[German]A Belgian court has now ruled on a complaint by data protectionists regarding the TCF framework. The judges consider the TCF framework to be non-compliant with the GDPR. This poses a problem for the online advertising industry around Microsoft, Google and Co. because they use cookie consent via the TCF framework.
The following Post on Mastodon takes up this issue and writes that the annoying consent cookie pop-ups with which Big Tech requests consent for advertising tracking are not compliant with the GDPR.
Background: Google, Microsoft, Amazon, X and the entire tracking-based advertising industry rely on the "Transparency & Consent Framework" (TCF) to obtain consent for data processing via cookies. The TCF is used on 80% of websites.
Specifically, the TCF has been used by advertising networks in Europe for seven years as a legal safeguard for real-time bidding (RTB). RTB is used to auction advertising space on websites and in apps. RTB tracks what Internet users look at on the Internet and then shares this continuously with a large number of companies. As a result, the companies that want to place advertisements know the interests of internet users. Since, according to critics, the RTB system makes it impossible to know what happens to the data, it is also not possible to provide the necessary information for users to consent to advertising tracking, they claim.
On May 15, 2025, the Belgian Court of Appeal ruled that the TCF was not compliant with the GDPR. This Belgian ruling follows a chain of complaints and litigation across Europe that Dr. Ryan brought against Real-Time Bidding (RTB) in 2018.
The current ruling (Download the court order in English) stems from a complaint filed by various complainants with the Belgian Data Protection Authority. These were coordinated by Dr. Johnny Ryan, Director of Enforcement at the Irish Council for Civil Liberties. According to this statement, the group of complainants are: Dr. Johnny Ryan of Enforce, Katarzyna Szymielewicz of the Panoptykon Foundation, Dr. Jef Ausloos, Dr. Pierre Dewitte, Stichting Bits of Freedom and the Ligue des Droits Humains.
Commenting on the ruling, Dr. Johnny Ryan said: "Today's court decision shows that the consent system used by Google, Amazon, X and Microsoft is deceiving hundreds of millions of Europeans. The tech industry has tried to hide its huge data breaches behind fake consent pop-ups. Tech companies have turned the General Data Protection Regulation into a daily nuisance, not a shield for people."
German site heise has taken up the ruling, which has far-reaching consequences for advertising networks, in this German article with further information, assessments and comments. Hielke Hijmnans from the Belgian data protection supervisory authority APD is satisfied: "That this decision of the Market Court, as well as the decision of the CJEU 2024, confirms our position that the TC String is personal data and that IAB Europe acts as a controller for the processing of user preferences in the context of the TCF."
The online advertising industry association, IAB Europe, which originally set up the TCF, is also satisfied. On the one hand, the decision of the lower court was overturned on formal grounds. The fine of 250,000 euros imposed there is therefore not due. The association is not a responsible data processor beyond the TC-String. In addition, IAB Europe has already developed the TCF 2.2, which already takes account of the ruling from the association's point of view.
Here in the blog I use the consent solution via Contentpass since fall 2024. A solution that allows subscribers to visit the websites ad-free and that more and more publishers are using instead of cookie consent pop-ups. The Contentpass solution doesn't generates a lot of revenue for me, as the subscriptions are distributed across all Contentpass pages. At best, the revenue covers 10% of the monthly costs that I pay for the Contentpass solution. But I am thus away from the IAB Europe cookie consent.
