ARTICLE
21 May 2025

The End Of An Era? Europe Declares Tracking-Based Advertising To Have No Legal Basis


Tracking-based Advertising - Introduction

In a landmark decision with sweeping implications for the ad tech ecosystem, the Belgian Market Court has ruled that IAB Europe's Transparency and Consent Framework ("TCF") does not have a legal basis under the General Data Protection Regulation ("GDPR"). For clarification, while some headlines have labelled the TCF outright "illegal," the judgement does not contain such wording. The Court instead confirms that, as implemented, the TCF did not meet the GDPR's requirements.

For the uninitiated, the TCF is the mechanism behind the ubiquitous consent pop-ups seen across websites in the EU, enabling a real-time bidding mechanism ("RTB") for targeted advertising. Such a system is utilised by the majority of tech giants, and the likelihood is that any internet user has encountered the TCF in one way or another.

Context and findings

Originally sanctioned by the Belgian Data Protection Authority ("DPA") in 2022 with a €250,000 fine and a compliance action plan, the TCF has been under legal scrutiny for years. In fact, this week's ruling cannot be understood in isolation, as there are years of broader regulatory context to parse. The first formal complaints to authorities were made in 2018 and concerned the scale and nature of personal data broadcasts within the RTB, particularly in relation to GDPR's Article 5(1)(f).1

Investigations in several Member States have highlighted the widespread sharing of highly sensitive data categories through the RTB ecosystem, prompting the call for both enhanced regulatory clarity and enforcement consistency. Of course, while enforcement timelines have varied across jurisdictions, the DPA's proactive approach, culminating in this latest Market Court judgment, reflects a significant moment in EU data protection law.

The Market Court in its administrative appellate capacity has now annulled the above-mentioned 2022 decision, but only on procedural grounds. Substantively, it upheld the DPA's core findings, namely:

  • That Transparency and Consent ("TC") Strings are personal data under the GDPR, on the basis that the information encoded within them, when combined with additional data held by IAB Europe or its participants, can directly or indirectly identify individuals;2 and
  • That IAB Europe acts as a joint controller for the processing of user preferences captured within the TCF. The Court found that IAB imposes the design and structure of this data flow in a "binding manner", exercising decisive influence over how user preferences are collected and shared.

Implications for Ad Tech, Standards Bodies, and Data Controllers

The decision introduces a clear warning for industry consortia and standard-setting bodies. Despite the open-source architecture and voluntary participation model of the TCF, the Court ruled that IAB Europe's central role in defining and enforcing its parameters constitutes joint controllership, which by itself has far-reaching implications.

While IAB Europe has already submitted an action plan to bring the TCF into alignment with GDPR, the regulatory spotlight on RTB and cookie-based consent frameworks is unlikely to fade. Nonetheless, the future of adtech in Europe must now move toward privacy-focused alternatives, such as contextual advertising or first-party data models. Whether this moment marks the demise of tracking as we know it, or a pivot toward innovation, will depend on how quickly the industry can adapt.

Footnotes

1. Article 5(1)(f), GDPR: "Personal data shall be: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures"

2. In layman's terms, the TC String is a sort of "yes/no" checklist about what companies can do with your data that travels with one's activity.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
