GDPR

Is the TC String a personal data and IAB Europe a data controller?

Joris Deene
7 months ago
262 views
11 minutes reading time

Introduction

On May 14, 2025, the Market Court (Brussels Court of Appeal) pronounced in an important data protection case in the online advertising industry. The case revolves around IAB Europe and her Transparency & Consent Framework (TCF)., a system widely used to record Internet users' consent to the processing of their personal data for targeted online advertising.

This ruling is the result of a legal battle that began with a decision by the Belgian Data Protection Authority (GBA) on Feb. 2, 2022, followed by an appeal against the decision by IAB Europe to the Market Court, a preliminary question to the European Court of Justice and finally this ruling by the Market Court.

In this contribution, I explain what the ruling means for the data protection law, what impact it has on the digital advertising industry and why different parties have different interpretations of this complex decision.

What is the TCF and what are TC Strings?

Before discussing the ruling, it is important to understand exactly what the Transparency & Consent Framework (TCF) is:

The TCF is a framework developed by IAB Europe that enables websites and apps to record and share users' preferences about the processing of their personal data with ad tech companies. It is essentially a standard that ensures that users' preferences about the collection and processing of their data for targeted advertising are stored and transmitted within the digital advertising ecosystem.

When you come to a website and get a cookie pop-up, the TCF records your consent or objection in a so-called "TC String" (Transparency & Consent String) - a digital signal that contains your choices. This TC String is then shared with all participants in the TCF system, such as advertising companies that want to show targeted ads based on your data.

The original decision of the GBA

Retrieved from Feb. 2, 2022, the Belgian GBA ruled that:

  1. TC Strings are personal data because they can be linked to identifiable individuals, for example through the IP address.
  2. IAB Europe is a data controller (together with the other TCF participants) for the data processing that takes place within the TCF.
  3. IAB Europe is also (jointly) responsible for further processing by TCF participants, such as for personalized advertisements.
  4. The TCF violates several provisions of the AVG, including lack of a lawful basis for processing, lack of transparency, and data protection deficiencies by design.

The GBA fined IAB Europe €250,000 and required significant changes to the TCF. It is important to note that the GBA's decision was approved by all relevant data protection authorities in the EU through the one-stop-shop mechanism.

The preliminary questions to the Court of Justice

IAB Europe appealed this decision to the Markets Court. The Markets Court stated on September 7, 2022 preliminary questions to the Court of Justice of the European Union:

  1. Whether TC Strings are personal data
  2. Whether IAB Europe can be considered a data controller for TC Strings
  3. Whether IAB Europe can be considered a data controller for subsequent processing by TCF participants

On March 7, 2024, the EU Court ruled in case C-604/22 that:

  • TC Strings are indeed personal data, even from IAB Europe's perspective, when they can be linked to identifiers such as IP address
  • IAB Europe may be jointly responsible for the creation and use of TC Strings if it influences the purpose and means of processing
  • IAB Europe is not necessarily joint data controller for further data processing by TCF participants, such as for personalized advertisements

Market court ruling

On May 14, 2025, the Markets Court ruled:

  1. TC Strings's personal data: The Court confirms that TC Strings are personal data within the meaning of Article 4(1) of the GDPR.
  2. IAB Europe is joint data controller for TC Strings: The Court finds that IAB Europe is indeed a (joint) data controller for the processing of TC Strings within the TCF, given its role as manager of the framework.
  3. IAB Europe is NOT a joint controller of further processing operations: Crucially, the Market Court held that IAB Europe is NOT responsible for the further processing that TCF participants perform based on preferences stored in TC Strings, such as personalized ads. Thus, the Court rejects the GBA's conclusion that IAB Europe acts as a (joint) controller for the processing operations that take place entirely within the OpenRTB protocol.
  4. Breaches of the AVG: Court confirms that IAB Europe violated several AVG provisions, including:
    • Article 5.1.a (lawful, proper and transparent processing)
    • Article 6 (lawfulness of processing).
    • Article 12-14 (transparency and disclosure).
    • Article 24-25 (accountability and data protection by design)
    • Article 30 (register of processing activities)
    • Article 32 (security of processing)
    • Article 35 (data protection impact assessment)
    • Article 37 (appointment of data protection officer).
  5. Destruction on procedural grounds, but substantive affirmation: The Markets Court overturned the GBA's decision 21/2022 on procedural grounds, but endorsed the GBA's substantive reasoning and upheld the fine of €250,000 imposed.

The different interpretations of the ruling

What is striking is that several parties, such as IAB Europe and the DPA, interpret the statement in a different way:

According to IAB Europe :

  • The statement is nuanced and not as unequivocal as some claim.
  • The Markets Court overturned an important part of the GBA's original decision, namely the part that found IAB Europe to be a joint controller of further processing under OpenRTB.
  • Nowhere in the ruling does it state that "the TCF is illegal."
  • The conclusion about TC Strings as personal data is based on one sentence in the v2.0 policy that has since been updated in version 2.2.
  • Many of the breaches mentioned concern version 2.0 of the TCF, while version 2.2 already contains many improvements.

According to the complainants and the GBA:

  • The Court upheld all the violations alleged by the complainants.
  • The TC String is indeed personal data.
  • The TCF is not a paper standard but a real system that processes personal data.
  • IAB Europe is the data controller for data processing within the TCF.
  • IAB Europe and the participating companies are joint controllers of the processing in the TCF.
  • IAB Europe cannot invoke a valid legal basis for processing TC Strings.
  • IAB Europe violates duty of information to Internet users.
  • IAB Europe violates data protection obligations by design, by default and by security.

Analysis of different viewpoints

1. TC Strings as personal data

IAB Europe claims that the conclusion that TC Strings are personal data is based only on "one sentence in the v2.0 policy that has since been updated in version 2.2."

