London - Paris

Death of 3rd Party Cookies : Is Privacy Protection Possible For The Future AdTech In The EU ?

Death of 3rd Party Cookies : Is Privacy Protection Possible For The Future AdTech In The EU ?

Let’s talk about the future of the pervasive and privacy intrusive tracking from the AdTech industry.

Will a new system really better protect the right to privacy in the EU?

First, one should not forget that privacy in the EU is a fundamental human right protected by the Charter of Fundamental Rights of the European Union [1]

The AdTech industry has become a monster controlled by very large, and most of the time unknown to the general public, actors, advertising intermediaries and brokers, exchanging personal data on real time bidding platforms. The deals are made only in a fraction of seconds on these data  exchanges.

So what is programmatic advertising?

In its simplest form, programmatic advertising is the automated transaction of buying and selling advertising online.

It’s the process of using different platforms to sell inventory on publishing sites and on the advertising side, buying inventory and place ads on a publishers site. This is also sometimes referred to as programmatic marketing.“ [2]

How much an “average” user of a website knows about it when presented with complex and obscure consent panels from the Transparency and Control Framework developed by the IAB Europe [3] ? Most certainly nothing .

For more information on the new proposed IAB Europe TCF scheme under GDPR, read this study : “Purposes in IAB Europe’s TCF: which legal basis and how are they used by advertisers?“  [4]

To say the least, this scheme is not GDPR compliant in the sense that it does not provide the persons with a clear and comprehensible information to what and why they agree.

The presentation of legal basis of the processing is very confusing, it sometimes alternates between the legitimate interest and consent without making any sense.


An example from a French CNIL study  :

“ By automatically collecting this public data, the LINC has put a study online for each of these standards to understand how this ecosystem is structured, based on the 5,000 most visited French sites (Alexa ranking).

These studies reveal an ecosystem of around 620 advertising systems and more than 6,000 intermediaries selling advertising inventory, an ecosystem characterised by a high level of intermediation, thus multiplying the number of players with access to Internet users’ data.“[5]

Projection on the market size in the USA

2021: 87.5 % of the entire digital ad market of  $81 billion

2019  “Automation will account for $59.45 billion in ad dollars this year, or 84.9% of the US digital display ad market. Of that, two-thirds of those automated dollars will go to mobile. Nearly one of every two ad dollars goes to video.” [6]

From Outbrain Blog [7]

The automated selling of private information was developed in the USA in 2009 and since then, it has become a monster serving its own purpose more than the ones of the online publishers, one of the source of personal data collected from users, and of the persons who get served “personalised” ads that do not always help them to better consume .

For example: persons that have been classified as in low earnings get presented offers of loans to further push them in debt.


On obscure proprietary algorithms, AI  and criteria. I could not find a description of any of those.

The only indication of the extremely detailed information collected on individuals could be found for example in the Google Ad offer. Visiting the Google Ad support platform [8] shows the very detailed targeting offered to its clients.

Some AdTech actors claim that they have already switched to some sort of contextual targeting:

“ Interest Targeting: Target your audience based on their real interests, because our profiles are based on actual content consumption, not search or social sharing.“ [9]

One of the largest payer in the AdTech is Outbrain, it advertises on its website “Reaching 1.5B+ users each month requires the right targeting solutions”.


“Use Criteo Shopper Graph to find your customers online. Over 10,000 websites worldwide continuously share their data with us, allowing you to accurately target your shoppers across their devices.“ [10]

“We may associate Criteo identifiers on the basis of:

– our own association methods based on the data we already collect through our technologies;

– the data that may be transmitted to us by an Advertiser or Publisher in an optional and pseudonymised manner, such as your CRM identifiers and/or email addresses in hash and/or encrypted form;

– the associations that partners can send us, which they have obtained by using various methods that offer the same level of guarantee as ours in terms of respect for your privacy.“ [11]

 Where is my personal data in this maze? How could I possibly control what has been inferred on me, rightly or wrongly ? Do they control the legal basis of data obtained from partners ?


The current targeted advertising system hardly profits to the main users, the publishers.

“publishers are forced to participate in the uneven race for clicks and attention, sacrificing their readers’ privacy and – increasingly – the quality of the content they produce, only to hand as much as 70% of profits over to advertising middlemen at the end of the day.

