The Brussels Court of Appeal ruled on May 14, 2025, that the consent model used in tracking-based advertising by major tech companies such as Google, Microsoft, Amazon, and X (formerly Twitter) does not comply with EU privacy laws, including the General Data Protection Regulation (GDPR).
The ruling, which targets the Transparency and Consent Framework (TCF) utilized for real-time bidding (RTB) in online advertising, marks a crucial step in the European Union’s ongoing fight against surveillance-based advertising.
The Implications of Tracking-Based Ads
The case centered on the methods employed in tracking-based advertising, specifically those using Real-Time Bidding (RTB) systems. RTB allows advertisers to bid in real time to display ads to users based on personal data. Each time a user visits a website, information such as location, browsing habits, and even inferred personal attributes like beliefs or health conditions can be shared with thousands of companies.
Despite efforts by Big Tech companies to claim compliance with the GDPR by using the TCF, the court ruled that this framework falls short of the regulation’s requirements, particularly in terms of transparency and consent. The core issue lies in how user consent is obtained through pop-up notifications that, according to the court, do not adequately address the complexities of consent and data protection standards.
Background: The Legal Battle
The ruling stems from a case between the Interactive Advertising Bureau Europe (IAB Europe) and the Belgian Data Protection Authority (GBA). IAB Europe, a non-profit organization representing the digital advertising sector, developed the TCF, which aims to help businesses comply with privacy laws when processing personal data through RTB systems. The TCF collects user preferences and stores them in what are known as “TC Strings,” which are then shared with advertising platforms to manage consent.
In 2022, the GBA issued a ruling against IAB Europe, asserting that the TCF violated several provisions, especially regarding the transparency and legality of user consent. The GBA imposed a €250,000 fine on IAB Europe, arguing that the TC Strings, which can be linked to identifiable individuals, qualify as personal data.
IAB Europe appealed the decision, arguing that TC Strings alone do not constitute personal data, but the court upheld the GBA’s position, affirming that TC Strings, when combined with other identifiers like IP addresses, can indeed identify individuals, making them personal data under GDPR.
Key Legal Questions and the Court’s Findings
The case brought to light two critical legal questions: whether TC Strings should be classified as personal data and whether IAB Europe should be considered a data controller under GDPR. The Court of Justice of the European Union (CJEU) had already ruled that TC Strings qualify as personal data when linked with identifiers like an IP address, as they can be used to identify individuals either directly or indirectly. Furthermore, the CJEU clarified that organizations like IAB Europe, which influence how personal data is processed, are considered joint controllers under GDPR, even if they do not directly access the personal data.
The Brussels Court of Appeal dismissed IAB Europe’s objections, affirming that the TC Strings do indeed constitute personal data. The court also concluded that IAB Europe, as the architect of the TCF, plays a key role in determining how personal data is processed, thus making it a joint data controller along with other participants in the digital advertising ecosystem.
The Role of the GDPR in Protecting Privacy
The General Data Protection Regulation, which came into force in 2018, is a landmark piece of EU legislation designed to protect personal data and privacy. It sets strict requirements for obtaining user consent, ensuring transparency, and limiting the scope of data processing. The ruling against IAB Europe reinforces the idea that surveillance-based advertising, which relies heavily on the collection and monetization of personal data, is incompatible with data privacy principles.
Moreover, the court’s decision reinforces the EU’s commitment to enforcing privacy laws and holding companies accountable for violations of users’ privacy rights. The ruling also emphasizes the importance of informed consent and the need for advertisers to adopt more ethical, transparent practices in the collection and use of personal data.
Conclusion
This ruling signals a transformative shift in the digital advertising landscape. With the EU firmly stepping up against tracking-based ads and surveillance-based advertising, businesses will need to adapt to more privacy-conscious models to meet the rising demands for transparency and compliance.
This case stresses that protecting privacy is not just a legal obligation, but a fundamental responsibility in today’s data-driven world. As the legal journey continues, this decision paves the way for a future where ethical and transparent advertising practices take precedence, offering hope for stronger privacy protections not only in Europe but globally.
