The consent you never really gave: cookie pop-ups ruled unlawful under GDPR
An EU appeals court has confirmed in a ruling that a mechanism called the Transparency and Consent Framework (TCF) — which enables tracking and, consequently, tracking-based online advertising — is not compatible with the cornerstone of Europe’s data protection law: the GDPR (General Data Protection Regulation).
In passing the ruling, the court affirmed the position taken by the Belgian Data Protection Authority, which had reached the same conclusion on the legality of the TCF back in 2022.
On paper, at least, this looks like a big win for privacy, privacy advocates, users, and privacy-focused services like AdGuard. And while the ruling only applies to the EU, it’s still a positive development.
It remains to be seen how it will affect Big Tech companies, such as Google, Amazon, Microsoft, Adobe, and Meta, that are responsible for the lion’s share of such tracking. The Interactive Advertising Bureau (IAB), which created TCF, will have to pay a fine and make changes to it. European regulators will oversee these changes.
Why it matters to you
It may sound like a bunch of legalese removed from reality, but it's not. This matters to regular people because they interact with this system daily, unbeknownst to them. This system powers those annoying cookie consent pop-ups that (in a veiled way) ask for permission to track users. The new ruling effectively means that this model doesn’t cut it anymore.
Will the consent cookie notice disappear and be replaced with something else? Will the system undergo fundamental changes, or will only the wording be tweaked? We’ll find out once the rulings begin to take effect. In the meantime, we’ll continue blocking pop-up cookie notices for AdGuard users — as long as it doesn’t break the site. And if blocking the notice does cause issues, we’ll implement alternative techniques to ensure that tracking around the cookie consent process is kept to a minimum.
How AdGuard handles cookie pop-ups
At AdGuard, we’ve had a dedicated Cookie Notices filter for quite a while, and we’ve been blocking cookie dialogs from various Consent Management Platforms (CMPs) — tools that help websites collect and manage user consent — according to our filter policy.
This filter is designed to block both the cookie pop-ups and the underlying CMP requests. In most cases, it’s enough to simply block or hide the relevant scripts. But in more complex situations, for example, when a site does not show content unless a consent decision is made, we apply more advanced techniques:
- Using scriptlets to bypass the request,
- Setting cookies or localStorage keys to simulate a choice, or
- Simulating user interaction — like clicking the “Reject” button (our preferred option) or “Accept” (only as a last resort).
Whenever we do simulate a choice, especially “Accept,” we make sure to block any analytics scripts loaded as a result, using our Tracking Protection filter.
Here’s how our CTO and AdGuard co-founder, Andrey Meshkov, sees the ruling and its implications:
Our point has always been this: even if a cookie dialog does appear, AdGuard users are clearly choosing to protect themselves from tracking, for example, by enabling the Tracking Protection filter. So even when we let a dialog load, we don’t allow tracking to happen. Either we automatically deny consent, or we block the trackers outright. From our perspective, this approach has always been technically sound and compliant.That said, we’ve long been concerned about the fact that CMP platforms often track user behavior around the consent process itself — even before consent is given.Now that it’s been confirmed that the current TCF framework doesn’t meet GDPR standards, we believe websites should start treating blocking a CMP as a valid and clear signal that the user is refusing consent. We hope this ruling makes it easier and safer for users to manage their consent without having to navigate confusing or manipulative pop-ups every time they go online.
