Beyond the Pop-Up: Navigating Digital Advertising Compliance After the TCF Ruling

September 30, 2025

On 14 May 2025, the Belgian Court of Appeal ruled that the Transparency &Consent Framework (TCF) which is a system used by companies such as Google, Amazon, Microsoft, and X to get user consent for tracking, is illegal under European privacy law. This decision applies across all of Europe and could significantly change how online advertising works.

What is the TCF?

The Transparency & Consent Framework or TCF is a system created in 2018 by Interactive Advertising Bureau (IAB) Europe, which is a trade body of the tracking and data industry.[1] It is the system behind the pop-ups you see on websites that ask if you “accept cookies” or agree to data tracking.

The TCF was meant to help companies follow privacy laws like the General DataProtection Regulation (GDPR). It allowed users to grant or withhold consent for their data to be used and to object to certain uses of their data. But behind the scenes, the TCF was also designed to support a system called Real-TimeBidding (RTB).

What is Real-Time Bidding?

When you open a website or app that shows ads, advertising companies bid in real-time for the chance to show you a targeted ad. This process involves collecting and sharing detailed personal information about you like what you’re reading or watching, where you are, etc.[2] This data is then broadcast to potentially hundreds of companies each time an ad is shown. To make this legal under GDPR, companies claimed they had your consent because of the TCF system.

Why was the TCF challenged?

The TCF was challenged by privacy advocates for the first time back in 2018[3] where they argued that it enabled mass surveillance through online advertising by failing to protect users’ data and obtain meaningful consent.[4]

On 14 May 2025, following years of legal proceedings, the Belgian Court of Appeal ruled that the TCF is illegal under the GDPR. The court found that the system:

  • Does not properly request consent from users
  • Fails to ensure data security or confidentiality
  • Does not provide adequate transparency about how user data is processed

These findings reflect violations of several key provisions of the GDPR including:

  • Article 5(1)(a) – Lack of transparency and fairness
  • Article 5(1)(f) – Failure to ensure data integrity and confidentiality
  • Article 6 – No valid legal basis for processing (invalid consent)
  • Articles 12, 13 and 14 – Failure to inform users adequately
  • Articles 25 and 32 – Lack of data protection by design and insufficient security safeguards

The court also noted that for seven years, the TCF had served as a legal facade for RTB, a system that broadcasts personal data to hundreds of companies without real control or oversight, making informed, valid consent effectively impossible.

What does this mean for users?

A shift to better models: The ruling could push the industry toward safer, non-tracking-based advertising methods. Future versions of the TCF will incorporate the court’s guidance to strengthen user privacy while keeping advertising viable.[5]

Why this ruling matters?

This ruling is a very strong enforcement action taken under the GDPR. It shows that“consent” pop-ups don’t always mean real consent. It also sends a signal that EU courts are ready to uphold strong digital rights, and businesses need to innovate toward ethical data practices.[6]

 

[1] An Unending Data Breach Immune to Audit? Can the TCF and RTB Be Reconciled with the GDPR?by Johnny Ryan, Cristiana Santos :: SSRN

[2] Belgian court: The TCF framework is not GDPR-compliant Born's Tech and Windows World

[3] “RTB” adtech & GDPR – DrJohnny Ryan FRHistS

[4] https://www.iccl.ie/digital-data/eu-ruling-tracking-based-advertising-by-google-microsoft-amazon-x-across-europe-has-no-legal-basis/

[5] Understanding the Belgian Market Court Ruling on IAB Europe’s TCF

[6] EU CourtRules Against Tracking Ads, Strengthens GDPR