Ready for the new Google Consent Mode v2? Learn more »

IAB TCF illegal? All facts here in the FAQ

The Belgian data protection authority APD, in a procedure that has been going on for a good year, on 02. Feb 2022 made a decision. The approximately 130-page explanatory text shows many weaknesses of the IAB TCF, but also many opportunities for reform. Is the Transparency and Consent Framework now illegal? What do publishers have to consider? And how does it continue? Our FAQ explains.

a web page with a man's face on it

Update March 2024

The European Court of Justice has ruled in the IAB TCF case that the TC string (“Consent String”) constitutes personal data within the scope of the GDPR. The data contained in the string relates to identifiable users and could therefore be used to create user profiles and identify users. In addition, IAB Europe is now identified as a ‘joint controller’ under the GDPR, meaning that it shares responsibility for data processing when users’ consent preferences are recorded in a TC String. This means that it shares decisions about the purposes and methods of data processing with its members, but not the data processing itself. IAB Europe’s role as controller does not extend to data processing activities after the user’s consent has been recorded in a TC string, unless it can be demonstrated that IAB Europe has influence over the purposes and means of subsequent data processing activities.

It is important for companies participating in the TCF as publishers or ad tech vendors to update their legal documents in a timely manner to inform end users of these changes. In particular, with regard to Article 26 of the GDPR, companies should inform their end users of the existence of a joint control agreement with IAB Europe and the provider of the relevant website.

Update September 2023

( Update from September 21, 2023 ) On September 21, a public hearing took place before the Fourth Chamber of the ECJ, during which the parties involved were also questioned by the judges. Since there will be no opinion from the Advocate General, it is expected that the ECJ will announce its judgment between the end of 2023 and the beginning of 2024. Once the judgment is published, the Belgian court (Market Court) can finalize its assessment of the arguments put forward in IAB Europe’s complaint.

( Update from September 2023 ) The Belgian court (Market Court) has decided to await the ruling of the European Court of Justice (ECJ) and to suspend its assessment of IAB Europe’s action plan validated by the Belgian Data Protection Authority (APD). In January 2023, IAB Europe lodged an appeal against APD’s early validation of the plan. This shows that the APD acted hastily and the ECJ ruling will influence whether the APD’s original decision was lawful and how the plan is implemented. This is good news for IAB Europe and TCF participants as it prevents unnecessary changes from being made without careful consideration. Townsend Feehan, CEO of IAB Europe, stressed that changes to the TCF must be made with extreme caution and in accordance with ECJ procedure.

Updated June 2023

(Updated June 2023) With the TCF 2.2, the IAB has set the course for taking the steps mentioned in the action plan. A transition phase will now run until September 30, 2023, during which providers and websites can update to the new Standard . From October 2023 only the IAB TCF in version 2.2 will apply.

Update January 2023

(Updated January 2023) The action plan submitted by IAB Europe was accepted by APD and further steps towards GDPR compliance were initiated. The IAB Europe now has 6 months to implement the action plan.

April 2022 update

(April 2022 update) The IAB Europe has meanwhile lodged a complaint with the responsible court (Market Court) and challenged the procedure and the decision as such. At the same time, the requested action plan was submitted by IAB Europe. The APD will now examine the action plan; however, a decision is not expected before the end of June 2022. If the action plan is accepted by APD, IAB Europe must then implement it within 6 months.

May 2022 update

(May 2022 update) IAB Europe withdrew a requested stay of proceedings after APD confirmed the timeline for reviewing the Action Plan. Accordingly, APD will not make a decision on the action plan before September 1, 2022. By then, the Belgian court (market court) will also have decided on the procedure and the implementation of the action plan can take place in the subsequent 6 months.

What happened?

In its final report, the Belgian data protection authority APD formulated various problems for the IAB Europe and the IAB TCF. The main sticking point is that APD sees IAB Europe as the client. Furthermore, the TC string generated by the TCF (the consent information) is regarded as personal data, which would itself require consent.

What does Belgium have to do with it?

Since the GDPR came into force in 2018, there have been several complaints in various countries against IAB Europe as the body behind the IAB TCF Standard and the associated policies and CMPs. Since the IAB Europe is based in Brussels, the Belgian data protection authority was in charge of the procedure (“one-stop-shop” regulation of the GDPR).

Does the Belgian judgment also apply in other countries?

Yes, all data protection authorities must follow the Belgian ruling and not deviate from it.

What exactly does the judgment say?

The verdict is more than 120 pages long and can be downloaded here as a PDF (English). It gets “interesting” from section 535, in which the actual offenses are explained:

  • The TCF does not represent a valid legal basis for the processing of user decisions. Consent has not been given sufficiently (see next point)
  • The TCF does not transparently reflect the information that a user needs to make a decision.
  • The security of the TCF as a mechanism is not sufficient enough (e.g. to prevent misbehavior of CMPs).
  • The IAB is viewed as the client (controller) and the data. This results in certain obligations for the IAB Europe, which have not been complied with to date; specifically, a list of data processing is missing.
  • The IAB Europe did not carry out a DPIA, although it would be necessary to do so.
  • The IAB Europe has not commissioned a data protection officer, although this would be necessary.
A woman holding a megaphone next to a cookie and a certified IAB europe stamp

What are the consequences?

