Anyone who agrees to cookies on websites is disclosing personal information about themselves. The ECJ ruled that the previous collection of this data for advertising purposes violated data protection.
Anyone who surfs the Internet knows this: a cookie banner opens and then you have to click to remove the annoying banner. Either “agree” or “reject”, a new page often opens where you can determine exactly which information can be processed and how. But many people don’t know what happens next.
The clicks are used to create a so-called TC string, a long identifier made up of many letters and numbers. This identifier, among other things, can be used to identify whoever is surfing. Where the person is, how old they are, what they have recently searched for online and what they recently bought.
Data auctioned using real-time bidding
Using this identifier, advertising is then displayed on the website at lightning speed. The open spaces on the site are auctioned using the so-called real-time bidding process, i.e. in a real-time auction. And while the page is being built, the appropriate advertising for the respective user appears.
For law professor Indra Spiecker, it’s a very tailor-made system: “It’s tailored exactly to you, to the group you belong to. That’s why you get different offers than your neighbor, your husband, your children, friends and so on.”
This whole system in Europe is managed by an association based in Belgium called IAB (Interactive Advertising Bureau) Europe. Its members are primarily companies in the digital advertising and marketing industry, such as publishers and e-commerce companies that earn money by selling advertising space on websites.
ECJ strengthens the view of data protection officers
Now the Belgian data protection authority did not agree with the system and imposed a fine of 250,000 euros. The association sued against it and the European Court of Justice in Luxembourg, as the highest EU court, had to decide on it. The ECJ confirms the data protection advocates’ view: Yes, personal data would be collected here despite the packaging in a long TC string with many letters and numbers.
For law professor Spieker, it is logical that the encryption system does not convince the European judges: “It can’t really be any other way, because you want to know which user I’m sending my product to? And that’s what you want “We just know what the user is like”.
User data collection doesn’t continue like this in Europe
The legal dispute is not yet over. Following instructions from Luxembourg, the Belgian courts must examine more closely whether the advertising industry association is really responsible. But the European judges have given clear guidelines. Such monitoring of Internet users must be closely examined by the courts. “The core message is that we will not allow users to become and remain manipulated with the help of technology. And that is a very central message,” says Spieker.
Even if the legal proceedings have not yet been finally concluded, it now seems very obvious that the current recording of Internet users cannot continue. The industry would probably already have to think about how it can place advertising in another way that is as targeted as possible.
Tailored messages for users during election campaigns
Incidentally, the ECJ ruling is not only important for purely commercial sales. Tailor-made messages are already being distributed to users for political election campaigns. This decision will also make it more difficult to record the political attitudes and preferences of Internet users.
Gigi Deppe, SWR, tagesschau, March 7, 2024 4:11 p.m