IAB Transparency & Consent Framework (TCF) is an open standard jointly developed by the European advertising industry and launched in 2018 to help stakeholders comply with EU privacy regulations (GDPR and ePrivacy), particularly in programmatic advertising. It enables websites and technology vendors to manage user consent transparently and consistently across the advertising supply chain. Consent is recorded using a technical identifier known as the TC String (Transparency and Consent String), which stores a user’s choices regarding which vendors are granted consent and for what purposes cookies or personal data may be used.
In February 2022, the Belgian Data Protection Authority (APD) issued a decision questioning the legality of the TCF. The APD ruled that the TC String constitutes personal data and that IAB Europe acts as a data controller for its processing, not only for documenting consent but also for the subsequent use of that data within the programmatic advertising supply chain. IAB Europe was fined €250,000 and required to submit a corrective action plan. This triggered a years-long legal process. It concluded in May 2025 when the Belgian Market Court confirmed its final interpretation based on a preliminary ruling issued by the Court of Justice of the European Union (CJEU) in spring 2024.
The outcome: IAB Europe is not responsible for how other parties process the data, such as for targeted advertising. Its role is limited to managing the TCF and generating the TC String. At the same time, it was confirmed that the TC String can sometimes constitute personal data, particularly when combined with other identifiers, such as an IP address. In such cases, processing requires a valid legal basis under the GDPR.
What does the decision mean in practice?
The TCF has not been deemed illegal. Publishers and technology providers can continue using it, ensuring TC Strings are treated as personal data when linked to an identifiable user.
IAB Europe’s responsibility is limited to creating and managing the TC String, not how consent data is subsequently used for ad targeting. This means each party remains responsible for its data processing activities.
The TCF remains a valid and valuable way to manage consent transparently, provided that participants, such as publishers, CMP providers, and SSPs, ensure their privacy practices comply with the GDPR.
What happens next?
The Belgian Market Court’s ruling now allows IAB Europe to implement the corrective action plan it previously submitted, at least for the necessary parts. Some planned changes have already been implemented (e.g. TCF v2.2), and a new update (TCF v2.3) is currently open for public comment.
Publishers should ensure they are using an up-to-date version of the TCF and that their CMP provider supports the latest technical and policy requirements. Since IAB Europe now acts as a joint controller for the TC String, it must be listed as a vendor that receives user consent. In practice, this means IAB Europe should be included in the CMP vendor list if it isn’t already.
Summary: What should publishers do now?
The Belgian Market Court’s May 2025 ruling clarifies the legal status of the TCF in Europe and offers digital publishers greater certainty around its continued use. The TCF is not illegal, but its use requires compliance with the GDPR when the TC String can be linked to an identifiable user.
Key actions for publishers:
This ruling finally brings stability after years of uncertainty. Now is a good time to review your practices and ensure your consent management is transparent for users and regulators.