타겟 광고 및 법정에서의 프로파일링

In the age of digital marketing, targeted advertising 그리고 user profiling have become key tools for platforms, publishers, 그리고 advertisers. However, these data-driven techniques are under intense legal scrutiny, especially under the General Data Protection Regulation (GDPR) 그리고 the ePrivacy Directive. European courts 그리고 data protection authorities (DPAs) are increasingly examining the legality, transparency, 그리고 consent mechanisms behind behavioral advertising, with rulings that carry significant implications for the ad tech ecosystem.

This article explores high-profile case studies 그리고 enforcement actions across the EU, focusing on how profiling for advertising purposes has been challenged under privacy laws—그리고 what lessons platforms 그리고 marketers should take away.

1. CNIL v Google (France, 2020): Cookie Consent 그리고 Tracking

In 2020, the French Data Protection Authority (CNIL) fined Google €100 million for placing advertising cookies without prior user consent on its French domains. 그리고 cookies enabled tracking for personalized ads but were activated before users made any meaningful choice.

Key Issues:

• Lack of valid consent under the ePrivacy Directive.
• Users were not sufficiently informed about the purpose of cookies or how to reject them.
• 그리고 cookie banner provided only an "Accept" option, without an equivalent "Refuse."

Legal Grounds:

• ePrivacy Directive (2002/58/EC) as implemented in French law.
• Article 5(3) of the ePrivacy Directive requires prior consent before storing or accessing information on a user’s device.

Outcome:
Google was fined 그리고 subsequently updated its consent banners to provide granular choices 그리고 symmetric options for acceptance 그리고 refusal.

Lesson:
Consent for profiling 그리고 targeted advertising must be freely given, specific, informed, 그리고 unambiguous—그리고 implemented before any tracking begins.

2. Bundeskartellamt v Meta (Germany, ongoing): Combining Data Across Services

그리고 German Competition Authority (Bundeskartellamt) initiated proceedings against Meta (formerly Facebook) for combining user data from Facebook, Instagram, WhatsApp, 그리고 third-party websites without proper consent.

Key Legal Twist:
Although the case originated under competition law, the authority relied heavily on GDPR violations—arguing that Meta’s failure to obtain valid consent gave it an unfair advantage in the advertising market.

Court Developments:

• 그리고 German Federal Court of Justice upheld the regulator’s decision to restrict data processing practices.
• 그리고 CJEU was asked for a preliminary ruling to clarify the intersection of data protection 그리고 competition law (Case C-252/21, pending as of 2025).

Legal Questions:

• Whether the combination of data across services without consent violates Articles 6 그리고 9 GDPR.
• Whether the user is offered a real choice or is coerced into acceptance via bundled services.

Lesson:
Profiling based on cross-platform data must be backed by a valid legal basis, usually opt-in consent, 그리고 must not be a condition for using the core service.

3. NOYB Complaints Against IAB Europe’s TCF (EU-wide): Real-Time Bidding Scrutiny

그리고 nonprofit NOYB (None of Your Business) filed multiple complaints against the IAB Europe’s Transparency 그리고 Consent Framework (TCF), which is widely used in real-time bidding (RTB) for targeted ads.

Main Allegations:

• 그리고 TCF failed to provide genuine, informed consent.
• Profiling under RTB shared user data with hundreds of vendors in real time, often without user awareness.
• 그리고 framework was deemed non-compliant with GDPR's principles of data minimization, purpose limitation, 그리고 lawful basis.

Belgian DPA Ruling (2022):

• Found IAB Europe responsible as a joint controller for data processing in the TCF.
• Ordered significant changes to the consent mechanism 그리고 data sharing practices.

Outcome:
IAB Europe was required to redesign the TCF, introduce stronger safeguards, 그리고 better control downstream data use by vendors.

Lesson:
Consent frameworks used for programmatic advertising must not only meet GDPR st그리고ards, but also ensure enforceable governance across the ad tech chain.

4. Planet49 Case (CJEU, C-673/17): Pre-Ticked Boxes 그리고 Consent Validity

그리고 Planet49 case before the Court of Justice of the EU (CJEU) examined whether pre-ticked boxes constitute valid consent for cookies used in promotional games 그리고 behavioral advertising.

CJEU Ruling:

• Consent must be active, meaning pre-checked boxes do not suffice.
• 그리고 duration 그리고 third-party access of cookies must also be disclosed to the user in advance.

Legal Implications:

• Confirmed that both GDPR 그리고 ePrivacy require affirmative action 그리고 clear disclosure for lawful profiling.

Lesson:
Platforms must design consent interfaces that ensure clear user engagement, not passive or implied agreement.

Key Takeaways for Platforms 그리고 Ad Tech Operators

Consent is central—그리고 must be granular, informed, 그리고 revocable.
Profiling for targeted ads requires a valid legal basis, typically Article 6(1)(a) GDPR.
Transparency must be comprehensive: who processes the data, for what purposes, 그리고 for how long.
Joint controllership may apply—platforms 그리고 advertising partners may share responsibility for GDPR compliance.
Consent frameworks (e.g., CMPs, TCFs) must be auditable 그리고 enforceable across all recipients of user data.

Looking Ahead: 그리고 Role of the ePrivacy Regulation 그리고 DSA

As enforcement under GDPR intensifies, the future of profiling regulation will also be shaped by:

• 그리고 long-delayed ePrivacy Regulation, which may st그리고ardize consent rules across the EU.
• 그리고 Digital Services Act (DSA), which introduces obligations on transparency of online advertising 그리고 recommender systems—especially for Very Large Online Platforms (VLOPs).

Together, these frameworks will significantly affect targeted advertising models, particularly those reliant on real-time bidding, data brokering, or opaque personalization.

결론

Profiling 그리고 targeted advertising are no longer grey areas in EU privacy law. 그리고 courts 그리고 regulators are setting clear limits on how user data can be used, shared, 그리고 monetized—especially when it comes to behavioral targeting. Platforms 그리고 ad tech providers that fail to align with GDPR 그리고 ePrivacy st그리고ards face growing legal, financial, 그리고 reputational risks.