My analysis: This argument by IAB Europe is legally weak. Both the CJEU and the Markets Court have ruled, after thorough analysis, that TC Strings are personal data because they can be linked to identifiers such as IP addresses. The definition of personal data in the AVG is functional and looks at the result, not wording in policies. Changing a sentence in a policy document does not change the factual, technical nature of TC Strings. TC Strings remain personal data if they can be used in practice to identify natural persons directly or indirectly.

2. IAB Europe as data controller for TC Strings.

Both sides interpret the ruling differently regarding the degree of responsibility of IAB Europe.

My analysis: The Market Court (and earlier the Court of Justice) is persuasive here: IAB Europe is indeed a data controller for TC Strings. IAB Europe determines the purpose and means of processing by designing the TCF framework, establishing the specifications, and controlling participation. The fact that IAB Europe itself does not have direct access to the TC Strings does not diminish this responsibility. Article 4(7) AVG defines a controller as the one who "determines the purposes and means of the processing of personal data," which is exactly what IAB Europe does for TC Strings.

3. IAB Europe as data controller for OpenRTB.

This is a crucial point of contention: IAB Europe stresses that the Markets Court rejects the GBA's conclusion that IAB Europe is responsible for processing within OpenRTB.

My analysis: On this point, IAB Europe has been vindicated legally. The Market Court made an important distinction between the TCF (for which IAB Europe is a data controller) and OpenRTB (for which IAB Europe is not). This distinction is legally correct: for joint processing responsibility, there must be actual influence over the purpose and means of processing. IAB Europe has no direct influence over how individual participants further process data within OpenRTB. This is a significant legal victory for IAB Europe and significantly limits their liability.

4. Has the TCF been declared illegal?

Some messages suggest that "the TCF is illegal," while IAB Europe stresses that this is nowhere in the ruling.

My analysis: IAB Europe is legally correct here. The Markets Court identified specific AVG violations that must be remedied, but did not declare the TCF as a system fundamentally illegal. The TCF can, with appropriate modifications, be AVG-compliant. This is an important nuance difference: the system is not inherently illegal, but its implementation by IAB Europe showed breaches that must be corrected.

5. Significance of the annulment of the GBA decision.

Both parties interpret the annulment of the GBA decision differently.

My analysis: This is a legally complex situation in which both sides are partly right. Procedurally, IAB Europe has a point because the GBA's decision was indeed overturned. But substantively, the GBA was largely right, as the Markets Court endorsed the GBA's reasoning and upheld the sanction. The Markets Court overturned the decision for procedural reasons, but not because of substantive errors in the GBA's assessment. This is an important legal nuance that leads to different interpretations on both sides.

6. Relevance of TCF v2.2 enhancements.

IAB Europe stresses that many of the breaches mentioned relate to version 2.0, while version 2.2 already contains many improvements.

My analysis: This argument has legal validity, but limited practical impact. The lawsuit was indeed specifically about TCF v2.0, and IAB Europe has made several improvements in version 2.2. However, the fundamental legal issues (TC Strings as personal data, IAB Europe as a TCF data controller) remain unchanged, regardless of version. The improvements in v2.2 may help resolve some violations, but do not change the underlying legal principles.

Conclusion of my analysis

After reviewing all the opinions, I conclude that the Market Court's ruling is nuanced, with both sides being partially right:

  1. The GBA has been vindicated on fundamental issues: TC Strings are indeed personal data and IAB Europe is a data controller within the TCF.
  2. IAB Europe has won a victory by having the Court rule that it is not responsible for further processing under OpenRTB. This significantly limits their liability.
  3. The claim that "the TCF is illegal" is legally unsubtle and incorrect. The TCF must be modified to comply with the AVG, but the concept has not been declared fundamentally illegal.
  4. The improvements made by IAB Europe in version 2.2 are relevant, but do not change the fundamental legal principles.

The practical implications of the ruling

So what does this ruling mean for practice?

  1. For IAB Europe:
    • IAB Europe must work on the action plan previously approved by the GBA, although some parts of it may now be irrelevant due to the determination that IAB Europe is not a joint controller for further processing.
    • The €250,000 fine remains.
    • IAB Europe must take further steps to comply with AVG obligations regarding TC Strings.
  2. For users of the TCF (websites, ad networks):
    • There will be more clarity about their responsibilities within the TCF system.
    • They remain solely responsible for the further processing of personal data in the context of personalized advertisements.
    • They must ensure that they comply with AVG obligations in their use of the TCF.
  3. For Internet users:
    • The ruling confirms that their consent preferences (TC Strings) are personal data and should be protected as such.
    • The TCF should better inform users about the processing of their data.
    • Users should have more control over their consents and objections.

Conclusion

The Markets Court ruling brings important clarification to a complex issue. It confirms that TC Strings are personal data and that IAB Europe is a data controller for the processing of these data within the TCF. At the same time, it recognizes that IAB Europe is not responsible for any further processing that takes place on the basis of TC Strings.

For the digital advertising industry, this ruling means that the TCF must evolve further to become fully AVG-compliant. For Internet users, it is confirmation that their consent preferences must be protected as personal data.

If your organization uses or is considering using the TCF, it is advisable to:

  1. To check that you are using the latest version of the TCF (v2.2 or later).
  2. Evaluate your implementation of the TCF for compliance with the AVG.
  3. To ensure maximum transparency to users.
  4. Take your responsibilities as a data controller seriously.
For legal advice on implementing the TCF in your specific situation, please contact our lawyers specializing in data protection.

Joris Deene

Attorney-partner at Everest Attorneys

View all posts

You might also like this

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be

Topics