A landmark year for digital privacy

By Rickard Lawson Feb 21, 2022

Tags Google Analytics , featured , thought leadership , privacy

Reading 3 min

For digital marketers, 2022 has started off with a series of BIG news! 

"I agree” now means nothing

In a landmark ruling, the Belgian DPA ruled that the IAB (the Advertising Industry’s own organization) standard “TCF” was unlawful. TCF (or Transparency and Consent Framework) claimed to be “the only GDPR consent solution built by the industry for the industry, creating a true industry-standard approach” and is basically why every website you open starts with a consent form and the button “I agree”. The ruling in Belgium proved that the form itself is a sham and if you “agree” or not has no impact - your data is still being harvested and resold.

Google, Facebook and Microsoft - all illegal

The second big news was the Austrian ruling that common web tools like Google Analytics and Facebook pixels are illegal under EU law. 

Austria’s data protection authorities determined that using Google Analytics on European websites is prohibited. This is the consequence of a EU verdict known as “Schrems II”.  Max Schrems, the lawyer who successfully sued Facebook for violating European people’s privacy won another case back in 2020, this time against Google. His organization NOYB (None Of Your Business) successfully argued that these services were a clear violation of the European GDPR because they enabled the transfer of data to the US, and thus exposed European residents’ data to American mass surveillance. 

What's going on here?

The problem with companies the size of Google and Facebook is that they are beyond the regulatory reach of any single country. Their scope and tempo of innovation outpaces the regulatory bodies and courts, and what we are seeing now is the legislative version of playing Catch Up with the tech giants. The industry's attempts to "fix" the problem is a failure and flies in the face of consumers who unknowingly click "I agree" to something no one actually agrees to.

Privacy legislation like the GDPR is part of a trend from regulators that clearly point in one direction: Digital privacy is a basic human right. No company should have access to data about what you do online when you are not on their site. There is no question about the direction: increased focus on digital privacy is on the rise.  The question big tech is asking is “how much longer can we get away with monetizing personal data?”. The answer: not much longer!

The EU is coordinating their regulatory efforts, and that means that a ruling in Belgium, Austria or Norway impacts all of the EU countries. If Google Analytics is illegal in one EU country, the same is true for the rest of the union.

What does this mean for me?

Put simply: If your website uses tools like Google Analytics you are breaking the law. This leaves you with three simple options:

  1. Do nothing.
    There are multiple cases being brought forward by regulators across Europe against different companies, big and small. These will serve as precedent for practice in different markets and dictate how breaches will be punished. One example is the Norwegian Consumer Council fining the dating app Grindr close to 10 million Euro. Doing nothing exposes you to the liability of future sanctions. You should ask yourself “Is the value of me sending data to Google or Facebook worth the risk” if you choose to look the other way.

  2. Wait for Google or Facebook to fix the problem.
    It’s fair to assume that the value of the EU market is so great that the tech giants will sort this out  tout de suite, but this plan is flawed. The regulatory issue is between countries, not companies. In other words, the Schrems II case rests on interpretation of the “contract” between the European Union and the United States (known, ironically, as “Privacy Shield”). Waiting for international alignment of regulatory bodies is truly the long game for patient players! Meanwhile, the risk of liability remains open.

  3. Do something.
    Replacing Google Analytics and tracking pixels on your website is ABSOLUTELY within the reach of companies that want to ensure they are compliant and actually respectful of their customers' privacy. Digital marketing existed and thrived long before tracking pixels became ubiquitous and will continue to do so long after their demise.  A number of GDPR compliant analytical tools already exist and more will come. If the answer to the question above (“Is the value of me sending data to Google or Facebook worth the risk”) is “NO”. Then the cost of eliminating this liability is about 10 EUR per month. 


If you choose to take action, the outcome should be improved focus on online privacy for your customers and reduced liability for your company. The decision process should be simple.

More to come

2022 is shaping up to be a(-nother) big year for digital privacy. It’s the end-of-the-beginning-of-the-end for third party cookies, the skepticism to open RTB advertising increases and is replaced by brand-safety focused private deals, increase in non-intrusive advertising like native Ads continues and privacy safe targeting like contextual is surging. 

There is no reason to expect less turbulence in 2022 and all the more reason to make sure you are paying attention to the changes in technology and legislation. 

We are all consumers, so remember this simple rule of thumb: If you yourself are NOT OK with being subjected to the practices your company uses to sell its services, then chances are: neither are your customers.

Good luck!

If you have questions about how to check your website, change your marketing practices or want to learn how you can go from PUSH to PULL marketing - click here:

Contact Strossle