Instead of the promise of thriving online publishing, the ad tech industry made publishers fight a war for survival.” [12]

The source of the personal data collected and inferred will rapidly change after Google announced the end of 3rd party cookies, tracking the users on websites most of the time without their informed knowledge.

 However, I do not believe any of the new systems will provide a better control to the users on their privacy .

Google remains all powerful in the advertising business [13]

“The next 12 months will see the industry prepare for Google Chrome withdrawing its support of third-party cookies, bringing it in line with the industry’s other leading web browsers.

Marketers will still be able to target audiences using first-party data, for instance, by serving ads in walled gardens such as Facebook or logged-in users on a publisher’s website.“

(…) “ what appears apparent is that 1:1 targeting using third-party data is soon to be a thing of the past.

Per Google’s documentation released thus far, contextual ads will soon be targeted using more nuanced means that target users based on cohorts “ [14]

It is basically a return to the way advertising was done before the RTB craze.

In the meantime, large data intermediary companies are sitting on a huge amount of information collected on us through  quite shady means, dark patterns are common in the collection of consent from websites.

The national Data Protection Authorities have been slow or inexistant up until recently  in defending the users rights under the E-Privacy directive. [15]

The scattered and sometimes lax enforcement  of the directive in the EU has certainly favoured the collection of consent to behavioural tracking on a large scale in the EU, at least until the GDPR went into application in 2018. [16]


Google and Amazon did not wait for the consent of the users, based in France, to attach ad cookies to their electronic device.

Contextual advertising is  concerned as well by the E-Directive when it uses location data for example (see § 129 to §131 of the decision on Google [18])

Moreover, the information given to the users based in France was not conform to the requirements of the French law implementing the E-Privacy directive [19]

Consent to tracking is  (should ) now be more difficult to obtain but there is still a lot of confusion on the side of publishers in the EU.

A study on e-privacy/ GDPR compliant way to obtain valid consent from users on websites points to 22 legal requirements [20]

As the ICO, the  UK Data Protection Authority, underlined:

“identifying a lawful basis for the processing of personal data in RTB remains challenging, as the scenarios where legitimate interests could apply are limited, and methods of obtaining consent are often insufficient in respect of data protection law requirements;

– the privacy notices provided to individuals lack clarity and do not give them full visibility of what happens to their data;

– the scale of the creation and sharing of personal data profiles in RTB appears disproportionate, intrusive and unfair, particularly when in many cases data subjects are unaware that this processing is taking place; “ [21]


One is amazed by the number of persona one can get included in.

The persons have no way to control or correct these classification made by proprietary machine learning and AI.

We do not know what these large data intermediary companies think they know about us and what they are selling about us.

“Google and IAB’s RTB systems have in fact been constructed in a way that makes it impossible to control data once it is shared on the ad exchange – neither by the publisher who shared it, much less by the user. This is a data breach that affects basically everyone that has ever used the Internet. The violations of other GDPR principles stem from this feature inherent to real-time bidding systems.“ [22]

This is unacceptable and contrary to every principle of transparency supposed to protect us from privacy invasion.


One could make a parallel with the move to imposed transparency on the parameters of ranking on large intermediary platforms offering a market place for business users.

The EU legal regime on consumer and business protection relies on the principle of transparency.

The EU Regulation (EU) 2019/1150 of the European Parliament and of the Council [23]  of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services and its guidelines [24] are supposed to impose the obligation on a platform like Google or Amazon  for example, to inform the businesses on the factors they use to rank their users:

Ranking  (…) can essentially be thought of as a form of data-driven, algorithmic decision-making. When providers present, organise or communicate information on goods or services for consumers or search results, they ‘rank’ results on the basis of certain parameters.”

“Providers design their ranking methods, including proprietary algorithms, in different ways. These approaches to ranking are frequently adapted and in general not disclosed. From the consumers’ perspective, the quality of search results may differentiate services and, therefore, the detailed functioning of ranking methods may be a provider’s competitive edge or trade secret (…) “ [25]

 Why not impose the right of the persons, at the source of all the data exchanged for digital advertising purpose, to access the parameters  used by the data hoarders…brokers and traders to classify them and to “feed“ them with what they are supposed to buy.

One should be allowed as well to correct or object the information inferred from one’s data.


