Every few decades, major shifts happen that change how an industry fundamentally operates and who the new winners and losers are. We are in the midst of one such shift in the digital advertising industry. This has been driven by three critical changes in the ecosystem, all privacy-related:
While the effects of these changes have been felt by the advertising industry globally, the EU, in particular, has been at war with behavioral advertising for a few years now. And winning. In the past three weeks, there have been significant announcements from Meta, Snap, and TikTok about upcoming changes to their products in the EU. It’s probably fair to say these changes mark the end of an era for behavioral advertising in the EU, and the platforms have made peace with that.
In this piece, we’ll dive into:
Let’s start with some simple concepts. An ad shown to you can be contextual or behavioral (sometimes both).
A contextual ad is something that is shown alongside organic results (non-ads) in the context of whatever you are doing. For example, if you are on a food delivery app like DoorDash and you see an ad for a restaurant alongside organic results, that is a contextual ad. In that case, your identity doesn’t really matter. DoorDash knows your location and what you’re looking for and therefore shows you a relevant ad. Knowing your identity and interests does help improve the relevance of these ads, but it’s secondary to the context itself.
A behavioral ad is something that’s shown to you because of your past behavior. For example, you might have visited an office chair brand’s page on Instagram, and therefore you get served ads for another office chair brand; that’s exactly what happened to me with the ad on the right. This can either be based on direct behavior (like the office chair example) or inferred behavior — people like you who looked for chairs also looked for monitors. One step further, people who looked at chairs are also likely to work from home more and therefore be open to lunch service. All of those are potential ads that can be shown to you.
A subset of products, most often search products, are perfect for contextual ads — Google Maps, Google Search, DoorDash, Yelp, Thumbtack, TripAdvisor, and Zocdoc, to name a few. The user has high intent to do something specific. However, most high-intent products are low-medium frequency. You are not looking for plumbers every day on Thumbtack, and you are not looking to order food delivery every hour of the day on DoorDash; therefore, the amount of contextual ad inventory is lower — highly effective but lower in volume.
On the other hand, social media platforms where users spend hours doomscrolling have a large volume of non-contextual inventory. Random ads are annoying and ineffective, and therefore the most effective way to monetize this inventory is through behavioral ads.
Unsurprisingly, behavioral ads require a lot of data, specifically data about you. Before ~2018 (when EU’s GDPR kicked in), there was essentially a free flow of data about you, collected through a long list of highly effective AdTech mechanisms. Some notable examples:
Note that these identifiers, for all practical purposes, were permanent. You could go deep inside your settings and reset these IDs, but most people never do that. This resulted in a couple of second-order effects.
First, companies that are “data brokers” started purchasing data from several different data providers and building “profiles” about you. For example, app 1 could tell the broker that you bought an expensive piece of furniture, website 2 could tell them you have an account with a high-end bank, and the data broker could put that together and categorize you as a “high propensity of spend” person. Note that when I say “you,” that refers to your identifiers (mobile advertising ID or third-party cookie ID).
Second, attribution/measurement of advertising campaigns became more and more precise. Through a combination of technical mechanisms, an advertiser could say you first saw an ad on Facebook, then an ad on Google Search, then a display ad on NYTimes, and eventually bought an item from their website, so each of those three advertising platforms gets shared credit.
While this sounds privacy invasive (and it is), this resulted in a highly efficient advertising ecosystem. Advertisers knew exactly which users they were targeting, and since they had all these extra behavioral signals to know how likely a user was to engage, they were willing to pay higher cost per impression (CPM) for ad inventory, thereby generating more revenue for a media publisher. Precise attribution/measurement turbocharged this further.
However, you can see how this was becoming the wild west — highly effective advertising no doubt, but also an uncontrolled orgy of data acquired with non-existent or questionable user consent. This rightfully raised concerns about data consolidation in the hands of both data brokers and large technology companies, and an intervention was inevitable. It was less a matter of if and more a matter of when.
Let’s dive into each of the three privacy interventions that arose in an attempt to tame the Wild West.
First, Apple introduced the App Tracking Transparency (ATT) framework. It sounds jargon-y, but the change is relatively simple. Prior to ATT, every app by default had access to your advertising ID, i.e. it was opt-in by default. This meant you could easily be tracked across apps and therefore shown effective behavioral ads. For example, you installed the Strava app to track your runs, you are now on Facebook, and you are shown an ad for Strava Premium. After ATT, the access to this identifier became opt-out by default, i.e. an app had to show you a pretty aggressive prompt to get access to your identifier, and you explicitly needed to say yes. The average opt-in rate ended up close to ~34% (with a lot of caveats).
