European regulators have dealt a blow to one of the digital ad industry’s most vocal advocates, the Interactive Advertising Bureau, declaring that its privacy measures which are meant to safeguard consumer data don’t pass legal muster. The ruling out of Europe on Friday was a significant rebuttal of practices set up by IAB Europe and threatens to undermine the way digital advertising is conducted, not only overseas but in the U.S., according to industry watchers.

The EU regulators said they “found serious GDPR infringements in the system Google and others use to legitimize online tracking,” according to the announcement of findings against the IAB.

Later Friday, IAB Europe CEO Townsend Feehan responded in a blog post that characterized the ruling as a “preliminary” view with “no binding effect.” IAB Europe disputed the findings. “We respectfully disagree with the APD’s apparent interpretation of the law,” Feehan’s post said. (APD is the Belgian data protection authority.)

“If upheld, the APD’s interpretation would have a chilling effect on the development of open-source compliance standards that serve to support industry players and protect consumers,” the post said.

The decision calls into question the IAB’s ability to design frameworks for internet advertising that satisfy the regulators enforcing recent laws like the EU’s General Data Protection Regulation, which was implemented in 2018. The U.S. has seen similar laws emerge, like the California Consumer Privacy Act. The new laws are trying to establish clearer rules about the types of data that companies can collect, and make companies get consent from consumers to use that data.

Consumers have seen the changes, especially on websites, where they see more notices from companies requesting permission to track their online behavior. The EU’s ruling found that the IAB’s solution for getting permission, which was widely adopted, including by Google, does not meet legal standards.

Johnny Ryan, a privacy advocate in the EU, has been among those leading the charge and has criticized the process of data-backed, programmatic online advertising. Critics claim that “real-time bidding,” where internet ads are auctioned off and rely on swapping massive amount of user data, breaks the law under GDPR.

“This has major implications for real-time bidding,” Ryan said in a phone interview, regarding Friday’s ruling.

Ryan points to examples of personal data being used in real-time bidding to place ads on suspicious websites, relying on sensitive sexual orientation and health data. Top publishers in Europe and the U.S. are concerned about the world of programmatic advertising, too, where data about their audiences is sometimes traded, giving advertisers the ability to reach their viewers elsewhere at lower prices, devaluing the main publisher’s inventory.

Proponents of the open web and targeted advertising argue that harsh restrictions will ultimately hurt the online ad marketplace. Both Google and Facebook have emerged as defenders of the open web ad market, and say that without tools that enable some forms of tracking, the price of ads go down, ultimately harming publishers.

Facebook and Google are adopting new measures within their ad platforms that try to comply with new regulations, giving more controls to users to understand how data is used, but also maintaining the efficiency of digital ads.

The IAB is trying to develop practices that could be adopted throughout the industry. In February, through IAB Tech Lab, the organization launched Project Rearc to come up with new ways of handling online ad inventory.

The ruling from the EU could diminish confidence in IAB’s ability to navigate the waters, according to one ad tech industry executive, who spoke on condition of anonymity. “You look to IAB to build those standards for the entire industry, so if it’s not compliant, obviously, it’s alarming,” the executive says.

The IAB was not immediately available to respond to the EU’s ruling.

The EU’s finding against IAB came from the Belgian Data Protection Authority, which is forwarding the decision to a litigation body to take up the case early next year.

“The industry has been too focused on trying to protect incumbent ad tech interests, especially those that dominate today’s ad marketplace, at the expense of consumer trust,” says Jason Kint, CEO of Digital Content Next, a publisher advocacy group. “They clearly can’t, and shouldn’t, speak for publishers, which enjoy and thrive on direct and trusted relationships with consumers.”