Back to Cases
technologyAdvertising Technology · 2022
IAB Europe
The Belgian DPA (GBA) found that IAB Europe's Transparency and Consent Framework (TCF) — the industry consent mechanism used by virtually every publisher and ad tech company across the EU — violated GDPR in multiple fundamental ways, including that the encoded TC String constitutes personal data, that IAB Europe is a data controller for its creation, and that 'legitimate interest' cannot serve as legal basis for behavioural advertising profiling at scale. The decision had immediate EU-wide consequences as thousands of websites relied on TCF as their primary GDPR consent mechanism. IAB Europe was given six months to bring the TCF into compliance.
Fine Imposed€250,000.0
Authority
GBA-BE
Regulation
GDPR as enforced by the Belgian Data Protection Authority (GBA/APD)
Max fine€20M or 4% of global annual turnover (Tier 2); €10M or 2% (Tier 1)
Statusactive
Key Takeaways
- The architect of industry-wide consent infrastructure can be held directly liable as a GDPR controller if that framework enables unlawful processing at systemic scale — industry standards do not provide regulatory immunity.