

Jun 10, 2025 · 7 minute read

After the TCF and GTM Rulings: Why Consent Architecture Can No Longer Be Superficial

TCF and GTM Rulings: Consent Can’t Be Superficial

Two European court rulings delivered over the past two months have permanently shifted the boundaries of what is considered lawful digital consent under GDPR and the ePrivacy Directive. These judgments have immediate implications for every organization relying on cookie banners, tag managers, and third-party frameworks to demonstrate compliance.

Both cases take direct aim at two foundational pillars of digital marketing infrastructure: the Transparency and Consent Framework (TCF) and Google Tag Manager (GTM). Together, they send a clear message to data controllers, publishers, and privacy officers: surface-level compliance is no longer enough. The legal requirement is now for enforceable, verifiable consent - built directly into the architecture of your digital systems.

The TCF No Longer Provides Legal Cover

On 14th May 2025, the Belgian Market Court upheld the finding that IAB Europe’s Transparency and Consent Framework version 2.2 is not compliant with the GDPR. The court confirmed that the TC String - the encoded consent signal passed to advertising vendors - qualifies as personal data. Distributing it across hundreds of ad tech companies cannot be justified under a blanket “legitimate interest” claim.

More critically, the ruling affirms that any organization using the TCF becomes a joint controller for that data. This shifts legal responsibility upstream to websites and publishers who adopt the framework through their Consent Management Platforms (CMPs).

The court also rejected IAB Europe’s corrective action plan as insufficient. The defects were not procedural but structural. In effect, the judgment declares that the TCF in its current form cannot be repaired - it will require a fundamental redesign.

Any organization that continues to operate with a TCF-based consent framework is now assuming legal risk that cannot be offset by policy documentation or vendor contracts alone.

The GTM Decision Shows Why Delayed Cookies Are Not Enough

The second ruling, 10 A 5385/22, came on 18 March 2025 from the Administrative Court of Hanover in Germany. The court found that Google Tag Manager violates both Article 6 of the GDPR and Section 25(1) of the German TTDSG (now continued as §25 TDDDG following the Telecommunications Digital Services Data Protection Act update). The core issue was that GTM begins data transfers before the user has had any opportunity to consent.

Specifically, the court found that:

  • The initial gtm.js call transmits the user's IP address to Google, constituting personal data processing.
  • Local storage and cookies are written to the device before any user interaction, breaching ePrivacy Directive Article 5(3).
  • Third-party scripts are executed without transparency or prior approval, circumventing meaningful consent.

The judgment highlights that even if a CMP delays cookie placement, this does not ensure compliance if the underlying tag management infrastructure initiates tracking or data access prematurely. The technical reality of execution is what determines legality - not the theoretical sequence declared in a consent script.

The same scrutiny now applies to Google Consent Mode 2.0. Although it was introduced to help organizations align with consent requirements, it is only compliant if GTM and the page architecture enforce strict pre-consent control. In practice, many implementations of Consent Mode 2.0 still allow external tags or signals to fire before consent is collected. Courts and regulators are no longer accepting this disconnect between declared intent and technical behavior.

The Real Shift: Consent as System, Not Symbol


These decisions reflect a deeper shift. Consent is no longer something that can be layered onto an existing infrastructure. It must be built into the system - enforced in execution logic, observable in network behavior, and verifiable through records.

A CMP banner alone is not enough. Delaying cookies is not enough. The architecture must prevent any data from being accessed, stored, or transmitted until the user has made an informed and voluntary choice. This is a design problem, not just a legal one.

Organizations now face a structural challenge. Legacy tools and workflows that were designed around superficial consent patterns are no longer fit for purpose. The shift will not be solved by updating banner language or switching frameworks. It requires a rethinking of how consent is technically enforced at every layer of the data stack.

Rebuilding Consent: The Architecture Compliance Now Requires

To meet these legal and operational demands, a new approach is emerging. Organizations seeking to future-proof their compliance posture are moving toward consent architectures that are enforceable by design, verifiable in audit, and independent of third-party control.

A defensible and sustainable consent system typically includes the following characteristics:

Strict pre-consent control

No external scripts or data transfers should occur before the user gives consent. This includes blocking the initial load of GTM itself. Google Consent Mode 2.0 must also be configured so that no tags are permitted to trigger until consent is explicitly obtained.

Self-hosted CMP logic

Consent banners, configuration logic, and logs should be delivered from the organization’s own domain. Loading these from a third-party server can itself create a pre-consent network request that violates ePrivacy Directive requirements.

Tag injection only after opt-in

Google Tag Manager and similar tools should only be injected into the page after the user has opted in. Delaying tag firing is not sufficient if the tag loader initiates any external calls before consent.

Note: This also applies to server-side / first-party tag management; consent is still required.

Consent-as-evidence

Systems must maintain tamper-proof, auditable records of consent decisions, including purpose categories, timestamps, and method of collection. This goes beyond simple logs and enables organizations to demonstrate legal basis under audit.

Predictable and transparent pricing

Usage-based billing models create operational instability. Flat-fee licensing per domain ensures that evolving compliance demands - such as regional variation or improved enforcement logic - do not trigger unpredictable cost increases or inhibit necessary changes.
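A minimal version of the gate these characteristics describe, as an added example rather than AesirX CMP's own code: Consent Mode 2.0 defaults are pushed as denied before anything loads, the gtm.js loader is appended only after a recorded opt-in, and every decision (a rejection included) is kept as a record with purposes, timestamp and collection method. The container id, the purpose names, and the injected `doc` and `dataLayer` handles are assumptions made so the logic can run outside a browser.

```javascript
// Added example, not AesirX CMP code: a small consent gate that holds Google Tag
// Manager and Consent Mode 2.0 back until the user decides, and records the decision.
// Container id and purpose names are placeholders; `doc`/`dataLayer` are injected.

// Consent Mode 2.0 default: every signal denied until a choice is recorded.
const CONSENT_MODE_DEFAULTS = Object.freeze({
  ad_storage: 'denied', ad_user_data: 'denied',
  ad_personalization: 'denied', analytics_storage: 'denied',
});

class ConsentGate {
  constructor(doc, dataLayer, containerId) {
    this.doc = doc;                 // document, or a stub in tests
    this.dataLayer = dataLayer;     // window.dataLayer in a browser
    this.containerId = containerId;
    this.record = null;             // consent-as-evidence record, null until a choice exists
    this.injected = false;
  }
  // Mirrors the gtag() helper snippet: push the arguments onto dataLayer.
  gtag(...args) { this.dataLayer.push(args); }
  // Called before anything else on the page; no script is loaded here.
  setDefaults() { this.gtag('consent', 'default', { ...CONSENT_MODE_DEFAULTS }); }
  // Map granted purpose categories to Consent Mode signals; anything else stays denied.
  static signalsFor(purposes) {
    const ads = purposes.includes('advertising') ? 'granted' : 'denied';
    const analytics = purposes.includes('analytics') ? 'granted' : 'denied';
    return { ad_storage: ads, ad_user_data: ads, ad_personalization: ads, analytics_storage: analytics };
  }

  // Record the choice (purposes, timestamp, collection method) and only then act on it.
  // A rejection is recorded too: the absence of tracking must be provable as well.
  decide(purposes, method, now = Date.now()) {
    this.record = { purposes: [...purposes], method, timestamp: new Date(now).toISOString() };
    this.gtag('consent', 'update', ConsentGate.signalsFor(purposes));
    if (purposes.length > 0) this.injectTagManager();
    return this.record;
  }

  // The gtm.js loader is appended only here, so no request to Google exists before opt-in.
  injectTagManager() {
    if (this.injected || !this.record || this.record.purposes.length === 0) return false;
    const s = this.doc.createElement('script');
    s.async = true;
    s.src = 'https://www.googletagmanager.com/gtm.js?id=' + encodeURIComponent(this.containerId);
    this.doc.head.appendChild(s);
    this.injected = true;
    return true;
  }
}
```

In a browser the page would call `setDefaults()` from an inline first-party script at the top of `<head>` and `decide()` from the banner's button handlers; the consent record itself would then be sent to the organization's own logging endpoint.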

Our own implementation at AesirX CMP (Consent Management Platform) is purpose-built around these principles. It prevents data leaks prior to consent, supports granular consent logging, and operates under a flat pricing model to remove barriers to sustainable compliance. Full documentation and version details are available at aesirx.io.

This approach is not a workaround. It is a compliance foundation that matches the direction of EU regulatory enforcement and legal interpretation.

What to Review in Your Current Stack

In light of these developments, organizations should use the coming quarter to conduct a consent architecture review. Start with these five questions:

  • Does your CMP still push a TCF string or preload GTM or Server-Side / First-Party Tag Management before consent?
  • Do any network calls or script executions occur on first page load before the user interacts with the banner? (You can check for free with our Privacy Scanner)
  • Does your vendor mapping rely on legitimate interest to justify tracking shared through frameworks like TCF?
  • Does your CMP pricing model create financial risk when implementing updates, localization, or scaling to new regions?
  • Have you documented a remediation timeline that can be shown to regulators, not just plans or intentions?
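One way to answer the second question on your own site, as an added example that is neither the post's nor the AesirX Privacy Scanner's code: it reads Resource Timing entries (the shape `performance.getEntriesByType('resource')` returns) and lists every third-party host contacted before the consent timestamp. The site domain, the hostnames and the timings in the sample are constructed.

```javascript
// Added example, not the post's or the AesirX Privacy Scanner's code: list third-party
// requests that started before the user's consent decision, from the browser's Resource
// Timing entries. The sample entries, hostnames and timings below are constructed.

// A host is first-party when it is the site's domain or a subdomain of it.
function isFirstParty(hostname, siteDomain) {
  return hostname === siteDomain || hostname.endsWith('.' + siteDomain);
}

// entries: objects with `name` (URL) and `startTime` (ms since navigation start),
// the shape performance.getEntriesByType('resource') returns in a browser.
// consentAt: ms since navigation start when the user decided, or null if never.
function preConsentThirdPartyRequests(entries, siteDomain, consentAt = null) {
  const findings = [];
  for (const e of entries) {
    let u;
    try { u = new URL(e.name); } catch { continue; }                  // malformed: nothing to attribute
    if (u.protocol !== 'https:' && u.protocol !== 'http:') continue;  // data:, blob: stay local
    if (isFirstParty(u.hostname, siteDomain)) continue;
    if (consentAt !== null && e.startTime >= consentAt) continue;     // after opt-in: permitted
    findings.push({ host: u.hostname, url: u.origin + u.pathname, startTime: e.startTime });
  }
  return findings;
}

// Per-host summary: which vendors were contacted, and how early.
function earliestByHost(findings) {
  const out = {};
  for (const f of findings) {
    if (!(f.host in out) || f.startTime < out[f.host]) out[f.host] = f.startTime;
  }
  return out;
}

// Constructed sample: what a page might record when gtm.js and a remote CMP config
// load on first paint, and the user clicks "accept" about four seconds in.
const SAMPLE_ENTRIES = [
  { name: 'https://www.example-shop.test/app.js', startTime: 12 },
  { name: 'https://static.example-shop.test/banner.css', startTime: 15 },
  { name: 'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER', startTime: 40 },
  { name: 'https://cmp.vendor-cdn.test/config.json', startTime: 55 },
  { name: 'data:image/svg+xml,%3Csvg%3E%3C/svg%3E', startTime: 60 },
  { name: 'https://www.google-analytics.com/g/collect?v=2', startTime: 4100 },
];
const SAMPLE_CONSENT_AT = 4000;

// In a browser, after the banner records its decision time as `consentAt`:
// preConsentThirdPartyRequests(performance.getEntriesByType('resource'), 'example-shop.test', consentAt)
```

Run against the sample, the gtm.js load and the remote CMP config are flagged while the analytics hit after opt-in is not; on a real page, anything in the list is a pre-consent data flow to explain or remove.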

These rulings are not just enforcement signals. They represent the new baseline for what counts as lawful digital data processing. Systems that cannot enforce consent at the code level will not withstand the next round of audits or complaints.


Engineering Consent that Survives the Next Court Case

Organizations now have a clear choice: retrofit and defend outdated structures, or transition to a model where consent is technically enforced, verifiably recorded, and built for adaptability.

As a privacy technologist, I encourage teams to treat this not as a compliance burden but as a governance opportunity. Consent is no longer a checkbox. It is a measurable, enforceable contract between users and systems.

If your organisation is unsure whether your current CMP configuration or tag architecture is compliant, I am happy to schedule a technical privacy review. Identifying pre-consent data flows is often faster than expected - and essential to mitigating risk before it becomes enforcement.

We are no longer in the era of symbolic compliance. The law now expects consent that is real - and systems that can prove it.

Ronni K. Gothard Christiansen

Technical Compliance Specialist & CEO, AesirX.io

Helping organizations align system architecture with enforceable digital privacy.

If internal resources are limited, our Alliance for Compliance offers a path to fast-track implementation, monitoring, and continuous privacy validation.
