02-14-2022 Article

Belgian data protection supervisory authority rules: TCF 2.0 – Large parts of programmatic online marketing – unlawful!

Update Data Protection No. 109

In its decision of February 2, 2022, the Belgian data protection supervisory authority declared the Transparency and Consent Framework 2.0 ("TCF 2.0") and a number of data processing operations of the Interactive Advertising Bureau Europe ("IAB") to be unlawful. This has potentially far-reaching consequences, as most German websites use consent management platforms ("CMPs") that follow the rules of TCF 2.0 to obtain declarations of consent. In addition, almost all significant participants in the global online advertising ecosystem comply with these rules.

Background: The IAB TCF 2.0

The IAB developed the TCF 2.0 to establish uniform standards for consent to the use of cookies and similar technologies, to obtain declarations of consent for various aspects of online marketing, and thus to achieve the highest possible level of GDPR compliance. Each party involved must undertake to process data only for purposes that have been transparently presented and for which permission has been granted in accordance with the GDPR. To this end, purposes have been defined that reflect different aspects of online marketing. For example, a strict distinction is made between the display of simple advertisements (without personalization), the statistical analysis of user behavior and the determination of a personalized advertising profile. All advertising tool providers (in TCF 2.0 terminology, the "vendors") must provide extensive information when registering (such as details of the cookies and similar technologies used and information about which data is processed for which purpose).

The "TC-String" and the technical ecosystem of the IAB

In addition to the TCF 2.0, the IAB also operates a technical ecosystem. It allows, for example, updates that a vendor provides for its advertising tool (such as the indication that an additional data item is being processed) to be automatically transmitted to all providers of a CMP, so that the website operator (called the "publisher" at the IAB) always has up-to-date transparency information and can always obtain an updated declaration of consent for its website. In addition, the forwarding of a declaration of consent is controlled centrally by the IAB. If a user submits a declaration of consent on a website with a CMP that follows the rules of TCF 2.0, the CMP creates a so-called "TC string", i.e. a pseudonymous data item that contains information about which purposes and which vendors the user has accepted and/or rejected. This TC string is then forwarded via standardized IAB interfaces to the advertising tool providers that the respective website operator has implemented on its website. This is the most technically and legally complex project for the standardization of declarations of consent in online marketing and for achieving a high level of GDPR compliance in this area.
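To make concrete what such a TC string carries, the following added example (not part of the original article and not IAB code) decodes the core segment of a TCF v2 TC string into its purpose and vendor consent lists. The field widths follow the IAB's published TC string format as assumed here and should be checked against the current specification; `decodeTcCore`, `encodeTcCore` and `SAMPLE` are hypothetical names, and the sample string is constructed.

```javascript
// Added example: core-segment field widths of a TCF v2 TC string, in bit order.
const FIELDS = [["version", 6], ["created", 36], ["lastUpdated", 36],
  ["cmpId", 12], ["cmpVersion", 12], ["consentScreen", 6],
  ["consentLanguage", 12], ["vendorListVersion", 12], ["tcfPolicyVersion", 6],
  ["isServiceSpecific", 1], ["useNonStandardStacks", 1],
  ["specialFeatureOptIns", 12], ["purposesConsent", 24],
  ["purposesLITransparency", 24], ["purposeOneTreatment", 1],
  ["publisherCC", 12], ["maxVendorId", 16], ["isRangeEncoding", 1]];
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
const BITFIELDS = new Set(["specialFeatureOptIns", "purposesConsent", "purposesLITransparency"]);
// base64url text -> string of '0'/'1' characters, six bits per character
function toBits(text) {
  return [...text].map((c) => {
    const i = B64.indexOf(c);
    if (i < 0) throw new Error("not base64url: " + c);
    return i.toString(2).padStart(6, "0");
  }).join("");
}
// Bit n (0-based) of a bitfield stands for purpose or vendor ID n + 1.
const idsSet = (bits) => [...bits].flatMap((b, i) => (b === "1" ? [i + 1] : []));

function decodeTcCore(tcString) {
  const bits = toBits(tcString.split(".")[0]); // optional segments follow a "."
  const out = {};
  let pos = 0;
  for (const [name, width] of FIELDS) {
    if (pos + width > bits.length) throw new Error("truncated TC string");
    const raw = bits.slice(pos, pos + width);
    pos += width;
    out[name] = BITFIELDS.has(name) ? idsSet(raw) : parseInt(raw, 2);
  }
  if (out.version !== 2) throw new Error("not a TCF v2 TC string");
  if (out.isRangeEncoding) throw new Error("range-encoded vendors not handled here");
  if (pos + out.maxVendorId > bits.length) throw new Error("truncated vendor bitfield");
  out.vendorConsents = idsSet(bits.slice(pos, pos + out.maxVendorId));
  out.created = new Date(out.created * 100); // stored in deciseconds
  return out;
}
// Builds the constructed sample below; inverse of decodeTcCore for flat values.
function encodeTcCore(values, vendorIds) {
  let bits = FIELDS.map(([n, w]) => (values[n] || 0).toString(2).padStart(w, "0")).join("");
  for (let v = 1; v <= values.maxVendorId; v++) bits += vendorIds.includes(v) ? "1" : "0";
  bits = bits.padEnd(Math.ceil(bits.length / 6) * 6, "0");
  return bits.match(/.{6}/g).map((b) => B64[parseInt(b, 2)]).join("");
}
// Constructed sample: purposes 1, 3, 4 consented; vendors 2 and 5 of 8 consented.
const SAMPLE = encodeTcCore({ version: 2, created: 16437888000, cmpId: 99,
  purposesConsent: 0b101100000000000000000000, maxVendorId: 8 }, [2, 5]);
console.log(SAMPLE, decodeTcCore(SAMPLE));
```

The decoded object shows that the string identifies the CMP, the time of consent and a per-purpose and per-vendor choice, which is the information the decision treats as personal data processed in the TC string.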

The importance of TCF 2.0 for Real-Time Bidding

The unification and standardization through TCF 2.0 is particularly important for modern programmatic marketing, known as real-time bidding or real-time advertising. This is a modern form of online marketing in which automated online auctions are held for the sale and purchase of online advertising space. Specifically, this means that when a person accesses a website or application that contains an advertising space, this advertising space is immediately auctioned off (in real time) by an automated online auction system and algorithms in order to display targeted advertising that is specifically tailored to this person's (advertising) profile. Real-time bidding itself is subject to its own standards and protocols, which are separate from TCF 2.0. The OpenRTB protocol, which was developed and specified by the IAB Technology Laboratory, Inc. ("IAB USA") and which was also the subject of the decision by the Belgian data protection supervisory authority, leads the way here. As shown, the TCF 2.0 with its technical ecosystem is intended precisely to obtain effective consent and thus a suitable basis for the data processing associated with real-time bidding, in particular the tracking and analysis of user behavior, including the personal interests of users to create a corresponding (advertising) profile.

The decision of the Belgian Data Protection Authority

Nevertheless, the Belgian data protection supervisory authority received complaints about the IAB and TCF 2.0 from various data protection activists. As the IAB is based in Belgium, the Belgian supervisory authority was responsible. A lengthy procedure involving consultation with all European data protection supervisory authorities ended in the first stage on February 2, 2022 with a 127-page decision in which the Belgian data protection supervisory authority examined numerous detailed aspects of TCF 2.0 and declared some of them unlawful.

IAB's own infringements without reference to TCF 2.0

Some of these failures are attributable to the IAB alone and are unlikely to have any further impact on online marketing. For example, the IAB failed to appoint a data protection officer, carry out data protection impact assessments and maintain a register of procedures. These breaches can certainly be easily remedied in the future.

Systemic violations of the TCF 2.0

However, the 127 pages of the decision also contain numerous detailed legal and technical considerations that relate directly to the TCF 2.0. In our view, the most important points raised against the TCF 2.0 are as follows:

  • Joint responsibility: There is joint responsibility for the processing of personal data in the TC-String between the IAB and the other participants in TCF 2.0 (recital 362 et seq.). In this regard, the IAB will probably have to draft a corresponding agreement on joint responsibility in the future, coordinate it within the industry and include it in its binding regulations.
  • Legitimate interest is not a suitable legal basis: The IAB cannot rely on the legitimate interest for data processing in its technical backend (para. 410). Consequently, the IAB must also obtain a declaration of consent for this.

    The legitimate interest cannot be a suitable legal basis for modern programmatic marketing or real-time bidding. This applies not only to the IAB, but also to all other participants in TCF 2.0 (para. 441). This legal assessment corresponds to the prevailing opinion for personalized advertising. However, it should be noted that TCF 2.0 is also used to organize many data processing operations that do not require any personalization, such as the selection of simple advertisements based on the context of a website (not based on the user's preferences) or the statistical analysis of the success of an advertisement. The Belgian supervisory authority has not commented on these similarly defined purposes of TCF 2.0.

Conclusion – Why not much will change in the next few months

The IAB has been granted an implementation period of 6 months by the Belgian data protection supervisory authority. In addition, the IAB has the right to lodge an appeal, which may have a suspensive effect. This means that the IAB would only be obliged to implement the law once an administrative court in Belgium has made a final decision. It could be years until then.

Nevertheless, the Belgian decision increases the risk of claims for damages before German courts and complaints before the German supervisory authorities, as the Belgian decision has made it much easier for data subjects and potential claimants to argue against certain tracking and marketing practices. For the first time, an affected party can refer to a specific decision by a supervisory authority for many points (and not just to abstract guidance and other publications by authorities).

With this in mind, we recommend that all companies that use TCF 2.0 (whether as a vendor or publisher) check the extent to which TCF 2.0 is used. We also urgently recommend taking another look at the CMPs, cookie banners and similar consent mechanisms used on your own websites and apps and checking whether all settings have been made in such a way that the purposes, vendors and processed data categories are stated as transparently as possible.

We also recommend reconsidering the risk decisions made with regard to our Data Protection Update No. 108 on the new guidance for telemedia providers and the latest activities of European supervisory authorities on Google Analytics: A few months ago, it was still defensible to decide to use rather problematic tracking and marketing tools despite existing legal concerns, given the low intensity of legal prosecution. Corresponding risk assessments must now at least be reconsidered in light of the latest activities of the European supervisory authorities.