In the recent proposal for Guidelines on the targeting of social media users [26], the EDPD recalls that:

“it would be difficult for controllers to justify using legitimate interests as a legal basis for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering”

“Even if the processing of personal data is based on consent of the data subject, this would not legitimize targeting which is disproportionate or unfair.“

The GDPR is not the only legal regime imposed on the AdTech activities in the EU,  at the moment the e-privacy Directive [27]  applies if cookies or any other tracking process like gif, pixels, plug in… are placed on the user’s electronic device.

They can mostly be placed on the users’ devices only with their consent (art 5-1) in case

of :

“the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user” [28]

new E-Privacy regulation was due to be adopted at the same time as the GDPR but, at of the time of writing, it seems to be constantly pushed back especially on the problem of the legal basis on which data could be processed.

The original text mentioned only GDPR like consent to collect data but the data industry is pushing for the legitimate interest basis [29], a much more vague and difficult to interpret in practice legal basis. So far, the data protection authorities have not strictly checked on the effective use of this basis in the AdTech industry.

When one sees the size and the interests of the companies with a business model based on the exchange of data, the economic stakes are very high.

There is a clear blockade against a GDPR-like consent to collect data through electronic transmission from natural persons, including all data from the Internet of Things (IOT), a huge market for data hoarders… intermediaries and platforms.



To evade the strict consent requirement of the GDPR and from the future E-privacy regulation, the AdTech industry is restructuring its offer.

Some researchers are positive that one can find a respectful way to collect and infer information on persons to sell them personalised advertising.

For an extensive study of alternative model of AdTech systems, I recommend reading for example the interesting study from the Electronic Frontier Foundation, “To track or not to track? Towards privacy-friendly and sustainable online advertising“ [30]

It seems that the return to contextual targeting would be “an actual win-win for all groups who should benefit from online advertising: users, publishers and advertisers.“ [31]

 However I am not sure that the data intermediaries and platforms  will let go their power that easily and will not fight like it is happening for the E-Privacy Regulation.

 I am a bit less enthusiastic on contextual tracking being outside the GDPR material application.

The contextual ad targeting needs often location data that are personal data under GDPR and e-privacy directive (and the future E-privacy Regulation)

What we look at during our browsing says a lot on us, with so many personal data already collected.

 I do not see any of the big player giving up a chance to cross all the information on individuals but in an even more proprietary way. (hence the term “walled garden“ used in advertising : “A Walled Garden is a closed ecosystem in which all the operations are controlled by the ecosystem operator. [32] “

Google Display Network uses this system[33] but I do not think that this is not tracking submitted to GDPR consent when I read this in Google’s information :

“While the Search Network can reach people when they’re already searching for specific good or services, the Display Network can help you capture someone’s attention earlier in the buying cycle.

You can put your ads in front of people before they start searching for what you offer, which can be key for your overall advertising strategy.

You can also remind people of what they’re interested in, as in the case of remarketing to people who’ve previously visited your site or app.“

This is still tracking from an electronic communication and it still concerns tastes , interests of persons.

 I do not see why it would not be classified as personal data under GDPR.

A lot of personal information can be inferred from this scheme and what about the collection of IP addresses, location, navigaton type?

“A user is less likely to feel they’re being followed around by an advertisement if it is related to the content they’re consuming at the moment. Even if the ad is following the user around, it’s much less evident when it fits contextually.“ [34]

 What ? I call this a dark pattern, a deception towards the users.

Old habits are hard to change…

The publishers’ responsibility is heightened since they are the one setting the parameters like topics or keywords.

“Contextual advertising eradicates the risk of discrimination and manipulation through data. This doesn’t mean that the content of the ad itself cannot be unfair or discriminatory. However, the fact that such ads are visible at a specific subpage regardless of who visits it, means that it should be easier for publishers to monitor them and for users to report them.“ [35]

 I doubt it


The AdTech environment will change but there is doubts that the changes will not profit the already installed, and very powerful on holding proprietary personal data, intermediaries and platforms.

Where is the persons’ power to influence or to check the data collected on them ?

Apart from a real informed consent, to which the advertising industry is resisting, I do not see any of those systems not resulting to tracking again and again the persons in stealth mode.

The future of the EU data policy is being decided at the moment.

The Data Governance Act [36] (to which data intermediaries for AdTech are excluded)

introduces a Data Altruism Consent Form [37] that the Commission should edit.

It will be interesting to see how this unified consent form (for personal data and non-personal data) will articulate  with the consent required under GDPR and the e-privacy consent for personal data processing .

