting control over the means and purposes of downstream OpenRTB data processing, the Court concluded that IAB Europe could not be considered a joint controller.
GDPR violations and sanction upheld
Having established that IAB Europe acts as a joint controller for TC String processing within the TCF, the Market Court ruled that it had committed multiple infringements of the GDPR.
No valid legal basis (Articles 5(1)(a) and 6 GDPR): The Market Court found that IAB Europe failed to identify a lawful basis for its processing of the TC String.
Transparency violations (Articles 12, 13, and 14 GDPR): The Court found that IAB Europe did not inform users of its role as a joint controller or provide essential information such as the legal basis for processing, categories of data collected, recipients, or users' rights. Its privacy policy only applied to members, stakeholders, and TCF participants, and made no mention of end users. The Court also confirmed that these obligations could not be delegated to CMPs or publishers.
Inadequate safeguards and oversight (Articles 24, 25, 32 GDPR): IAB Europe did not implement sufficient measures to ensure the integrity of the TC String. Validation procedures were limited to pre-deployment checks of CMP software and did not cover the consent signals transmitted in practice. The Court noted the absence of any effective system to detect or prevent manipulation of the TC String and found that IAB Europe did not actively monitor participant compliance.
Missing documentation and risk assessment (Articles 30 and 35 GDPR):
The Court found that IAB Europe had not conducted a data protection impact assessment, despite the large-scale nature of the processing and potential risk to the rights and freedoms of data subjects. It also failed to include TCF-related activities in its record of processing, which focused only on internal administrative operations.
Failure to appoint a DPO (Article 37 GDPR): IAB Europe had not appointed a data protection officer, even though it carried out regular and systematic monitoring of data subjects across the EU.
Sanctions: The Court upheld the EUR 250,000 administrative fine imposed by the DPA.
As confirmed by the Market Court, the ruling only concerned the version of the TCF that was under review at the time of the Belgian DPA’s decision, namely version 2.0. Following Decision 21/2022, IAB Europe submitted a corrective action plan, which the DPA validated in January 2023. Version 2.2 of the TCF was launched on 16 May 2023 in execution of that plan, with implementation by all participants required by 20 November 2023. However, that validation predated the Market Court’s legal reasoning, and there has been no judicial assessment of whether version 2.2 fully addresses the infringements confirmed by the Court.
Stakeholder reactions and takeaways for the AdTech sector
The ruling has prompted reactions from both IAB Europe and the Belgian DPA, each claiming partial success.
The DPA emphasised that the Court upheld its findings that IAB Europe committed multiple GDPR infringements in connection with its role in the TCF and stated that it must now analyse the ruling in more detail. It remains to be seen whether the DPA will consider TCF version 2.2 sufficient in light of the Market Court’s findings.
Meanwhile, IAB Europe welcomed the Market Court's ruling, noting that it confirms “it was right to appeal” and that the newest TCF version 2.2 only needs “minor changes to be readily implemented” to ensure compliance.
For the time being, the most immediately relevant aspect of the ruling is the Court’s clarification of joint controllership within the TCF. IAB Europe is expected to integrate a formal joint controllership arrangement into the framework that complies with Article 26 of the GDPR. TCF participants should review this arrangement and assess whether it aligns with their role and responsibilities.
In parallel, participants may wish to review their real-time bidding practices in light of Court’s findings. The Court confirmed that IAB Europe is not a joint controller for downstream processing carried out via OpenRTB. This means that each publisher, vendor or intermediary involved in real-time bidding must ensure that profiling, bid-request broadcasting and related data flows comply with the GDPR. Participation in the TCF does not, in itself, guarantee that they meet these obligations.
Though the ruling concludes the proceedings concerning TCF version 2.0, it does not preclude further developments, especially regarding the interpretation of joint controllership. While grounded in the CJEU’s position, the ruling reflects the Market Court’s own interpretation of the roles within the ecosystem, which could be approached differently by other Member State courts or the CJEU in future cases.
With multiple GDPR infringements judicially confirmed, the risk of civil claims by data subjects or representative organisations against IAB and TCF participants cannot be excluded. Any litigation is likely to raise challenging questions regarding the extent of joint responsibility among the many participants in the ecosystem, how affected data subjects can demonstrate damages incurred and the degree to which individual entities can be held accountable for systemic failures in a framework that they helped to implement.