Belgian Court Resolves Cookie Banner Dispute with Definitive Ruling

A Belgian appeals court has provided clarity on a significant issue regarding the most widely used standard for real-time online advertising, known as the Transparency and Consent Framework (TCF). The court determined that the existing version of this framework grossly violates the General Data Protection Regulation (GDPR), which may have far-reaching implications for the entire online advertising market within the European Union.

Previously, in a landmark ruling from last year, the European Court of Justice (ECJ) clarified that the so-called Transparency and Consent String qualifies as personal data under the GDPR. This string facilitates the cross-site identification of users. Developed by the Interactive Advertising Bureau (IAB) Europe, the framework has been at the center of a protracted legal battle initiated by the Belgian Data Protection Authority (APD) since 2019, seeking to clarify the legal standing of this framework.

When users indicate their advertising preferences on any of the numerous websites utilizing the TCF framework, this information is recorded via cookies and shared with other websites that use the OpenRTB protocol to auction advertising space in real time. The IAB Europe generates the Transparency and Consent String to link these preferences to user profiles. After prompting from the Belgian appeals court, the ECJ confirmed that this string constitutes personal data as defined by the GDPR. The Belgian judges were tasked with determining the specific implications of this classification in their ruling.

In response to the ruling, Hielke Hijmnans from the APD emphasized two key points: first, that the market court's decision aligns with the ECJ's 2024 ruling affirming the TC String as personal data; and second, that IAB Europe is deemed responsible for processing user preferences within the TCF framework. Further analysis of the court's ruling, published today in Flemish by the ICCL, is required to comprehend its broader implications.

Johnny Ryan of the Irish Council for Civil Liberties, who has long opposed what he considers unlawful data processing, remarked that the decision underscores how consent systems used by major firms like Google, Amazon, and Microsoft mislead hundreds of millions of Europeans. Ryan, a participant in the proceedings as a co-plaintiff alongside other European data protection activists, criticized companies for turning the GDPR into a daily nuisance rather than a tool for safeguarding privacy, asserting that the tech industry has attempted to conceal significant data protection violations behind misleading consent pop-ups.

Meanwhile, IAB Europe expressed satisfaction with the court's decision, albeit for different reasons. The court overturned a previous ruling from the APD that would have resulted in a EUR250,000 fine against IAB Europe. Additionally, the court clarified that the organization is not the sole data processor responsible for the TC String; that responsibility lies with the companies that implement the framework. IAB Europe also announced the development of a new version, 2.2, of the TCF standard, which they believe addresses the court's findings. This new version limits companies' ability to cite 'legitimate interest' under the GDPR for profiling purposes.

The court's ruling replaces the APD's fine notice. However, companies that have relied on the TCF as a standard while unlawfully processing personal data may face additional sanctions from regulatory authorities. The absence of a legal basis for data processing could expose both IAB Europe and advertisers utilizing the TCF standard to potential compensation claims. Given that the unlawful data processing likely affected nearly every internet user in the EU, even modest individual settlements could result in substantial financial liabilities.