THE BOTTOM LINE
- Privacy-Tech Gets a Green Light: Businesses offering privacy-enhancing tools, like browsers that block third-party cookies by default, have received a significant legal endorsement, solidifying their market position and business model.
- Accelerated Shift for Advertisers: Digital advertisers and publishers must accelerate their transition away from third-party cookies. Relying on them for user tracking and ad targeting is now legally and commercially riskier.
- User Control Is King: This opinion signals that tools empowering users to control their data will likely be upheld by EU courts, even if they disrupt established business models in the advertising sector.
THE DETAILS
The dispute, brought before the Court of Justice of the European Union (the EU’s highest court), pitted the digital advertising industry against the developer of a web browser that blocks third-party cookies by default. The advertising lobby, IAB Europe, argued that automatically blocking these tracking tools amounted to an act of unfair competition and the illicit circumvention of a “technological measure,” effectively likening it to breaking digital locks on copyrighted content. This case asked a fundamental question: is a tool designed to protect user privacy an illegal instrument that undermines the ad-tech ecosystem?
In his highly influential opinion, Advocate General Szpunar firmly rejected the ad industry’s arguments. He reasoned that cookies are not the kind of technological protection measure that EU copyright law is designed to safeguard. That law aims to prevent the piracy of creative works (like movies or software) by outlawing tools that break digital rights management (DRM). Cookies, the AG clarified, are merely text files placed on a user’s device to store information for tracking and advertising purposes; they do not control access to copyrighted content. Therefore, a browser that blocks them isn’t engaging in illicit circumvention.
Furthermore, the Advocate General flipped the argument on its head by referencing the EU’s ePrivacy rules. He noted that EU law requires user consent before cookies can be placed on a device. From this perspective, a browser that blocks them by default is not an illegal tool but rather a mechanism that helps users exercise their legal right to privacy. It facilitates compliance with the law’s consent requirements, empowering users to decide what, if any, tracking they will allow. This positions privacy-by-default settings not as a market disruption, but as a pro-compliance feature that aligns with the broader direction of EU data protection law.
Source: Court of Justice of the European Union
