The EU is intensifying scrutiny of digital advertising, targeting tracking-based models and redefining personal data. Legal rulings challenge IAB Europe's TCF, confirm shared GDPR liability, and outlaw key consent practices. With the DSA and DMA adding pressure, the shift toward privacy-first, consent-driven, and less intrusive ad models is accelerating across Europe.
EU digital advertising under scrutiny: From consent frameworks to surveillance-based ads
In recent years, the European Union has been steadily tightening its grip on digital advertising practices, particularly regarding trackingbased ads that rely on user profiling.
A series of legal rulings and regulatory decisions—including landmark court judgments and evolving interpretations of what constitutes personal data—have created substantial challenges for the industry. Central to these developments is IAB Europe’s Transparency and Consent Framework (TCF), long touted as the goto compliance mechanism for GDPR-driven advertising. Yet, courts have increasingly found the framework wanting.
Since its launch in 2017, the TCF aimed to standardize how publishers, advertisers, and ad-tech partners obtain, record, and share user consent compliant with the GDPR. But NGOs, including the Irish Council for Civil Liberties and Bits of Freedom, filed multiple complaints alleging serious GDPR violations. In February 2022, the Belgian Data Protection Authority (DPA) ruled that the TCF’s consent mechanisms failed to provide legally valid, freely given and informed consent and fined IAB Europe EUR 250,000.
On March 7, 2024, the Court of Justice of the European Union (CJEU) confirmed that the “TC String” — the technical encoding of a user’s consent preferences within the TCF — qualifies as personal data under GDPR, even if it doesn’t directly identify an individual. The CJEU also held that IAB Europe could be deemed a joint controller, depending on whether it exercises control for its own purposes.
On May 14, 2025, Belgium’s Market Court delivered a nuanced ruling further delineating liabilities in the digital ad ecosystem. It reaffirmed that TC Strings are personal data when linked to identifiable individuals through reasonable means, such as an IP address. It also confirmed that IAB Europe is a joint controller, but only for the processing of TC Strings — not for OpenRTB or broader ad-tech operations.
The court further underlined that other actors (CMPs, vendors, publishers) are also joint controllers under GDPR unless there's a clear, contractual allocation of responsibilities, so liability is shared equally by default. Responsibility cannot be offloaded onto one party; joint controllership requires proactively structured agreements.
In a related but independent case, the Brussels Court of Appeal ruled that the consent model underpinning trackingbased advertising—including within the TCF—is illegal under EU privacy law. Non-governmental organizations like Amnesty International hailed the decision as a significant win for privacy, labeling it a “major win for the right to privacy” and urging a move away from surveillance-based advertising.
Tech outlets and civil liberties groups echoed similar sentiments. The ruling targeted industry giants from Google to Amazon and Microsoft who rely heavily on real-time bidding systems based on user data.
The rulings not only struck at advertising practices but also broadened what counts as personal data. Te recap:
TC Strings were confirmed to be personal data if they can be linked to an identifiable individual—shifting the focus from direct identifiers to potential identification through inference.
Several EU rulings, such as those related to Google Analytics use in Austria, have also expanded perspectives on what constitutes identifiability and permitted data transfer mechanisms.
Beyond web ads, academic studies show GDPR had limited but measurable impact in reducing trackers per publisher, though many apps still fail to secure meaningful consent for thirdparty tracking.
The legal environment is thus adapting to encompass not only obvious identifiers but also behavioral signals that, in aggregate, reveal personal profiles.
The broader regulatory ecosystem adds further constraints:
The Digital Services Act (DSA), in force since November 2022, targets digital advertising more directly. It requires transparency (e.g., ad repositories), bans profiling based on sensitive data, and places stricter limitations on targeting ads to children.
The Digital Markets Act (DMA), effective since May 2023, cracks down on “gatekeeper” platforms (e.g., Google, Meta). Meta has faced fines for its “consentorpay” model, charging European users for adfree experiences without offering a privacyrespecting but free version. Apple and Meta were fined in April 2025 under DMA rules.
The combined effect of these decisions and regulations signals a profound shift:
Surveillance-based advertising is increasingly imperilled. Systems relying on mass profiling with opaque user tracking have never technically been GDPR safe but are likelier to be detected now than before.
Expanded liability under GDPR: IAB Europe and other ecosystem players now face joint and potentially equal responsibility without clear responsibility-sharing agreements.
Consent mechanisms must be genuinely informed and freely given. Fragmented, contractually siloed or default consents no longer cut it—especially when consentorpay tactics are seen as coercive.
Legal definitions of personal data are evolving. Even metadata or encoded user preferences qualify if re-identifiable by reasonable means.
Push towards privacy-first advertising models. Expect the EU ad-tech ecosystem to shift toward contextual ads, less invasive models, and enhanced transparency.
The European Union is recalibrating its approach to digital advertising—from passive regulation to active interference. The Brussels appeals court has dealt a decisive blow to tracking-based models, while the Belgian Market Court has clarified liability frameworks. Meanwhile, GDPR’s scope, layered by DSA and DMA mandates, is rendering traditional real-time bidding and surveillance methodologies legally risky.
Ad-tech players must rethink consent mechanisms, re-structure data controller relationships, and refocus on privacy-centric advertising models. A comprehensive consent management platform is one step in the right direction.
©2025 CookieHub ehf.
