Are cookie banners illegal?

Google's and Amazon's tracking-based advertising is under fire in the EU. In a landmark decision, the Brussels Court of Appeal invalidates cookie consent banners built on the Transparency & Consent Framework of IAB Europe.


On 14 May 2025, the Brussels Court of Appeal upheld the decision of the Belgian Data Protection Authority (DPA) of 2 February 2022. The ruling says that the Transparency & Consent Framework (TCF) of IAB Europe - basically the system behind cookie banners for real-time bidding of advertisements - is in violation of the GDPR and, thus, illegal across the entire European Union. But what does this ruling mean for you and the annoying cookie banners that jump in front of your face all the time? Let's dive into this!


The technical standard used by advertising companies to collect GDPR consent online is illegal. The consequences could be huge - for media outlets, but also for industry giants such as Google, Amazon, Microsoft, X, and others.

Decision of the Belgian DPA

The Belgian data protection authority APD has ruled - and the Brussels Court of Appeal has now confirmed this - that a central mechanism for cookie banners violates the European General Data Protection Regulation (GDPR). The decision was made in a so-called one-stop procedure. This means it applies to the entire EU. The procedure stems from a complaint by the Irish Council for Civil Liberties and other European civil rights organizations and could potentially be a huge blow to the European advertising industry.


Tough blow to the data industry

Based on this ruling, TCF-based cookie banners are now illegal across Europe because they violate the GDPR on multiple levels:

  • Invalid consent collection (Articles 5(1)(a), 6 GDPR)
  • Lack of transparency (Articles 12–14 GDPR)
  • Insufficient security of personal data (Articles 5(1)(f), 25, 32 GDPR)

Advertisers justifying cookie tracking as “legitimate interest” are also in breach of the GDPR. The court explicitly rejected the use of “legitimate interest” as a legal basis for real-time bidding (RTB) and similar forms of online tracking due to their severe privacy risks. So, cookie banners offering legitimate interest toggles for ad tracking are illegal.

Dr Johnny Ryan, Director of Enforce at the Irish Council for Civil Liberties, said:

“Today’s court’s decision shows that the consent system used by Google, Amazon, X, Microsoft, deceives hundreds of millions of Europeans. The tech industry has sought to hide its vast data breach behind sham consent popups. Tech companies turned the GDPR into a daily nuisance rather than a shield for people.”

Targeted advertising on the internet works like this (simplified explanation): Every visit to a website using cookie tracking for targeted advertisement triggers an auction among the providers of advertisements. A decision is made in a matter of milliseconds as to which advertisements the user will see based on the user’s profile and some other factors (= real-time bidding).

Real-time bidding

For this real-time bidding (RTB) to work, the advertising companies want to know a lot about the person currently browsing their website: Age, gender, interests, websites visited, place of residence, purchasing power and more. This data is used to display the best suited ad, the one that the user will most likely click.

Read here why we at Tuta call on banning targeted advertisements altogether and why we believe that the ad-based business model must die.


However, under the GDPR such tracking is only allowed if the user consents to it. The Transparency and Consent Framework (TCF) by the advertising association IAB Europe supposedly asks for this consent: If users click on “accept cookies” or do not object to the claim that the use of their data is in the legitimate interest of the provider, the TCF generates a so-called TC string. This identifier forms the basis for the creation of individual profiles. The profiles are then matched against the advertisements to be displayed. In doing so, the TC string is forwarded to hundreds and hundreds of partners in the OpenRTB system.

The entire ad industry (when talking about targeted ads) is based on the TC string, which makes it the most important standard in the online advertising ecosystem.

How does the decision influence the ad industry?

In a landmark ruling, the Belgian APD decided in 2022 - and the Brussels court has now confirmed - that sharing the TC string with hundreds of partners violates the General Data Protection Regulation. According to the supervisory authority, the system used by advertisers to collect consent for targeted advertising on the Internet does not comply with the principles of legality and fairness.

In its ruling, the Belgian APD issued a fine of 250,000 euros against the advertising association IAB Europe, which develops and operates the TCF mechanism. Furthermore, IAB must now delete the personal data already collected - which is a goldmine for the ad industry. How much is it worth? This can be estimated by looking at a similar ruling imposed on Google in 2024 which forced the tech giant to delete $5 billion worth of user data illegally collected in Incognito Mode. Even more significant, however, are the conditions that the Belgian APD is imposing on the advertising industry to continue using the Transparency and Consent Framework at all.

Thousands of website operators, almost all online media and also large advertising companies such as Google, Microsoft, Amazon, X, and others use the mechanism to pass on the supposed consent of users to the processing of their personal data for advertising purposes.

Hielke Hijmans, Chairman of the Litigation Chamber of the Belgian APD says:

“People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day in order to expose them to personalized ads. Although it concerns the TCF, and not the whole real-time bidding system, our decision today will have a major impact on the protection of the personal data of internet users. Order must be restored in the TCF system so that users can regain control over their data.”

Even if the decision does not directly affect the entire advertising system on the internet, it will have a major impact on the protection of web users’ personal data, says Hijmans.

Why is the decision significant?

The Belgian data protection authorities argue that not only the advertising profiles are personal data, but the TC string - which is used for targeted advertisements - must be considered personal data as well. This string can be combined with the IP address and, thus, make any user identifiable.

The court ruling made this absolutely clear:

“The TC String is personal data. As the CJEU confirmed in this very case, this applies whether IAB Europe has access to it or not.”

As a consequence, IAB Europe violates the GDPR with the TCF protocol used to generate TC strings. Furthermore, the consents given by the users to the data tracking (cookies) are ineffective as there is no sufficient legitimate interest of the website owner to ask for such consent in the first place.

The authorities argue that the legitimate interest of the users outweighs the legitimate interest of the advertisement companies due to the high risk associated with tracking-based real-time bidding advertising.

Additionally, the information provided to users when giving consent was too general and vague for them to understand the nature and the scope of the processing of their data, especially given the complexity of tracking-based advertisement.

So the main question that arises from this discussion about legal details on tracking is: Are cookie banners illegal? Similar to the question of whether Google Analytics is illegal in the EU, the answer is yes and no.

While many current cookie banner implementations in the EU are now illegal - for instance because they justify ad tracking as legitimate interest or because they are too vague as to what data is being collected and why - the use of cookie banners in general is not illegal in the EU.

But what does this mean for the future of cookies?

Cookie banners have become a real nuisance online, sometimes even as annoying as the ads themselves - which people can block via ad-blockers, even within Gmail. What annoys people most about cookie banners is that it’s usually very easy to “Accept All” - while the option to “Reject All” is often not given. However, this practice of websites - showing only an “Accept All” button - is now also under fire in Germany, so hopefully a “Reject All” button will soon be available everywhere.

In any case, following the current ruling from Brussels, publishers need to adapt the use of cookie banners. Publishers must:

  • Use genuine opt-in consent for tracking cookies (no pre-checked boxes)
  • Provide clear, concise information about what data is collected and why
  • Not rely on “legitimate interest” as a basis for ad tracking
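
To check a consent string against the last requirement, the sketch below decodes the leading fields of a TC string and reports advertising purposes that are flagged under legitimate interest. It is an added example, not code from the article or from IAB Europe; the field labels, `auditLegitimateInterest`, the default purpose list and the sample string are assumptions built for illustration, with bit widths taken from the public TCF v2 core-string layout.

```javascript
// Leading fields of the TCF v2 core segment as [label, width in bits].
const FIELDS = [
  ["version", 6], ["created", 36], ["lastUpdated", 36], ["cmpId", 12],
  ["cmpVersion", 12], ["consentScreen", 6], ["consentLanguage", 12],
  ["vendorListVersion", 12], ["tcfPolicyVersion", 6], ["isServiceSpecific", 1],
  ["useNonStandardTexts", 1], ["specialFeatureOptIns", 12],
  ["purposeConsents", 24], ["purposeLegitimateInterests", 24],
];
const isBitfield = (name) => name.startsWith("purpose");

// Decode the core segment (the text before the first ".") into named fields.
function decodeCore(tcString) {
  const b64 = tcString.split(".")[0].replace(/-/g, "+").replace(/_/g, "/");
  const bits = [...Buffer.from(b64, "base64")]
    .map((byte) => byte.toString(2).padStart(8, "0")).join("");
  const out = {};
  let pos = 0;
  for (const [name, width] of FIELDS) {
    const slice = bits.slice(pos, pos + width);
    if (slice.length < width) throw new Error(`TC string too short at ${name}`);
    out[name] = isBitfield(name) ? slice : parseInt(slice, 2);
    pos += width;
  }
  return out;
}

// Hypothetical audit helper: which purposes in adPurposes have their
// legitimate-interest bit set? The default purpose list is an assumption.
// "created" is stored in deciseconds since the Unix epoch.
function auditLegitimateInterest(tcString, adPurposes = [2, 3, 4, 7]) {
  const core = decodeCore(tcString);
  const flagged = adPurposes.filter((p) => core.purposeLegitimateInterests[p - 1] === "1");
  return { cmpId: core.cmpId, created: new Date(core.created * 100).toISOString(), flagged };
}

// Test-data builder (inverse of decodeCore) so the sample is constructed here.
function encodeCore(values) {
  let bits = "";
  for (const [name, width] of FIELDS) {
    const v = values[name] ?? 0;
    bits += isBitfield(name) ? String(v || "").padEnd(width, "0") : v.toString(2).padStart(width, "0");
  }
  const bytes = bits.padEnd(Math.ceil(bits.length / 8) * 8, "0").match(/.{8}/g);
  return Buffer.from(bytes.map((b) => parseInt(b, 2))).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample: consent for purpose 1 only, legitimate interest on 2, 7, 9.
const SAMPLE = encodeCore({ version: 2, created: Date.UTC(2025, 4, 14) / 100, cmpId: 999,
  purposeConsents: "1", purposeLegitimateInterests: "010000101" });
console.log(auditLegitimateInterest(SAMPLE));
```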

First consequence? Google’s new ‘Reject All’ button

A first sign of European authorities applying customer rights in a stricter way is that Google is finally adding a ‘Reject All’ button to its cookie banners.

Is the old Google cookie banner illegal in Europe? Google has added a ‘Reject All’ button by now.

Good news for privacy fans

For internet users who value data protection, the decision of the Belgian DPA and the Brussels Court of Appeal to declare cookie banners illegal in their currently used form is very good news.

Firstly, because ad tech companies will have to delete the user data they have collected through the TCF mechanism.

Secondly - and more importantly - the decision of the Belgian data protection authorities could lead to the whole system of personalized advertisements being overturned.

This could finally put an end to targeted advertising.
