Listen to our chat on how this ruling impacts Google, Meta, and X:

A sweeping legal shift is shaking the foundations of digital advertising across Europe, as landmark court decisions have found that tracking-based advertising—often employed by giants such as Google, Microsoft, Amazon, and X—is fundamentally incompatible with EU data privacy law. The recent rulings not only disrupt revenue models underpinning much of today’s free internet, but also mark a significant turning point in the debate over surveillance capitalism, consumer privacy, and tech industry compliance.

Europe’s highest courts have repeatedly scrutinized “behavioral” or tracking-based ads, where platforms follow users across apps and websites to harvest personal data later used to deliver targeted content. On March 7, 2023, the Court of Justice of the European Union (CJEU) rendered a decisive verdict against the practice, ruling that the General Data Protection Regulation (GDPR) does not sanction the auctioning of personal data for ad targeting—even if users are bombarded with consent pop-ups. The CJEU’s finding: invasive tracking and profiling cannot rely on so-called consent mechanisms as currently designed, fundamentally undercutting the legal basis for these ubiquitous practices, as reported by EDRi.

At the center of the storm is the Transparency and Consent Framework (TCF), devised by the IAB Europe, an advertising industry body. The CJEU’s judgment recognized IAB Europe as a “joint data controller” alongside its advertiser partners, concluding that the TCF collects fragments of information that, when pieced together, constitute personal data capable of identifying and profiling users. This recognition signals that responsibility for personal data does not only rest with those directly accessing it, but also with parties shaping how it is processed and purposed.

As coverage by Engadget highlights, following the CJEU’s decision, national regulators are now swiftly enforcing the block on tracking-based ad mechanisms. The Belgian Data Protection Authority, for instance, previously found that the TCF and its industry-standard consent pop-ups failed to comply with core GDPR requirements—specifically around genuine user consent and transparency. According to Storyboard18, the Belgian court explicitly ruled against the framework for its “lack of transparency,” branding it illegal and spotlighting the inability of individuals to meaningfully understand or control the use of their data.

These rulings have sent tremors throughout the tech sector. Platforms and ad-tech providers that underpin much of the internet’s ad infrastructure now face mounting legal and compliance challenges. As the Irish Council for Civil Liberties (ICCL) reported, the implications could be profound for global ad-tech and social networks: “Google, Microsoft, Amazon, and X are all immediately affected,” with the judgment effectively declaring that their tracking-based ad operations have “no legal basis” in European markets.

Tech companies are scrambling to adapt, but the scope of the rulings offers little room for maneuver under current business models. Alternatives such as contextual ads—targeted based on the content users are viewing, rather than on surveillance-driven profiles—are gaining attention. Regulators, meanwhile, are sending a clear message to the industry: the era of opaque data harvesting and algorithmic targeting, without robust user control and privacy guarantees, is drawing to a close.

The broader significance extends beyond advertising. These decisions challenge the premise of “free” online platforms funded by personal data exploitation. For policymakers, privacy advocates, and industry strategists, the verdict is clear—European courts are leading a global rethinking of what constitutes legitimate, accountable digital business in the age of data.