Background information

Consent without control: why cookie banners fail to meet standards

Florian Bodoky
21.5.2025
Translation: Patrik Stainbrook

After several years of legal disputes, it’s been decided: the Transparency and Consent Framework violates the EU’s General Data Protection Regulation. Clicking OK on a cookie banner isn’t enough to validate the data processing that many companies engage in.

The debate around the so-called Transparency and Consent Framework (TCF) has kept various activists, companies and authorities in European data protection on their toes for years. As early as 2022, the Irish Council for Civil Liberties (ICCL) filed a complaint with the Belgian data protection authority. It claimed the TCF enables systematic violations of the General Data Protection Regulation (GDPR).

Johnny Ryan, the mastermind behind the lawsuit.
Source: iccl.ie

A landmark ruling has now been issued from Brussels. The Belgian Court of Appeal has upheld the main points of the data protectionists’ complaint. In particular, it confirmed that the so-called TC string stores personal data covered by the GDPR. In doing so, the court follows an assessment by the European Court of Justice (ECJ), which had already ruled on this issue in 2024. Mind you, it’s unlikely that cookie banners will disappear today or tomorrow. Nevertheless, this ruling could turn the digital advertising system in Europe on its head.

What is the TCF?

The Transparency and Consent Framework was launched by advertising association IAB Europe. It enables advertisers to obtain user consent for data processing and to pass it on to other advertisers in real time. The so-called TC string plays a key role here. It’s a character string that records each time a user gave (or refused) consent. It’s generated by so-called consent management platforms and stored together with the cookies in a user’s browser. The string is then reused within the advertising network by other ad tech companies.
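
To make concrete what a TC string holds, the following added example (not code from the article or from IAB Europe) decodes the leading fields of a TCF v2 core segment. The field names and bit widths are taken from the published TCF v2 string layout as an assumption of this example, and the sample string is constructed.

```python
import base64
from datetime import datetime, timezone

# Leading fields of the TCF v2 core segment as (name, bit width), in wire order.
FIELDS = [("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
          ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
          ("vendor_list_version", 12), ("tcf_policy_version", 6),
          ("is_service_specific", 1), ("use_non_standard_stacks", 1),
          ("special_feature_opt_ins", 12), ("purposes_consent", 24)]

def encode_sample(values):
    """Pack constructed field values into an unpadded base64url core segment."""
    bits = "".join(f"{values[name]:0{width}b}" for name, width in FIELDS)
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_core(tc_string):
    """Decode the leading core-segment fields of a TC string into a dict."""
    core = tc_string.split(".")[0]  # optional segments follow after a dot
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    bits = "".join(f"{byte:08b}" for byte in raw)
    if len(bits) < sum(width for _, width in FIELDS):
        raise ValueError("too short to hold the core fields")
    out, pos = {}, 0
    for name, width in FIELDS:
        out[name] = int(bits[pos:pos + width], 2)
        pos += width
    if out["version"] != 2:
        raise ValueError("not a TCF v2 string")
    for key in ("created", "last_updated"):  # deciseconds since the Unix epoch
        out[key] = datetime.fromtimestamp(out[key] / 10, tz=timezone.utc)
    lang = out["consent_language"]  # two 6-bit letters, A = 0
    out["consent_language"] = chr(65 + (lang >> 6)) + chr(65 + (lang & 63))
    mask = out["purposes_consent"]  # leftmost bit is purpose 1
    out["purposes_consent"] = [n + 1 for n in range(24) if mask >> (23 - n) & 1]
    return out

# Constructed sample values, not taken from a real site or CMP.
STAMP = int(datetime(2025, 5, 21, tzinfo=timezone.utc).timestamp() * 10)
SAMPLE = encode_sample({
    "version": 2, "created": STAMP, "last_updated": STAMP, "cmp_id": 300,
    "cmp_version": 1, "consent_screen": 1, "consent_language": (4 << 6) | 13,
    "vendor_list_version": 100, "tcf_policy_version": 4,
    "is_service_specific": 0, "use_non_standard_stacks": 0,
    "special_feature_opt_ins": 0,
    "purposes_consent": (1 << 23) | (1 << 21) | (1 << 20)})

if __name__ == "__main__":
    for field, value in decode_core(SAMPLE).items():
        print(f"{field:24} {value}")
```

The decoded record pairs a tenth-of-a-second timestamp with the CMP that collected the choice and the per-purpose consent bits, which is the kind of content the court assessed.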

This in turn operates with so-called real-time bidding, a process in which advertising space on websites is auctioned off within milliseconds. The winning company is usually the one with advertising that best matches the profile of the user currently on the website – it’s why you may see a different ad on website X than I do. A user’s profile is made up of the information in their TC string. The more information there is, the more valuable the advertising space is to advertisers.

Advertising space is allocated in milliseconds.
Source: Florian Bodoky

So, what’s the problem?

Data protectionists have long criticised several aspects of this system. One is a lack of transparency. Ordinary consumers are generally unable to understand what personal data is being processed and for what purpose. You’re denied effective control over consent since you can’t really understand what you’re giving your consent to when clicking Accept all on a cookie banner.

In an ecosystem where data is transmitted to hundreds of players in fractions of a second, the principle of informed consent seems more fiction than reality. The key question here was whether data stored in a TC string was personal data. The court decided it is.

As a result, the TCF violates some articles of the GDPR:

Article 5, paragraph 1, a and b

  • The collection and use of TC strings is often incomprehensible to users.
  • You often can’t see what data goes where, violating the principle of transparency.
  • The purposes of data processing are often too general or unclear.
  • Users can’t give differentiated consent – e.g. yes to advertising, but not to tracking for market research.

Article 6, paragraph 1, a

  • The processing of personal data is only permitted with effective consent.
  • TC strings can also be forced onto users by non-transparent cookie banners or dark patterns.

Article 7, paragraph 1

  • Merely storing a TC string isn’t sufficient as proof of valid consent.
  • There’s often a lack of information about when, how and by whom consent was given.

Who’s to blame, and what will be the consequences for the guilty parties?

The originator of the TCF, IAB Europe, was originally seen as culpable for the data protection debacle. This isn’t entirely true, as the Belgian Court of Appeal has now ruled. It’s true, the court sees the originator as partially responsible – but only for the collection and management of consent within the system. The consent management platforms and their respective advertisers are also responsible for the subsequent processing of data until advertising is displayed.

According to the GDPR (article 26), the term «joint controllers» means that several parties are responsible for certain steps in processing. Together, they decide which purposes and means of data processing are used. It must be clearly regulated who fulfils which tasks, and users must have a specific contact person in order to claim their rights.

Townsend Feehan, CEO of IAB Europe, isn’t sad about the verdict.
Source: iebeurope.com

The penalty currently imposed focuses on a fine against IAB Europe, amounting to 250,000 euros. However, these fines have been suspended as IAB Europe has already developed a revised version of the TCF. This version 2.2 is intended to correct all points of criticism. The legitimate interest that was previously used as a legal basis for personalised advertising no longer applies. In addition, transparency is to be increased and comprehensibility improved. The data protection authority has accepted this in principle.

However, this ruling could have other consequences. After all, the majority of European websites rely on the TCF. It means that a very large number of users are affected by unlawful data processing – raising the question of possible claims for compensation. However, these are likely to go against the advertisers who have worked with this data without a legal basis.

What’s next?

The decision can be seen as a milestone. One question now arises: what will happen? The authorities have to create technical solutions that meet the requirements of the GDPR. Data protection by design and by default – i.e. the protection of data right from the design stage – must be in place in order to comply with the GDPR. The newest version of the TCF is the touchstone for IAB Europe.

Cookie banners probably won’t disappear overnight.
Source: DSGVO-Team.de

What does this mean for Switzerland?

The Belgian court’s ruling has no direct legal effect in Switzerland. Switzerland is subject to its own data protection law, which applies independently of the GDPR. However, Swiss companies, for example, must make their websites GDPR-compliant if they address users in the EU, place advertisements on EU websites or process data of EU citizens. Otherwise, EU authorities may impose sanctions. And, of course, data protection authorities can use this ruling as a guide when it comes to checking the TCF for compliance with their own data protection law.

Header image: Shutterstock
