Brussels Court of Appeal confirms ECJ line regarding IAB TCF 2.0: TC strings are person-related, IAB partly jointly responsible

Review and facts of the TCF proceedings

After receiving several complaints regarding the widely used Transparency and Consent Framework 2.0 ("TCF 2.0") since 2019, the Belgian data protection supervisory authority classified this standard used for online advertising as unlawful under data protection law in February 2022 and imposed a fine on the organization operating it, the Interactive Advertising Bureau Europe ("IAB"). 

This topic is relevant for almost all website operators who use an IAB Consent Management Platform ("CMP") to obtain consent for tracking and marketing tools.

After the IAB submitted a plan to the Belgian data protection supervisory authority on how it intends to bring TCF 2.0 into compliance with data protection regulations, this was approved by the Brussels-based authority in 2023 and the IAB was given six months to implement the plan technically. However, a fine was also imposed on the IAB for violating data protection regulations. 

The IAB filed an appeal with the Brussels Court of Appeal, which referred two questions on the interpretation of the GDPR to the ECJ as part of a preliminary ruling procedure: in particular on the classification of the TC String under data protection law and on the responsibility of the IAB.

In 2024, the ECJ (Case C-604/22) found that personal data is processed when using Transparency and Consent Strings ("TC String") and that IAB can be considered a joint controller in part when processing such data. You can also find a more detailed description of the facts in our Updates No. 174 (Attention online marketers: New ECJ ruling on the IAB TCF), No. 131 (Belgian Data Protection Authority Approves Action Plan of IAB Europe with respect to TCF 2.0 – Decision by the Court of Justice of the European Union still Pending) and No. 109 (Belgian data protection supervisory authority decides: TCF 2.0 – Large parts of programmatic online marketing – unlawful!). 

This line is now confirmed by the decision of the Brussels Court of Appeal (case number 2022/AR/292): On May 14, 2025, the court declared TCF 2.0 to be in breach of data protection law in large parts. The TC String was finally classified as personal and the IAB Europe was partially classified as a joint controller.

All details on the IAB TCF can also be found in our Updates No. 155 (Deadline October 1, 2023 – The implementation period for the IAB TCF 2.2 expires), No. 131 (Belgian Data Protection Authority Approves Action Plan of IAB Europe with respect to TCF 2.0 – Decision by the Court of Justice of the European Union still Pending), No. 128 (Current legal situation regarding the use of tracking tools on websites) and No. 76 (Federal High Court: non-necessary Cookies require consent; preselected checkboxes are not sufficient)

Key statements of the Belgian judgment 

The judgment of the Brussels Court of Appeal follows the requirements of the ECJ. Firstly, the Court of Appeal clarifies that the TC String (a coded character string containing all relevant information about the user's consent decision) is personal data. You can find more information on how the TC String works in our Data Protection Update No. 109 (Belgian Data Protection Authority decides: TCF 2.0 – Large parts of programmatic online marketing – unlawful!). Secondly, the court emphasizes that the IAB, together with the IAB participants, is to be regarded as a joint controller under data protection law with regard to the creation and storage of TC Strings. However, this joint controllership relates exclusively to the processing of personal data when storing the consent preferences of the data subjects in a TC String. 

However, the Brussels court was unable to establish joint responsibility for the subsequent processing of this personal data by SSPs, DSPs and other tools on the basis of the stored preferences, such as forwarding it to third parties or displaying personalized advertising offers. 

With regard to the processing of TC Strings, however, it must now be ensured that there is a sufficient legal basis (e.g. consent of the users concerned).

Practical consequences for companies 

Although the IAB TCF 2.2 has already addressed many of the original criticisms of the Belgian supervisory authority, it is far from completely eliminating all legal risks that exist in the area of personalized online marketing. It is expected that the IAB will provide a template for a joint responsibility agreement in the future. Until then, each company should assess the risks and benefits of online marketing for itself. In practice, no mass wave of warnings or the like has yet been observed as a reaction to the Belgian ruling. However, you should be prepared for the fact that this could happen at any time.

Companies can currently take the following measures to minimize risk:

• Include the processing of TC Strings in the privacy policy;
• Check for yourself whether the use of the TC String is based on a legitimate interest or whether a declaration of consent should be obtained for this purpose to be on the safe side. Although there is not yet a separate function for such a declaration of consent in the CMPs, every website operator/publisher can expressly refer to the processing by means of the TC String and its personal reference on the first layer of the CMP and make it the subject of the declaration of consent by means of a corresponding wording;
• Inclusion of the processing of the TC String in the record of processing activities.