ECJ ruling: Cookies and GDPR – Who has to give consent now?

ECJ ruling: Cookies and GDPR – Who has to give consent now?

On May 30, 2025, the focus will be on data protection and the processing of personal data, especially in the context of personalized advertising. The European Court of Justice (ECJ) recently made a decisive ruling that clarifies the requirements for obtaining user consent when processing this data. The judgment (ref. C-604/22), which is based on a preliminary ruling from a Belgian court, clarified that consent is mandatory before displaying personalized advertising.

The court ruled that the “TC string,” an updated standard for storing and transmitting user data, counts as personal data within the meaning of the General Data Protection Regulation (GDPR). This classification means that the TC string can potentially reveal the identity of the user and is therefore subject to the strict requirements of the GDPR. According to the ruling, advertising companies such as the Interactive Advertising Bureau Europe (IAB) must ensure that they obtain users' consent to collect and process their data.

Data storage technologies

The use of partner cookies and similar online identifiers is already widespread. These technologies make it possible to store or read information such as browser type, language, screen size and supported technologies on end devices. This data is then used to deliver targeted advertising. For example, a car manufacturer could specifically advertise electric vehicles to urban users after 6:30 p.m.

Such advertising measures are often based on user profiles that are created from previously collected behavior on the respective platform. An example of this is an online retailer that specifically shows advertising for running shoes to users who have previously searched for these products. In addition, information about interactions with advertising is used to measure advertising performance and improve the relevance of the content.

Responsibility of advertising companies

The ECJ ruling makes it clear that companies that process personal data, such as the IAB, are classified as “controllers” within the meaning of the GDPR. This means that they must decide on the purposes and means of data processing. Failure to comply can result in measures and fines, as recently imposed by the Belgian Data Protection Authority against the IAB.

In digital advertising, it is crucial that users are not only informed, but can also actively object to the collection and processing of their data. The data collected can include everything from location and age to search history and purchases made, highlighting the complexity of the topic.

In order to comply with the requirements of the GDPR, the IAB has developed the “Transparency and Consent Framework” (TCF). This platform makes it easier to obtain the necessary consent for data processing and ensures that the rights of users are respected. This also creates the basis for, for example, carrying out anonymized evaluations to improve products and offers.

Overall, the current discussion about advertising, data protection requirements and the role of those responsible shows how important it is to deal transparently with user data while at the same time meeting legal requirements. A close link between advertising and data protection is more necessary than ever in order to gain and maintain user trust in the long term.