Recently, Google and Apple have changed their policy for targeted online advertising. Privacy-conscious users have been switching to alternatives for years, however, completely avoiding being tracked by online tech giants is virtually impossible. Nevertheless, the online ad industry has grown tremendously in the last decade, and targeted behavioural advertising has become ubiquitous in the online world. Therefore, the new DMA/DSA package aims for more transparency when it comes to online advertising. At the same time, it leaves room for potential individual competition law enforcement in the targeted online ad world.
Targeted Online Advertising – How Does it Work?
Targeted online advertising is at the core of the business model of many digital companies. Technologies used to track users online mainly include “cookies”, a small text file downloaded and stored onto the user’s computer or smartphone when the user accesses a website. It allows the website to identify that user’s device and record their preferences but also their actions. It is essential to make the distinction between first- and third-party cookies. First-party cookies are stored directly by the website the user is visiting. Some are necessary to remember the language settings or the items placed into a shopping cart, while others collect analytics data. In contrast, as the name suggests, third-party cookies are generated by domains other than the website visited and are used to track users across websites, retargeting, and serving ads.
In its 2020 notice on digital advertising markets, the OECD described many other methods, such as tracking log-ins or IP addresses, tracking pixels, or device fingerprinting. Big data analysis and AI technology, particularly automatic decision-making, have substantially facilitated and advanced the collection and analysis of people’s online behaviour in real-time. Predictive analytics, for example, uses AI and machine learning to predict future behaviour and is heavily used in online targeted advertising.
Recent Policy Changes of GAFAs – Who is on Board and Who is Not?
Several GAFAs have recently changed their policies regarding targeted online advertising, particularly regarding individual tracking.
A recent change in Google’s targeted ad policy made headlines. In January 2020, Google, the most significant digital ad company in the world, announced it would gradually phase out the – previously been described as fundamental – third-party cookies from the Chrome browser with the so-called Privacy Sandbox (which itself might create other competition law problems according to the press release accompanying the recently-opened investigation by the CMA).
On March 3, 2021, Google reiterated its alleged commitment. Google specifically declared that: “Today, we’re making explicit that once third-party cookies are phased out, we will not build alternate identifiers to track individuals as they browse across the web, nor will we use them in our products“. The company also explicitly rejected other discussed individual-tracking alternatives based on email addresses due to the lack of a sustainable future for such a technology.
Instead, the Privacy Sandbox relies on tracking for publishers and marketers only on a group level, something Google refers to as “FLoCs” for federated learning of cohorts. Based on “privacy-preserving APIs” (as named by Google), this technology works to analyse personal web browsing history in the browser itself without sending the individual information outside. The individual is assigned in the web browser to a specific cohort. For example, the cohort constituted of users visiting real-estate websites gets targeted as a whole instead of users being targeted on a specific basis. In the end, this technology will still allow advertisers to show ads that are relatively targeted.
It is important to stress that Google’s changed policy is only aimed at cross-website tracking. First-party cookies or other types of tracking methods were not part of Google’s announcement. Furthermore, Google’s recent announcement only applies to its web service and not its various apps. Also, Google is not the first company to restrict third-party cookies; Apple’s web browser Safari and Firefox developed by Mozilla have already blocked those cookies. The impact of those changes had so far been limited since both browsers have a market share much smaller than the Chrome browser.
This is different when it comes to Apple’s recent policy change. Last year, Apple announced that it would require all apps to receive opt-in permission from users to access the iPhone unique advertising identifier (called IDFA for “identifier for advertisers”). This IDFA is a unique identifier for mobile devices and is used to target and measure advertising effectiveness on a user level. Until the recent policy change, the use of the IDFA was permitted unless the user specifically opted out. Through the IDFA, the user is tracked across websites and apps, thereby improving targeted ads’ relevance. The new mechanism, referred to as “ATT” for App Tracking Transparency, will work on an explicit opt-in basis.
Some are not so happy about this change. Facebook, for example, was very critical of Apple’s policy change and wants to continue to rely on targeted advertising heavily. The social media platform also launched a new ad campaign to convince iPhone users to enable ad tracking across apps. Several associations representing various online advertising players even went to the French Autorité de la Concurrence and requested interim measures against Apple, which the Autorité ultimately rejected – more on that in a minute.
While many other advertising companies, social media platforms, and other tech companies would like to continue using targeted advertising, we also see the emergence of companies wholly relying on ad-free or privacy-friendly business models. Discord (a VoIP and instant messaging platform), for example, has grown a lot in popularity without relying on advertising at all. Instead, the platform relies on a “freemium” model where revenues are generated from subscriptions, much like other digital companies like Spotify or Netflix (which only offers a paid service). We also see the emergence of services generating their revenues from ads while respecting users’ privacy, such as DuckDuckGo or Qwant, two rivals to Google Search.
We can clearly see that the market is gradually evolving and considers users’ desires for more privacy online. Yet, targeted advertising is still part of the business model of the current market leaders in various degrees.
