EU Court Rules Consent Data Is Personal

The most revealing detail is not that websites track users. It is that the strings that record whether a person agreed to be tracked now qualify as personal data. On March 7, 2024, the Court of Justice of the European Union ruled that TC Strings, which store user consent preferences, qualify as personal data, placing the record of consent inside the same regulatory perimeter as the information consent was meant to govern. The ruling directly affects the Transparency and Consent Framework, the system that sits beneath much of Europe's digital advertising market.

That framework was never designed as a legal afterthought. The IAB Transparency and Consent Framework supports publishers, advertisers and technology vendors in meeting the transparency and user consent requirements established by GDPR. It is designed to standardize the process of obtaining consent from website users to collect and process personal data, and has been managed by the IAB Tech Lab since its first release in April 2018. The architecture emerged as Europe tightened privacy law: the IAB Tech Lab developed the framework in collaboration with IAB Europe in preparation for GDPR enforcement in May 2018. Consent became infrastructure.

The institutions behind that infrastructure are explicit about their purpose. IAB Europe is the European-level association for the digital marketing and advertising ecosystem. Through national IABs and companies across media, technology and marketing, its mission is to lead political representation and promote industry collaboration, delivering standards and programmes that enable businesses to thrive in the European market. Across the Atlantic, the Interactive Advertising Bureau is a global business organization for online advertisers and marketers. It has more than 650 members, and develops industry standards, best practices, research and legal support. The market did not inherit these rules. It built them.

Infrastructure built for privacy becomes subject to privacy

The mechanics those rules govern are pervasive. Browsing data and other information are collected through cookies, pixels, fingerprinting, web storage and scripts. Websites and apps use different technologies to collect information about what people do online, and may track online activity with a cookie or pixel even after a user leaves a site. Some companies go further: privacy policies describe actively scanning device characteristics for identification. At the same time, companies, service providers, advertising partners and 186 IAB partners store and access information on devices with user consent to improve experiences, personalize content and analyse traffic, while reserving the right to access and store information without consent when necessary to provide services and ensure security. Consent is not a single click. It is a chain of permissions attached to a chain of technologies.

The business case for that chain is straightforward. McKinsey asked 60 shoppers to create mobile diaries of personalized interactions with brands over two weeks. They produced more than 2,000 entries. Among the findings, customers said they wanted relevant recommendations they would not have thought of themselves. One common personalization practice is reminding shoppers of items they viewed but did not buy. Companies also watch for dissatisfaction: a customer may abandon a purchase and later leave a negative review on a third-party site. Brands can be the first to know, and send a personalized offer that encourages the customer to return. The more continuous the data, the more specific the intervention.

The record of consent now carries obligations of its own

That commercial logic now collides with the legal status of the mechanism that authorizes it. If the consent record itself is personal data, then the infrastructure that circulates consent acquires obligations that once attached primarily to the data being collected. The court's ruling means TC Strings must be protected to the same standards as other forms of personal data. The response has already begun: a new consent category called Special Purpose 3 has been introduced to further safeguard and manage user privacy choices.

The uncomfortable fact is that the digital advertising industry spent years treating consent as the solution to privacy, only to discover that consent has become another object requiring protection. The organizations that built the standards still exist to help businesses thrive, the technologies that track users still operate across websites and apps, and consumers still reward personalization. But the record that says "yes" now carries obligations of its own. The system has not lost legitimacy. It has lost the assumption that the infrastructure of privacy stands outside privacy law.