The Belgian Market Court (Brussels Court of Appeal) issued a ruling on May 14, 2025 in the dispute between IAB Europe and the Belgian Data Protection Authority (APD) over the Transparency & Consent Framework (TCF). This case has attracted wide attention, since the TCF underpins how many publishers and advertisers manage user consent for online ads (especially Real-Time Bidding, or RTB) under the EU’s GDPR. In February 2022, the Belgian DPA had fined IAB Europe €250,000 and required changes to the TCF, alleging among other things that the TCF’s “TC String” signals are personal data and that IAB Europe was acting as a joint controller for downstream ad processing. IAB Europe appealed that decision, and after preliminary questions went to the Court of Justice of the EU (CJEU) in March 2024, the Belgian Market Court has now delivered its final judgment. In summary, the court annulled the 2022 APD decision for  procedural reasons (agreeing that the APD had not fully substantiated its claims) but upheld the substantive points that TC Strings are personal data and that IAB Europe is a joint controller – with very limited scope. Crucially, the court rejected the notion that IAB Europe controls the entire RTB process. In practical terms, this ruling clarifies controller responsibilities in the ecosystem, but does not ban the TCF or RTB. Below we unpack the ruling, dispel common misconceptions, and discuss what it means for advertisers and the programmatic industry.

‍

Context and Background

‍

To understand the ruling’s implications, it helps to review the timeline and parties involved:

‍

• The TCF and TC String: The Transparency & Consent Framework (TCF) is an industry standard managed by IAB Europe. It allows websites, advertisers, and tech vendors to record a user’s consent preferences for tracking and personalized advertising in a compact “TC String.” That string encodes which legal bases (consent/legitimate interest) a user has given for categories of data usage. In real-time bidding (RTB), the TC String is passed between ad tech partners to signal the user’s choices, so that ads can be targeted only when lawful.
• February 2022 APD Decision: On Feb 2, 2022 the Belgian Data Protection Authority (Autorité de protection des données, APD) published Decision 21/2022. It concluded that the TC String is personal data and that IAB Europe is a joint controller for all processing of that data in the TCF and RTB ecosystem. The APD fined IAB Europe €250,000 and required IAB Europe to submit an action plan to make the TCF compliant. All other EU data protection authorities (via the one-stop-shop mechanism) endorsed this decision.
• Appeals and CJEU Referral: IAB Europe appealed the 2022 decision to the Brussels Court of Appeal (Market Court). Before ruling on the case, the Market Court decided to refer two preliminary questions to the CJEU: : (1) Can a TC String be “personal data” under the GDPR? and (2) Is IAB Europe a (joint) controller for the processing of TC Strings and for the subsequent processing (such as ad targeting) that uses those TC Strings.
• March 2024 CJEU Ruling: In March 2024, the CJEU answered those questions. It held that a TC String can be personal data if it relates to an identified or identifiable person – for example, if it can be linked (even indirectly) to an IP address or device identifier. The CJEU confirmed that IAB Europe is a joint controller for the creation and use of TC Strings (since it jointly defines the purpose and means of that processing). However, the CJEU also indicated that IAB Europe may not be a controller for later ad processing – it left that point open for the Belgian court to decide based on the facts.

‍

In plain language the courts have established that consent signals (TC Strings) fall under GDPR protection, and that IAB Europe must treat them as personal data in the narrow context of the framework. But beyond that, the court has removed IAB Europe from any control over actual ad auctions or personalization. The TCF itself survives as a legal mechanism for gathering and sharing consent, albeit with some updated obligations.

‍

Key Legal Clarifications

‍

The Market Court’s ruling makes several important legal points. The technical language can be summarized as follows:

‍

• TC Strings are personal data. The court confirms that a TC String – the bit of data recording a user’s consent preferences under the TCF – qualifies as “personal data” under the GDPR. This follows the CJEU’s logic that such a string “contains the individual preferences of a specific user” regarding their personal data. In practice, while a TC String alone might not identify someone, it relates to an identifiable person because it is tied to their specific profile of consent choices. If that string can be linked (even by combining it with other data like an IP address) to a person, it falls within the GDPR’s scope. The upshot is that all parties handling TC Strings must treat them as  personal data – i.e. requiring a lawful basis (typically, the user’s consent) and respecting data subject rights.
• IAB Europe’s Limited Joint-Controller Role. The court holds that IAB Europe is a joint data controller only for the creation and encoding of the TC Strings. Because IAB Europe runs the TCF standard (setting the purposes and means of processing the string of user preferences), it shares control specifically over the processing of that consent string. For example, by defining the format and rules for TC Strings, IAB Europe influences how user consents are captured and shared, making it a co-controller in that narrow sense.
• No Controller Role for Subsequent Ad-Targeting. Crucially, the Belgian court rejects the APD’s view that IAB Europe is a controller of later ad processing. In other words, IAB Europe is not responsible for how publishers, advertisers, or DSPs use the TC Strings to target ads. Those participants remain controllers (or processors) for their own data usage in RTB. This mirrors the CJEU’s guidance that IAB Europe’s role ends with the TCF mechanics, not the downstream ad business.
• No Ban on TCF or RTB. Importantly, the ruling does not outlaw the TCF or RTB. Some early media reports sensationalized the decision as declaring the entire TCF illegal, but that is inaccurate. Both IAB Europe and industry commentators emphasize that the TCF “remains a best-practice standard” for GDPR compliance. The court itself did not say “stop using TCF” – it said “apply the GDPR correctly to this part of the process.” The decision clarifies legal responsibilities; it does not prohibit continuing the framework. In sum, the TCF as a consent mechanism survives, albeit with some tweaks already underway.