[1] Art 7: Everyone has the right to respect for his or her private and family life, home and communications                                                   

[2] The ultimate guide to programmatic advertising .Bannerflow, accessed dec.8, 2020.

[3] Transparency & Consent Framework (TCF) v 2.0 ,  IAB Europe,

[4] Célestin Matte, Cristiana Santos, Nataliia Bielova. 7 mai 2020- Purposes in IAB Europe’s TCF: which legal basis and how are they used by advertisers?. APF 2020 – Annual Privacy Forum, Oct 2020, Lisbon, Portugal.pp.1-24. hal-02566891

[5] “Discover the advertising web with the !les Ads.txt and Sellers.json“ Benjamin Poilvé, Oct.2, 2020. LINC- CNIL   

[6] “US Programmatic Ad Spending Forecast 2019” Lauren Fisher – eMarketer Insider Intelligence – April 25, 2019 –

[7] “What is Programmatic Advertising?“- Moran Brayer- Feb.3, 2020- blog Outbrain

[8] Your guide to Google Ads – accessed Dec.9, 2020-,3181080,3126923,&visit_id=637431033948351524-3931166758&rd=1

[9]  “ Find Your Audience Reach your most valuable customers on the world’s largest native network.” Outbrain – accessed Dec.8, 2020 –

[10] Criteo website accessed dec.8, 2020

[11] Ibid. “What are the methods used by Criteo to associate identifiers? “

[12] “The ePrivacy saga: the false choice between privacy and funding online publishing“, Karolina Iwańska, dec.7, 2020, Euractiv.

[13]  “Google is now blocking the ads publishers sell if they don’t meet Google’s standards “ Joshua Benton- NiemanLab – Dec.7, 2020 –

[14] “Ad Tech and Privacy Lingo for Navigating a Post-Cookie World” Ronan Shields, Adweek, dec.8, 2020.

[15] DIRECTIVE 2002/58/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

[16] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

[17] Délibération SAN-2020-013 du 7 décembre 2020, CNIL , Délibération de la formation restreinte no SAN-2020-013 du 7 décembre 2020 concernant la société AMAZON EUROPE CORE-

Délibération SAN-2020-012 du 7 décembre 2020, CNIL, Délibération de la formation restreinte no SAN-2020-012 du 7 décembre 2020 concernant les sociétés GOOGLE LLC et GOOGLE IRELAND LIMITED-

[18] Ibid. délibération GOOGLE

[19] Loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés, mise à jour le 01 janvier 2020,

[20] See table 6 p 100 of this paper for a description of the requirements “Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners“  Cristiana Santos, Nataliia Bielova and Célestin Matte, Technology and Regulation, 1-12- 2020

[21] “Update report into adtech and real time bidding“  ICO –  20 Jun 2019 – underlining by the author –

[22] “To track or not to track? Towards privacy-friendly and sustainable online advertising“ – Karolina Iwańska

Panoptykon Foundation- November 25,  2020-


[24]  European Commission- “ Guidelines on ranking transparency pursuant to Regulation (EU) 2019/1150 of the European Parliament and of the Council“

[25]  Ibid. §13

[26] Guidelines 8/2020 on the targeting of social media users Version 1.0 – Adopted on 2 September 2020 for public consultation

[27] DIRECTIVE 2002/58/EC, op.cit. note 15

[28] Ibid. art 5-3

[29] Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, ARTICLE 29 DATA PROTECTION WORKING PARTY. Adopted on 9 April 2014

[30] “To track or not to track? Towards privacy-friendly and sustainable online advertising“ – Karolina Iwańska

Panoptykon Foundation- November 25,  2020-

[31] Ibid. page 32

[32]  “What is a Walled Garden? And why it is the strategy of Google, Facebook and Amazon Ads platform?“ Pierre de Poulpiquet .Medium,  Nov.3, 2017

[33] Google Display Network

[34] “Contextual Advertising 101: How it Works, Benefits & Why It’s Necessary for Relevant Ads“ ted Vrountas- Instapage blog – March 18, 2020 –

[35] Ibid.

[36] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on European data governance (Data Governance Act), 25 November 2020

[37] Ibid. Art 22

Marie-Claire PEROUX LLM is a French jurist specialised in EU Law.

I have always been passionate about privacy protection.
I help SMEs to understand and comply with GDPR and the EU privacy protection regime.
I publish a blog to inform entrepreneurs, MementoSafe, 

Photo kindly provided by Marie-Claire PEROUX ©