Belgian court confirms: IAB / TCF Framework violates the GDPR
Last update: 16.05.2025
After the Belgian APD (Autorité de protection des données) - the data protection authority responsible for the IAB - declared the entire infrastructure of the IAB/TCF framework and all data collected to date to be in breach of the GDPR back in 2022, a Belgian court confirmed this decision on 15 May 2025, as expected. The European Court of Justice had already confirmed in a landmark ruling in 2024 that the TC string is personal data.
Website operators who use the IAB framework should therefore carefully consider whether they want to continue using this feature in the future. Although IAB Europe points out that version 2.2 of the framework has eliminated all shortcomings, uncertainties remain. In order to avoid any risk, the IAB framework should no longer be used in the cookie banner for the time being.
Note: This problem only affects customers who use the TCF framework!
How do I know if TCF is active on my site?
If you have generally activated the setting option for the IAB framework, you will find the menu item "IAB framework (TCFv2)" in the configuration of your domain in CCM19, as shown in the screenshot. TCF can only be used if the checkmark marked in red there is green.
And an important note at this point: CCM19 is not based on TCF - TCF is an additionally activatable module within the CCM19 system. You CAN activate TCF, but you do not have to and CCM19 also works completely WITHOUT TCF.
Decision with immediate effect
This decision applies immediately and EU-wide! The decision was made in accordance with the "One Stop Shop" principle of the General Data Protection Regulation and therefore applies immediately and everywhere in the EU.
"The processing of personal data (for example, the collection of user preferences) under the current version of the TCF is not compatible with the General Data Protection Regulation, as it violates the principle of fairness and lawfulness", said Hielke Hijmans, Chairman of the Authority's Trial Chamber.
The decision in the press
Here are some links to comments in the press on this decision.
- Article at heise.de "Belgian court ends cookie banner dispute with clear ruling"
- Netzpolitik.org "Struggle for sovereignty of interpretation"
- Irish Council for Civil Liberties "EU ruling: tracking-based advertising by Google, Microsoft, Amazon, X, across Europe has no legal basis"
Background - what is the TCF framework?
Basically, the system of targeted advertising within the TCF Framework works as follows: Every time a visitor calls up a website that participates in the TCF Framework, this leads to an auction among the providers of advertisements.
Within milliseconds, a detailed profile of the visitor is used to decide which advertisements they will see. This is called real-time bidding (RTB). For this to work well, or at all, the providers need to know as much as possible about the visitors: age, gender, websites visited, interests, place of residence and presumed purchasing power are just some of the criteria. All of this information together constitutes a visitor's profile - which can be as detailed as you like.
The Transparency and Consent Framework from IAB Europe is used to communicate these profiles. If visitors click on the "Accept cookies" button or simply do not object, the TCF framework generates the so-called TC string. The TC string forms the basis for the creation of the above-mentioned individual profiles and for the auctions in which thousands of international partners participate.
These violations were found
The following violations of the General Data Protection Regulation were documented and criticized:
- Articles 5.1.a and 6 (lawfulness of processing; fairness and transparency)
- Articles 12, 13 and 14 (Transparency)
- Articles 24, 25, 5.1.f and 32 (security of processing; integrity of personal data; data protection by design and by default)
- Article 30 (register of processing activities)
- Article 35 (data protection impact assessment)
- Article 37 (appointment of a data protection officer)
And a whole host of other details. The bottom line is that these problems cannot be fixed with the current structure of the TCF framework.
What is the IAB doing?
The IAB Europe has taken note of the ruling and commented that it has presented a solution in version 2.2 of the framework that would already remedy the shortcomings mentioned.
Overall, attempts are being made to chalk up the decision as a victory because the ruling also confirmed once again that IAB Europe is only jointly responsible for the controversial TC string.
What consequences does this have for CCM19 and for you as a user of the IAB / TCF framework?
This decision also presents us as a CMP with a major challenge - how are we supposed to provide our customers with a GDPR-compliant TCF content banner if the basis that is to be used is not GDPR-compliant? This will not be possible in this form; the IAB is clearly leaving us and all customers who use the TCF framework out in the cold.
Reassuring for all customers who do NOT use TCF, but only the standard banner: this does not affect them.
For all users of the framework, at least one risk remains. Continuing to use the TCF framework in its updated form could violate the GDPR and expose the website to the risk of warnings. Leading data protection experts, who drove the lawsuit, now see the advertising industry as being forced to develop new, innovative tracking solutions that actually protect the privacy of website visitors.
The technology for this exists - also from our side. So IAB - get your job done!
With the next update, our interface will include a reference to this status, as can be seen here in the screenshot:
What can you do / What options for action are there?
There are basically 2 options for dealing with the situation:
- You can of course let it continue to run, but you must be aware of the risks. All processes that exclusively require the TC string may no longer be used today, as they are not GDPR-compliant. This includes the entire IAB / TCF construct. You have to decide for yourself whether you want to adhere to this; of course, we cannot recommend it.
- If you use processes that do not necessarily require TCF, you can use them as normal embeddings, you just need to ensure that the description is correct. You are then on the safe side.
Of course, we are aware of the enormous economic resources involved in this situation, but the bottom line is that we only implement the user interface for handling the TCF framework, which is:
- 100% mandated by the IAB - deviations are not permitted
- Therefore more or less identical for all CMP providers
We can't really exert any influence at this point; the AdTech industry must act together with the IAB, and as quickly as possible.
We would like to continue working with the IAB, which has always worked very well on a technical and communicative level. But we also want a reliable construct that is fit for the future.