The sanctions against the IAB Europe ultimately result from the offenses (see above) and are:

  • (Re)design the TCF in such a way that it results in a valid legal basis.
  • Data that IAB Europe has collected so far must be deleted.
  • The legal basis “legitimate interest” may no longer be used in the TCF.
  • Reorganized the TCF so that CMPs have a “harmonized” way to obtain consent in a GDPR compliant manner. Information should be presented in a concise, concrete but understandable manner.
  • Appropriate security mechanisms must be developed to protect the TCF.
  • The IAB Europe must create a register of data processing.
  • The IAB Europe must conduct a DPIA.
  • The IAB Europe must appoint a data protection officer.

Furthermore, the IAB Europe is required to draw up an “Action Plan” within 2 months. This is to show the steps that are to be taken to make the TCF compliant in the future. As soon as the plan has been accepted by the APD, the IAB then has another 6 months to implement it accordingly.


Stay up to date!

Subscribe to Newsletter

Are all CMPs illegal now?

no A CMP like that of consentmanager is generally independent of this – after all, a website operator can configure the CMP so that it becomes compliant or switch off the TCF in the CMP entirely.

Is the TCF illegal now?

no The current form is considered insufficient. The IAB Europe now has the task of initiating appropriate measures and making the TCF compliant again.

What’s next?

The IAB Europe now has 2 months to develop measures and/or to submit an objection. It is assumed that both will happen: There will certainly be an objection to individual components of the decision – at the same time, we will see how the TCF can be put on a secure footing. In particular, the aim here is to convert the TCF into a Code of Conduct (CoC). The IAB has been working on this for a long time. A CoC would have further advantages and greater legal certainty.

Who does the judgment affect?

For the time being, it only directly affects IAB Europe. Indirectly, it affects CMPs, providers and publishers in the medium term – at the latest when new purposes and legal bases have to be set in the consent layer or the technical substructure changes.

How should I react now?

As with everything. it is not wrong to take a close look and wait and see how the actors behave.

As a general recommendation, it can be deduced that “legitimate interest” is not regarded as a sufficient legal basis for online advertising – this had already been announced in advance and in other judgments. If you use marketing tools on your website, you should check whether they require consent.

In general, we recommend using the TCF only when it is really necessary. This might not be the case for most e-commerce websites, for example. At the same time, most news sites will continue to rely on the TCF. Here we recommend checking the description texts and provider lists carefully and, if necessary, providing more precise descriptions and further information.

Ist Ihre Webseite konform? Finden Sie es heraus mit unserer Checkliste

Checkliste herunterladen

Do I have to delete all my data now?

no The Belgian judgment only affects IAB Europe for the time being. Indirectly, however, it can be assumed that a “pure TCF CMP” also falls under the conditions of the judgment and has therefore not legally obtained approval.

Are websites using the TCF now at risk?

no On the one hand, actors will initially wait – this also applies to the other data protection authorities in other countries. As long as the procedure is still “pending”, it makes no real sense to use the procedure as a basis for warnings or new procedures.

On the other hand, it is still unclear whether the TCF itself can be used in a compliant manner under certain conditions. Here, too, it remains to be seen and, if necessary, to keep an eye on the development of the TCF.

What does consentmanager do for me? What should I do?

As a member of IAB Europe and in various regional associations and other groups, consentmanager is actively involved in the consultations and decisions within the IAB. In this respect, consentmanager will be able to implement all necessary steps promptly in order to be able to protect its customers legally or technically.

As a consentmanager customer, you don’t have to do anything concrete at first (see above for exceptions). All technical and procedural adjustments that a “new” TCF requires can be made internally by us – there is no need to exchange codes now.

Don’t see your question?

Feel free to contact us directly.

more comments

EDPB opinion on pay or consent model
Legal, News

The latest decision of the EDPB on “consent or pay” models for online platforms

The Dutch, Norwegian and German (Hamburg) regulators asked the European Data Protection Board (EDPB) for guidance on whether large online platforms can implement ‘consent or pay’ models for behavioural advertising based on valid and freely given consent. This was prompted by Meta’s introduction of a subscription model in October 2023, where users were given the […]
New regulations US 2024

New US data protection laws come into force in 2024: Update your US-specific privacy settings

In the United States, new data privacy laws will take effect in the second half of 2024 – in Florida, Texas, Oregon and Montana . Companies that operate in these states or have customers in these states will need to review their data privacy practices to ensure compliance with the new data privacy laws. To […]