‍

What This Means for the Industry

‍

Consent Management and Vendors. Companies that provide Consent Management Platforms (CMPs) or otherwise handle TC Strings should note that these strings are now confirmed personal data. Practically, CMPs must ensure TC Strings are stored securely (e.g. encrypted) and are, if necessary, included in any data protection impact assessments or records of processing. TC Strings should be tied to user profiles in a way that supports legal compliance: CMPs must be able to delete or update a string if a user withdraws consent, and honor data subject rights (including right to access or erase their consent data) under GDPR. In other words, treat the consent record itself with the same care as other personal data you hold.

‍

Publishers, Advertisers, and DSPs. The ruling clarifies that each party in the RTB chain retains responsibility for its own data use. Publishers (websites/apps) and advertisers should continue to rely on user consent as the lawful basis for personalization. The fact that TC Strings are personal data means advertisers should document how they use those strings: for example, privacy notices may explicitly mention that the ad partner uses a consent string to drive ad personalization.

‍

Industry Standards and Trust. Perhaps most broadly, the ruling sends an encouraging signal that collective consent standards like the TCF are still valid. As IAB Europe put it, the TCF “remains a best-practice standard” for meeting GDPR and ePrivacy requirements. In fact, the Belgian court’s focus on procedure and clarity – rather than outright banning the framework – underscores that regulators expect robust consent mechanisms, not their elimination. The decision helps preserve a common approach: publishers and vendors can continue to build on the TCF (and its upcoming versions) rather than each reinventing separate consent systems. It also reinforces the message that industry self-regulation must go hand-in-hand with compliance; future iterations of the TCF will incorporate the court’s guidance (as we discuss below) to strengthen user privacy while keeping advertising viable.

‍

Recommendations for Advertisers and Partners

‍

In light of this ruling, advertisers and their legal/privacy teams should take the following steps to stay compliant without overreacting:

‍

• Treat TC Strings as personal data. Update your data inventories and processing records to list the TC String as a form of personal data. In practice, that means applying the GDPR’s rules to how you store and use those strings. Ensure you have a legal basis for processing them (most likely the user’s explicit consent) and that you can respond to user requests about their consent information. ‍
• Update Contracts and Policies. Since the court draws new lines around controller duties, consider revising any agreements with partners. For example, if you are a publisher or agency using the TCF, review your joint-controller or data-processing agreements Ensure that contracts with CMP vendors specify each party’s responsibilities for handling TC Strings. This helps document that each organization only governs its own piece of the chain, in line with the ruling.‍
• Implement TCF Enhancements. IAB Europe had already developed an action plan in 2023 to address these issues, and many of those updates are released in TCF version 2.2 (May 2023). Advertisers should make sure they are running the latest TCF version. ‍
• Stay Calm and Communicate. It’s important not to panic or scrap RTB. The decision is about legal definitions, not product viability. Remind internal stakeholders that the core approach stays the same: continue using the consent string to drive targeting, but do so under a clear legal framework. Share this analysis with your technical and compliance teams so they understand the ruling. If necessary, educate your marketing/IT teams that TC Strings must be managed as personal data according to the GDPR. Finally, continue to build user trust: emphasize that your ad technology respects people’s choices, and that you welcome the clarification the courts have provided.

‍

Conclusion

‍

The Belgian Market Court’s ruling is a significant milestone for data privacy in advertising, but it is not a fatal blow to RTB or consent-based targeting. Rather, it sharpens the rules:TC Strings are personal data, and the makers of the framework bear limited responsibility for them. For advertisers and publishers, the takeaway is to keep using consent frameworks like the TCF as intended, with full GDPR care, rather than abandoning them. At Adlook, we have always prioritized privacy and compliance. We welcome the clarity this ruling provides. Our platform already handles user consents according to the highest GDPR standards, and we will continue to adapt to any framework updates. We encourage our partners to focus on robust privacy processes – after all, respecting consumer consent is both a legal obligation and a business imperative. Programmatic advertising does and can continue to work in harmony with data protection law. By treating TC Strings as personal data, assigning controller duties correctly, and keeping transparency at the forefront, the industry can maintain effective targeting and the public’s trust. Adlook remains fully GDPR-compliant and committed to supporting a transparent, privacy-respecting digital advertising ecosystem for all our clients and partners.

‍

‍