European Data protection authorities have said that pop-ups that appear on websites asking users to consent to data collection are in breach of GDPR rules and that the data collected in this way must now be deleted.
The Irish Council for Civil Liberties, who took the case against the practise, said it will stop the intimate details of people's online activities being passed around by thousands of companies.
Pop-up consent boxes have become a regular feature of web browsing since GDPR came into effect in May 2018.
The Irish Council for Civil Liberties was concerned about the type of data being collected when people clicked and gave consent.
It made a case to 28 European Data regulators against the practise and those authorities, led by the Belgian Data Protection Authority, have decided these pop-ups are in breach of GDPR and that the data they have obtained must be deleted.
Dr Johnny Ryan of the Irish Council for Civil Liberties described the decision as "momentous".
"The tracking industry, which operates behind the scenes on virtually every website and app, it turns out it was continuing to take our data and share it among thousands of companies," Dr Ryan said.
"It covered this with a kind of a legal veneer, a note to you that asked you to say okay to this, without knowing what you were saying okay to.
"Today's decision ends that regime and it means that you can no longer be subject to the kind of profiling that was happening behind your back".
Legal challenge considered
The Interactive Advertising Bureau (IAB) Europe, which is responsible for the majority of these pop-ups, says it acknowledges the data authorities' decision, but that it has grave reservations about the substance of that decision.
It said it is considering a legal challenge, but that it will work with the data protection authorities to come up with a plan to remedy the problems with the system within the next six months.
Experts in the data protection sector are still examining the implications of the findings. They say while it is unlikely to spell the end of consent pop-ups, there is likely to be changes to how these boxes collect data about users and what they can do with it.
Edoardo Celeste, Assistant Professor in Law, Technology and Innovation at the School of Law and Government of Dublin City University, said the decision was very significant.
"The decision is acknowledging that the transparency and consent framework is not in line with the GDPR. It also acknowledges claims that have been made over the past few years by major data protection and privacy activist," Mr Celeste said.
"The fact that this decision is directed to IAB, which is an organisation that encompasses among its members, major ad tech companies, is also extremely relevant, because its members as well will have to cooperate with IAB in order to bring their practices in line with the GDPR and European fundamental rights.
"The Belgian data protection supervisory authority made it clear that users should have a clear understanding of what they are consenting on."