Court case Tussenarrest 2022/AR/292 – Court Ruling (Belgium, 2022)

Court Ruling
DPA Hof van Beroep, 7 September 2022, Belgium
final

A Belgian court ruled on complaints against IAB, a digital advertising company, for not properly handling user consent regarding cookies. This case is significant because it shows that companies must follow strict rules when it comes to user consent for data tracking.

What happened

IAB faced complaints for failing to provide clear consent options for cookies and tracking users on websites.

Who was affected

Website visitors who encountered IAB's tracking practices were affected by the lack of proper consent mechanisms.

What the authority found

The court found that IAB did not comply with GDPR requirements for obtaining user consent and providing clear information about data processing.

Why this matters

This ruling sets a precedent for how consent should be managed in digital advertising, urging companies to improve their consent practices to comply with privacy laws.

GDPR Articles Cited

AI-verified

Art. 6 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 24 GDPR
Art. 25 GDPR
Art. 30 GDPR
Art. 32 GDPR
Art. 35 GDPR
Art. 37 GDPR
Art. 38 GDPR
Art. 39 GDPR
Art. 4(1) GDPR
Art. 4(7) GDPR
Art. 5(1)(a) GDPR
Art. 5(1)(f) GDPR

Decision Authority: Hof van Beroep
Source verified 11 April 2026
articles corrected
amount discrepancy
authority corrected
Full Legal Summary

The Belgian 'Gegevensbeschermingsautoriteit' (DPA) received multiple complaints against IAB, a digital advertising company (alleged controller). The complaints concerned the ‘Transparency and Consent Framework’ (TCF), which was developed by the alleged controller. TCF is a standard technical framework that enables websites, advertisers and ad agencies to obtain, record, and update consumer consent, objections and preferences for web pages. TCF was meant to help companies become more GDPR compliant. TCF also makes it easier overall to record the preferences of data subjects for companies that use a so-called ‘consent management platform’ (CMP), which is an interface that appears when a data subject first navigates to a website or uses an application for the first time. Here, a data subject can give consent to the collection and/or sharing of personal data, or object to the processing of his/her data. These preferences are then saved and encoded in a ‘TC-string’, which can be shared with other companies. The CMP also places a cookie on the device of the data subject in question. The TC-string and this cookie could also be coupled with the IP address of the data subject.

Following the several complaints, the DPA started an investigation into IAB. After the DPA finished its investigation, it fined the alleged controller €250,000. In its decision, the DPA held, amongst other things, that IAB was the controller with regard to the processing of the registration of consent and objection of data subjects in the TC-string. The DPA also held that the alleged controller had to bring its processing activities into compliance with the GDPR. It had to provide a legal ground for processing in the context of TCF. It also needed to restrict its customers from using an opt-in consent in the CMP-interface, where data subjects would consent to legitimate interest (Article 6(1)(f) GDPR) as a legal basis. In addition, the alleged controller had to implement appropriate technical and organi

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Violations (6)

No Reject Button
critical

Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.

Art. 7 GDPR

Reject Harder Than Accept
critical

Refusing cookies requires more clicks or steps than accepting them, or the reject option is less visually prominent.

Art. 7 GDPR

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

Unclear Cookie Information
high

The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.

Art. 12, 13 GDPR

Misleading Banner Messaging
critical

The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).

Art. 7 GDPR

No Granular Cookie Choice
high

Users cannot select or deselect individual cookie categories; consent is presented as all-or-nothing.

Art. 4(11) GDPR

Related Cases (0)

No other cases found for Court case Tussenarrest 2022/AR/292 in BE

This is the only recorded case for this entity in this jurisdiction.

Details

Ruling Date

7 September 2022

Authority

DPA Hof van Beroep

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified
Cookie relevance: 80%

Cite as: Cookie Fines. Court case Tussenarrest 2022/AR/292 - Belgium (2022). Retrieved from cookiefines.eu
