Belgian Data Protection Authority: Central standard for cookie banners unlawful

Belgian Data Protection Authority: Central standard for cookie banners unlawful

The Belgian data protection authority Autorité de protection des données (APD) has declared a central standard for online advertising to be inadmissible under data protection law. It has imposed a fine of 250,000 euros on the advertising organization IAB Europe. In addition, the IAB was asked to delete all collected data. Because the decision was made under the "One Stop Shop" principle of the General Data Protection Regulation, it applies across the EU - and could have a huge impact on the advertising and media industry.

The Transparency & Consent Framework (TCF) is the central standard behind cookie banners and personalized advertising. The core task of the TCF is the passing on of consent to data processing for advertising purposes. As soon as users click on "Accept" on a cookie banner, a so-called TC string is generated and sent to all partners who participate in the so-called OpenRTB system. Based on this TC string, user profiles are compiled, which then form the basis for real-time advertising auctions, with which individual advertising spaces are often auctioned off among hundreds of companies.

Personal Data

In their decision, coordinated with European colleagues, the Belgian data protection officers state that not only the advertising profile, but also the TC string must be considered personal data, since the string can be combined with the IP address to make the user identifiable.

This finding alone is a debacle for the advertising industry, since these TC strings themselves must now be treated according to the rules of the GDPR. This not only means that users must give their informed consent so that this data can be transferred without any problems - it also requires an official person responsible for the further processing of data by thousands of companies.

Advertising industry rejects responsibility

IAB Europe had already made it clear in the past few months that it did not want to assume this role. The TCF was constructed as a "voluntary standard" precisely to avoid such liability. But those who do not take part in the system have to reckon with considerable losses in the advertising business.

The privacy advocates also have problems with the specific design of the TCF. According to the decision, the categories to which users should agree in the case of cookie banners are far too vague for users to be able to understand the scope of the data transfer in the background. There is also no way for users to effectively understand the processed data.

"People are being asked to give their consent, but most of them are unaware that their profiles are being sold many times a day in order to serve them personalized ads," Hielke Hijmans, data protection officer in charge of the case, said. The IAB Europe now has two months to explain how they want to put the system on a legal basis.


IAB Europe intends to take legal action against this decision. In particular, the organization objects to the statement that it should be responsible for the data as a "controller". In addition, IAB Europe emphasizes that it was not the TCF itself but the specific design that was found to be inadmissible. One is optimistic that a mutually satisfactory solution can be found with the authority within six months.

The case stems from a complaint by the Irish Council for Civil Liberties (ICCL) and other European civil liberties organizations. "Today's decision frees hundreds of millions of Europeans from consensus spam and from the deeper threat of their most personal information being passed around among thousands of companies," said ICCL Representative Johnny Ryan. After the decision of the Belgian data protection officers, the billion-dollar business with personalized advertising could not function as before.

Can the system still be saved?

Meanwhile, the advertising industry is already working to save the business model. In the run-up to the decision, IAB Europe had already begun to adapt to the new circumstances. For example, a "Vendor Compliance" program was set up to allay concerns about the disclosure of advertising profiles to hundreds of bidders. However, critics such as Ryan consider this attempt to be futile, since the data would be spread far too widely to exercise effective control.

What does GDPR mean in practise?

Google is done with Third-Party Cookies


Photo by Ivan Samkov from Pexels


GDPR Compliant Data Collection

We offer a wide range of GDPR compliant tools for you to collect data from your customers.

Scroll to top