Court case Tussenarrest 2022/AR/292 – Court Ruling (Belgium, 2022)

Court Ruling
DPA HofvanBeroep7 September 2022Belgium
final
Court Ruling

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A Belgian court ruled against IAB, a digital advertising company, for failing to properly manage user consent for cookies. The court found that IAB's consent framework did not meet legal requirements, which is important for protecting users' privacy online. This case shows that companies must ensure they have clear and effective consent mechanisms in place.

What happened

IAB was found to have inadequate consent management for cookies, violating user privacy rights.

Who was affected

Website visitors whose consent for cookie usage was not properly obtained were affected by this decision.

What the authority found

The court ruled that IAB's consent framework did not comply with GDPR requirements for user consent and transparency.

Why this matters

This ruling sets a precedent for stricter enforcement of consent requirements in digital advertising. Companies using cookie consent frameworks must review and improve their processes to comply with privacy laws.

GDPR Articles Cited

AI-verified

Art. 4(1) GDPR
Art. 4(7) GDPR
Art. 6(1) GDPR
Art. 24(1) GDPR
View original scraped data
Art. 5(1)(f) GDPR
Art. 5(1)(a) GDPR
Art. 6(GDPR)
Art. 12(GDPR)
Art. 13(GDPR)
Art. 14(GDPR)
Art. 24(GDPR)
Art. 25(GDPR)
Art. 30(GDPR)
Art. 32(GDPR)
Art. 35(GDPR)
Art. 37(GDPR)
Art. 38(GDPR)
Art. 39(GDPR)
Art. 4(1) GDPR
Art. 4(7) GDPR

Original data from scraper before AI verification against source document.

Decision AuthorityHof van Beroep
Reviewed AuthorityGegevensbeschermingsautoriteit
Source verified 11 April 2026
articles corrected
amount discrepancy
authority corrected
Belgium enforcementDPA HofvanBeroep actionsAll Court case Tussenarrest 2022/AR/292 actions
Full Legal Summary
Detailed

The Belgian 'Gegevensbeschermingsauthoriteit' (DPA) received multiple complaints against IAB, a digital advertising company (alleged controller). The complaints concerned the ‘Transparency and Consent Framework (TCF), which was developed by the alleged controller. TCF is a standard technical framework that enables websites, advertisers and ad-agencies to obtain, record, and update consumer consent, objections and preferences for web pages. TCF was meant to help companies to become more GDPR compliant. Also, TCF makes it overall easier to record preferences of data subject for companies that use the so called ‘consent management platform’ (CMP), which is an interface that appears when a data subject first navigates to a websites or uses an application for the first time. Here, a data subject can give consent for the collecting and/or sharing of personal data or object to the processing of his/her data. These preferences are then saved and encoded in a ‘TC-string,’ which can be shared with other companies. The CMP also places a cookie on the device of the data subject in question. The TC string and this cookie could also be coupled with the IP-address of the data subject. Following the several complaints, the DPA started an investigation into IAB. After the DPA finished its investigation, it fined the alleged controller €250,000. In its decision, the DPA held amongst other things that IAB was the controller with regard to the processing of the registration of consent and objection of data subjects in the TC-string. The DPA also held that the alleged controller had to bring its processing activities in compliance with the GDPR. It had to provide a legal ground for processing in the context of TCF. It also needed to restrict its customers from using an opt-in consent in the CMP-interface, where data subjects would consent to legitimate interest (Article 6(1)(f) GDPR) as a legal basis. In addition, the alleged controller had to implement appropriate technical and organi

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Violations (6)

No Reject Button
critical

Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.

Art. 7 GDPR

Reject Harder Than Accept
critical

Refusing cookies requires more clicks or steps than accepting them, or the reject option is less visually prominent.

Art. 7 GDPR

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

Unclear Cookie Information
high

The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.

Art. 12, 13 GDPR

Misleading Banner Messaging
critical

The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).

Art. 7 GDPR

No Granular Cookie Choice
high

Users cannot select or deselect individual cookie categories; consent is presented as all-or-nothing.

Art. 4(11) GDPR

Related Cases (0)

No other cases found for Court case Tussenarrest 2022/AR/292 in BE

This is the only recorded case for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

unknown (claimant)

2021 · DPA OLGLinz

CNIL

2019 · Court of Justice of the European Union

Details

Ruling Date

7 September 2022

Authority

DPA HofvanBeroep

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Court case Tussenarrest 2022/AR/292 - Belgium (2022). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: