Is the TCF illegal? A rational look at the IAB Europe vs Belgian APD situation (May 2025)

On May 14, 2025, the Belgian Market Court ruled on IAB Europe and the TCF, answering some questions about the case.

‍

We covered this saga extensively and have actively followed developments since the initial decision from the APD. As a CMP provider and a major player in the data privacy ecosystem, this is highly relevant for us and our clients. Our objective, as always, is to decipher the news and bring clarity to our audience.

‍

Before going deeper, let’s clarify: Despite claims already arising online, this ruling does not declare the TCF illegal. Continue reading for a more detailed look at the situation, what you should do if you use the framework, and to understand the intricacies behind the latest ruling.

‍

IAB Europe vs the Belgian APD: History and context

The saga between the Interactive Advertising Bureau (IAB) Europe and the Belgian data protection authority (“Autorité de Protection des Données” or APD) can be traced back to around 2018, and complaints around real-time bidding (RTB) expressed by the Irish Council for Civil Liberties.

These complaints led to a decision by the Belgian DPA in February 2022, finding that IAB Europe’s Transparency and Consent Framework (TCF) had significant issues. According to the APD:

‍

• The Transparency & Consent (TC) string can be considered personal information requiring a legal basis (consent, legitimate interest, etc).
• IAB Europe would be a data controller of that information, even though it doesn't process the consent information.
• IAB Europe would also be a joint controller with TCF participants (vendors, CMPs, publishers). As a result, the APD considered that it failed to establish a legal basis for processing the TC string.
• The security measures in place to protect the consent signal's integrity could be insufficient.

As a result, IAB Europe was ordered to bring the TCF into compliance, along with a €250,000 fine. IAB Europe appealed the decision and released the TCF v2.2, addressing some of the points of concern stemming from the case.

‍

In March 2024, the Court of Justice of the European Union (CJEU) answered the appeal to provide guidance in the case, ruling that the TC String could indeed be personal data and that an organization setting standards like IAB Europe could be a joint controller if it influences the processing, even without direct data access. 

‍

With this information available, the Belgian Market Court proceeded to move forward and issued its final ruling on May 15th.

‍

May 2025: Understanding the Belgian Market Court ruling on IAB Europe and the TCF

The Belgian Market Court issued its final ruling in May, based on the CJEU's guidance.

‍

The court annulled the original APD decision based on procedural issues but essentially confirmed the substance of the Belgian DPA’s findings:

• The TC String is considered personal data.
• IAB Europe is a joint controller of that data, specifically limited to the processing within the TCF system (IAB Europe is not responsible for processing operations entirely within the subsequent OpenRTB protocol). 
• The lack of a legal basis, transparency failures, and inadequate security were confirmed as GDPR infringements tied to IAB Europe's role as joint controller for the TCF. 
• The €250,000 fine was confirmed.

‍

What are the next steps?

The Market Court upheld the core legal findings against IAB Europe for its role in managing the TCF, clarifying IAB Europe's specific responsibilities regarding the TCF framework. Despite the original decision being annulled due to procedural issues, the case will not go back to the APD as the Market Court ruled on the merits of the case. 

‍

Now, it returns to the action plan initially requested from IAB Europe to answer the issues identified with the TCF. Parts of it have already been implemented, and the Market Court decision will guide the following steps, presumably to make the current version of the TCF ok from a legal standpoint, as opposed to the 2022 version that has been audited initially by the Belgian APD. 

‍

As we stand, the story has yet to be entirely written on this saga.

‍

What does it mean for organizations using the TCF?

Rulings like these can be polarizing, which is nothing new in the history of the TCF. Following the ruling, and while we wait for the next decisions, the implications for organizations using the TCF are still being studied, as expressed by our Chief Privacy Officer:

‍

While some concerns may be justified, the IAB is not unhappy with the ruling. For now, our view is that nothing in the judgment declares the TCF illegal. From what we can see, the decision does not represent a dramatic shift.

- Thomas Adhumeau, Chief Privacy Officer at Didomi

‍

What does this new ruling mean if you’re a Didomi CMP client?

The team at Didomi is still carefully analyzing the ruling to understand its actual implications and discussing with the parties involved to understand the consequences of the verdict. 

• If you currently use the TCF, rest assured that we have already implemented many improvements (like in the TCF v2.2) that the APD had called for. Future enhancements will continue to be prioritized in our product roadmap. No additional changes are currently required.
• If you don’t use the TCF, the flexibility of our platform means that you don’t have to, and can continue to work with our CMP as you’re currently doing.

Importantly, please remember that our solutions are fully customizable and, above all, legally compliant. To ensure this is always the case, we partner with legal firms and industry actors and maintain certifications for our company and products. 

‍

The recent ruling brings additional clarity around roles and responsibilities in the TCF ecosystem. Please remember that it is part of an ongoing legal process, for which the final implications are still being interpreted. We will keep you in the loop as the situation evolves.

‍

Frequently asked questions (FAQ)

Is the TCF illegal?

No, the May 2025 ruling by the Belgian Market Court does not declare the Transparency and Consent Framework (TCF) illegal.

‍

Can I still use the TCF after the May 2025 ruling?

Yes, you can. The ruling focuses on IAB Europe’s obligations as a joint controller and the need to improve transparency, legal basis, and security. If you're using TCF v2.2, you are already benefiting from many of the improvements that were expected by regulators.

‍

Should I stop using the TCF and switch to another framework?

The TCF remains widely used and is being actively updated to meet legal expectations. Switching frameworks is not required following this ruling. Instead, ensure your current implementation is up to date (e.g., TCF v2.2), your legal bases are well defined, and your consent practices are transparent and secure.

‍

How is Didomi responding to this ruling?

At Didomi, we are monitoring the situation closely and engaging with legal experts and industry stakeholders to assess the implications. Our CMP has already integrated many of the improvements outlined in TCF v2.2, and we will continue to evolve based on regulatory guidance.

‍

Whether you use the TCF or not, our platform remains fully compliant, flexible, and secure.