We won’t go into much detail here, but this prompt was launched by Apple in the guise of embracing privacy — a smart chess move. The consensus opinion today is that this was an opportunistic move from Apple, which no doubt improves privacy but also heavily hurts Apple’s competitors as they prop up their own ads business. The impact was that user identity was available much less often.
Note here that for behavioral advertising to happen in the Strava-Facebook example, there is not one but two apps that need to have received opt-in from you, i.e. the addressable market does not drop to 34%, it drops to 34% * 34% = ~12%. Therefore, cross-app behavioral advertising on iOS is no longer effective at scale.
Second, Google announced that it will deprecate third-party cookies in 2024. The consensus opinion is that the change helps Google achieve a dual purpose: appease regulators who are breathing down their neck for potential anti-trust behavior in AdTech, while taking control back from what’s now a fairly bloated advertising tech stack. Google’s new mechanisms post third-party cookies will still allow cross-site retargeting, but in a more private way where all information is stored on-device within the browser, i.e. there are no more cross-site “cookie IDs” assigned to you. While the new mechanism preserves some of the status quo, cross-site behavioral advertising is going to have much less fidelity and, therefore, effectiveness.
Which brings us to the third intervention — privacy regulations. The most aggressive of these is the EU’s GDPR, which went into effect in 2018. The California Consumer Privacy Act (CCPA) went into effect in 2020. While the progression has been gradual, the reason these laws matter for advertising companies today more than ever is because the laws take aim at the only remaining and mission-critical advertising mechanism — behavioral advertising within companies’ own apps (i.e. you do a bunch of different things inside the Facebook app and Facebook gets to use that data to show you behavioral ads within the app).
A primary feature that makes the California law (arguably the strictest privacy law in the US) less aggressive than the EU’s GDPR is that it does not require explicit opt-ins and only requires platforms to provide opt-outs. For example, the 2020 California Consumer Privacy Act (CCPA) requires companies that are considered “data sellers” under the law to provide explicit opt-outs on web pages, but the default is still opt-in.
EU’s GDPR takes this up another notch and requires explicit opt-in/consent for behavioral advertising. This consent needs to be freely given, specific, informed, and unambiguous. For example, Meta cannot gate content behind a behavioral advertising consent prompt.
So, the simplistic inference from this is that Meta needs to get explicit consent for all behavioral understanding, including the last remaining mechanism — showing ads within their own platform. If Meta is forced to do this, the opt-in will likely be small (the Apple opt-in rates were ~34%), and this majorly shrinks Meta’s addressable advertising market in the EU.
To not meet that fate, Meta made a creative legal argument:
Last month, the Norwegian Data Protection Authority provided their enforcement decision that Meta’s use of “legitimate interests” as the legal basis is not valid. Paraphrasing the enforcement decision:
Four days after the Norwegian Data Protection Authority’s ruling, Meta announced that they would be changing their legal basis from “legitimate interests” to “consent.” In practice, what this means is that Meta is conceding that behavioral advertising within their own app in the EU can no longer be opt-in by default. While Apple’s changes significantly cut down the ability to advertise cross-app, Meta was holding on to hope that it would be able to preserve all in-app behavioral advertising (including in the EU), and the writing is now on the wall. Snap and TikTok followed suit shortly after with their own announcements that non-personalized versions of their products will soon be available to users. A total of 19 platforms that are in scope are likely to follow suit.
It is still to be seen what percent of users opt into behavioral advertising. If the Apple opt-in rates are any indication, it may get to the ~34% rate seen there, but it may also go higher if platforms are allowed to be creative about opt-in language and user interfaces.
It is hard to say what exactly the long-term effects of ending the opt-in-by-default regime for behavioral advertising in the EU will be, but here are some educated guesses:
The advertising market exploded over the last several decades due to the availability of essentially infinite user data, which brought both large efficiencies in advertising and major privacy risks. Regulation was necessary. Great regulation is about finding the balance between promoting innovation/letting new businesses emerge that move society forward and having guardrails so people are protected. Did the EU go too far? I personally think they did, and if that is true, the effects will start showing in a 5–10 year horizon, and course correction will follow.
Until then, this is the new reality of behavioral advertising in the EU. The regulators and legislators came all guns blazing, and they won.
Best, Viggy.