When YouTube detects an ad blocker or other privacy tool that blocks ads as part of its functions, you’ll see a warning stating that “Ad blockers violate YouTube’s Terms of Service” or “Ad blockers are not allowed on YouTube.” There are a few different versions of this message, including some that entirely prevent you from playing videos and others that allow you to view a number of videos with your blocker enabled before streaming is blocked.

A pop-up asking you to turn off your ad blocker is hardly an unusual sight on the internet, but could it be against the law?

All versions of YouTube’s ad blocker detection that WIRED is aware of use a JavaScript program that runs in the client browser, although YouTube says that it could use non-invasive server-side methods to identify if a video ad served to a user has not been played.

Hanff’s complaint claims that YouTube’s client-side detection code meets the description, in Article 5(3) of the ePrivacy directive 2002/58/EC, of a process used to “gain access to information stored in the terminal equipment of a subscriber or user.” If that’s the case, the user must be provided with “clear and comprehensive information” about what this information will be used for and given the “right to refuse such processing.”

You’ll be familiar with this process from the cookie consent forms that appear whenever a website wishes to capture non-essential information about you and your browser. Right now, neither an explicit notification nor an opt-out are displayed when YouTube obtains data about whether ad blocking tools may be active on your device or network connection.

YouTube representative Christopher Lawton tells WIRED that “ads support a diverse ecosystem of creators globally and allow billions to access their favorite content on YouTube. The use of ad blockers violate[s] YouTube’s Terms of Service.”

YouTube’s current terms, last updated on January 5, 2022, don’t explicitly mention the use of ad blocking tools, nor any detection measures, although a Permissions and Restrictions clause that forbids user activity to “circumvent, disable, fraudulently engage, or otherwise interfere with the Service” could be read as covering this scenario.

But Hanff, who holds an advanced master of laws in privacy, cybersecurity and data management from Maastricht University, maintains that, “under EU Consumer Protection Law, you’re not legally allowed to enforce any terms in the contract which infringe on the fundamental rights and freedoms of an EU resident.” The reason cookie consent forms are so intrusive is because consent for device access can’t be bundled up with other terms and conditions.