Targeted Advertising & Profiling in Court
Targeted advertising and user profiling have become focal points in privacy litigation, raising critical questions about consent, transparency, and data protection.
In the age of digital marketing, targeted advertising and user profiling have become key tools for platforms, publishers, and advertisers. However, these data-driven techniques are under intense legal scrutiny, especially under the General Data Protection Regulation (GDPR) and the ePrivacy Directive. European courts and data protection authorities (DPAs) are increasingly examining the legality, transparency, and consent mechanisms behind behavioral advertising, with rulings that carry significant implications for the ad tech ecosystem.
/wp:paragraph wp:paragraphThis article explores high-profile case studies and enforcement actions across the EU, focusing on how profiling for advertising purposes has been challenged under privacy laws—and what lessons platforms and marketers should take away.
/wp:paragraph wp:heading1. CNIL v Google (France, 2020): Cookie Consent and Tracking
/wp:heading wp:paragraphIn 2020, the French Data Protection Authority (CNIL) fined Google €100 million for placing advertising cookies without prior user consent on its French domains. The cookies enabled tracking for personalized ads but were activated before users made any meaningful choice.
/wp:paragraph wp:paragraphKey Issues:
/wp:paragraph wp:list- Lack of valid consent under the ePrivacy Directive.
- Users were not sufficiently informed about the purpose of cookies or how to reject them.
- The cookie banner provided only an "Accept" option, without an equivalent "Refuse."
Legal Grounds:
/wp:paragraph wp:list- ePrivacy Directive (2002/58/EC) as implemented in French law.
- Article 5(3) of the ePrivacy Directive requires prior consent before storing or accessing information on a user’s device.
Outcome:
Google was fined and subsequently updated its consent banners to provide granular choices and symmetric options for acceptance and refusal.
Lesson:
Consent for profiling and targeted advertising must be freely given, specific, informed, and unambiguous—and implemented before any tracking begins.
2. Bundeskartellamt v Meta (Germany, ongoing): Combining Data Across Services
/wp:heading wp:paragraphThe German Competition Authority (Bundeskartellamt) initiated proceedings against Meta (formerly Facebook) for combining user data from Facebook, Instagram, WhatsApp, and third-party websites without proper consent.
/wp:paragraph wp:paragraphKey Legal Twist:
Although the case originated under competition law, the authority relied heavily on GDPR violations—arguing that Meta’s failure to obtain valid consent gave it an unfair advantage in the advertising market.
Court Developments:
/wp:paragraph wp:list- The German Federal Court of Justice upheld the regulator’s decision to restrict data processing practices.
- The CJEU was asked for a preliminary ruling to clarify the intersection of data protection and competition law (Case C-252/21, pending as of 2025).
Legal Questions:
/wp:paragraph wp:list- Whether the combination of data across services without consent violates Articles 6 and 9 GDPR.
- Whether the user is offered a real choice or is coerced into acceptance via bundled services.
Lesson:
Profiling based on cross-platform data must be backed by a valid legal basis, usually opt-in consent, and must not be a condition for using the core service.
3. NOYB Complaints Against IAB Europe’s TCF (EU-wide): Real-Time Bidding Scrutiny
/wp:heading wp:paragraphThe nonprofit NOYB (None of Your Business) filed multiple complaints against the IAB Europe’s Transparency and Consent Framework (TCF), which is widely used in real-time bidding (RTB) for targeted ads.
/wp:paragraph wp:paragraphMain Allegations:
/wp:paragraph wp:list- The TCF failed to provide genuine, informed consent.
- Profiling under RTB shared user data with hundreds of vendors in real time, often without user awareness.
- The framework was deemed non-compliant with GDPR's principles of data minimization, purpose limitation, and lawful basis.
Belgian DPA Ruling (2022):
/wp:paragraph wp:list- Found IAB Europe responsible as a joint controller for data processing in the TCF.
- Ordered significant changes to the consent mechanism and data sharing practices.
Outcome:
IAB Europe was required to redesign the TCF, introduce stronger safeguards, and better control downstream data use by vendors.
Lesson:
Consent frameworks used for programmatic advertising must not only meet GDPR standards, but also ensure enforceable governance across the ad tech chain.
4. Planet49 Case (CJEU, C-673/17): Pre-Ticked Boxes and Consent Validity
/wp:heading wp:paragraphThe Planet49 case before the Court of Justice of the EU (CJEU) examined whether pre-ticked boxes constitute valid consent for cookies used in promotional games and behavioral advertising.
/wp:paragraph wp:paragraphCJEU Ruling:
/wp:paragraph wp:list- Consent must be active, meaning pre-checked boxes do not suffice.
- The duration and third-party access of cookies must also be disclosed to the user in advance.
Legal Implications:
/wp:paragraph wp:list- Confirmed that both GDPR and ePrivacy require affirmative action and clear disclosure for lawful profiling.
Lesson:
Platforms must design consent interfaces that ensure clear user engagement, not passive or implied agreement.
Key Takeaways for Platforms and Ad Tech Operators
/wp:heading wp:paragraphConsent is central—and must be granular, informed, and revocable.
Profiling for targeted ads requires a valid legal basis, typically Article 6(1)(a) GDPR.
Transparency must be comprehensive: who processes the data, for what purposes, and for how long.
Joint controllership may apply—platforms and advertising partners may share responsibility for GDPR compliance.
Consent frameworks (e.g., CMPs, TCFs) must be auditable and enforceable across all recipients of user data.
Looking Ahead: The Role of the ePrivacy Regulation and DSA
/wp:heading wp:paragraphAs enforcement under GDPR intensifies, the future of profiling regulation will also be shaped by:
/wp:paragraph wp:list- The long-delayed ePrivacy Regulation, which may standardize consent rules across the EU.
- The Digital Services Act (DSA), which introduces obligations on transparency of online advertising and recommender systems—especially for Very Large Online Platforms (VLOPs).
Together, these frameworks will significantly affect targeted advertising models, particularly those reliant on real-time bidding, data brokering, or opaque personalization.
/wp:paragraph wp:headingConclusion
/wp:heading wp:paragraphProfiling and targeted advertising are no longer grey areas in EU privacy law. The courts and regulators are setting clear limits on how user data can be used, shared, and monetized—especially when it comes to behavioral targeting. Platforms and ad tech providers that fail to align with GDPR and ePrivacy standards face growing legal, financial, and reputational risks.
/wp:paragraphReady to leverage AI for your business?
Book a free strategy call — no strings attached.