Targeted Online Advertising and the DSA/DMA Package – Focus On Transparency
When it comes to targeted online advertising, the DSA/DMA package’s focus is to bring more transparency. The package does not seek to ban or curb targeted advertising per se. In fact Google and Apple’s new policies have a more radical take on targeted advertising than the proposed DMA/DSA rules as both companies (drastically) limit user tracking on alleged privacy grounds.
The DMA and online advertising
In the core of the Digital Markets Act proposal (DMA), online advertising is mentioned in Article 5(g), requiring that gatekeepers provide advertisers and publishers, upon their request, with the price paid for the ads and the remuneration paid to the publisher. This provision aims to promote (price) transparency in the online advertising markets, and the primary beneficiaries of this provision are publishers and advertisers, not end-users. In addition, Article 6(1)(g) requires gatekeepers to provide advertisers and publishers access (for free) to the ad performance measuring tools of the gatekeepers so they can do an independent check of the ad inventory. Furthermore, Article 5(a) prohibits data combination unless the company gets user consent. This provision could have an effect on online advertising since it restricts the ability of the gatekeeper to build profiles it can exploit via personalised advertising.
In its current form, the DMA proposal is not intended to regulate the online targeted advertising market. With only transparency objectives, it is also far from deciding whether to prohibit the entire practice or not based on its societal costs and impacts. This results from the DMA’s priority, which is to restore market contestability and fairness; hence its current focus is on business users to the detriment of end-users (i.e. consumers) which are not sufficiently mentioned in the proposal.
The DSA and online advertising
Regarding specifically online advertising, the Digital Services Act (DSA) primarily aims to promote transparency rather than strictly regulate the practice. Without going into details, Article 24 requires online platforms to ensure that the recipient of the service (meaning the final users) can identify that the information is, in fact, an ad, who is behind that ad, and what were the criteria used to determine the selection of the ad displayed. Article 30 only applies to very large online platforms (VLOP) (defined in Article 25(1)) and requires that very large online platforms that display advertisements on their websites must maintain for one year a repository of all the ads displayed.
The impact of the current DSA proposal on the online targeted ad market is arguably limited since it only imposes an obligation to inform end-users about the ad and, for VLOP, to maintain an online repository. The proposal does not question the online-targeted-ads business model. It limits itself to asking for more openness and hopes that external entities such as researchers will better use these new repositories better to understand the impact of targeted ads and the risks. Aside from these two articles imposing new and much-needed transparency obligations, the DSA ignores behavioural and micro-targeted advertising’s growing issues.
Room for Improvement and Individual Competition Enforcement?
As described above, the online ad industry has grown tremendously in the last decade, and targeted behavioural advertising has become ubiquitous in the online world. Some have expressed scepticism regarding the limited impacts, particularly of the DSA, on the online advertising markets. In its March 2021 opinion on the DSA, the European Data Protection Supervisor (EDPS) called for “a phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking” (emphasis added). Such a proposal is much more ambitious than what is currently included in the DSA proposal and goes much further than the current simple information and transparency obligations. From our understanding of its opinion on the DSA, the EDPS’ suggestion would apply only to online behavioural advertising, which tracks users extensively and insidiously around the web. Online platforms would still be able to display ads; however, they would be targeted at a general group of users (this is what Google refers to as a “cohort”) instead of micro-targeted.
While individual enforcement of targeted advertising policies has primarily been discussed from a data protection point of view, competition law may also have a role to play. Many of the digital giants hold substantial market power in different online advertising markets. Google, for example, has been described as the market leader for online search advertising, Facebook for social media advertising. Abusive conduct in online advertising markets related to targeted advertising has also already been reported on, such as discriminatory practices, lack of transparency, or unique access to user data. Competition authorities around the world also investigated and fined companies for related practices, such as the Commission’s decision on Google’s search advertising platform called AdSense, or Germany’s case against Facebook. However, most cases did not deal with targeted advertising itself.
As mentioned above, Apple’s policy change prompted several large advertising companies to request interim measure before the French Autorité de la Concurrence to delay or prevent the implementation of the new ATT mechanism. The applicants had claimed that by implementing the new opt-in mechanism, Apple would be imposing unfair trading conditions on app developers (Article 102(a) TFEU) and/or imposing undue additional obligations on application developers (Article 102(d) TFEU). Since the complainants, in this case, were ad companies themselves, their complaint did not address the question of whether the current state of play in the targeted advertising market constituted a competition law problem. Briefly, the Autorité rejected the request for urgent interim measures since the applicants’ pleas, and the preliminary assessment did not demonstrate a clear violation of either Article 102(a) or (b) TFEU – a higher benchmark than in ordinary proceedings. Nevertheless, the preliminary assessment already provides insights about the use of competition law to prevent a dominant platform from taking steps to promote user privacy and curb tracking, especially cross-app tracking, on its platform. Notwithstanding this first decision, the Autorité will continue to investigate the substance of the arguments, especially relating to the claim that the new opt-in mechanism might be a way for Apple to self-preference to the detriment of app developers.
The views, thoughts, and opinions expressed in this blog post belong solely to the authors, and not necessarily to the authors’ employers.