Earlier this month, the European Union Parliament passed sweeping new rules aimed at limiting how companies and websites can track people online to target them with advertisements. Targeted advertising based on people’s online behavior has long been the business model that underwrites the internet.
It allows advertisers to use the mass of personal data collected by Meta, Google, and other tech companies as people browse the web to serve ads to users by sorting them into tens of thousands of hyperspecific categories.
But behavioral advertising is also controversial. Critics argue that the practice enables discrimination, potentially only offering certain groups of people economic opportunities. They also say serving people ads based on what big tech companies assume they’re interested in potentially leaves people vulnerable to scams, fraud, and disinformation.
Notoriously, the consulting firm Cambridge Analytica used personal data gleaned from Facebook profiles to target certain Americans with pro-Trump messages and certain Britons with pro-Brexit ads.
The 2016 U.S. presidential election and the Brexit vote, according to Jan Penfrat, a senior policy adviser at European digital rights group EDRi, were “wake-up calls” to the Europe Union to crack down. Lawmakers in the U.S. are also looking into ways to regulate behavioral advertising.
There’s been a long back and forth about how much to crack down on targeted advertising in the Digital Services Act (DSA), the EU’s big legislative package aimed at regulating Big Tech.
Everything from a total ban on behavioral advertising to more modest changes around ad transparency has at some point been on the table.
On Jan. 19, the Parliament approved its final position on the bill. Included is a ban on targeted advertising to minors, a ban on tracking sensitive categories like religion, political affiliation, or sexual orientation, and a requirement for websites to provide “other fair and reasonable options” for access if users opt-out of their data being tracked for targeted advertising.
The bill also includes a ban on so-called dark patterns —“design choices that steer people into decisions they may not have made under normal conditions—such as the endless clicks it takes to opt out of being tracked by cookies on many websites.”
That measure is critical, according to Alexandre de Streel, the academic director of the think tank Centre on Regulation in Europe, because of how tech companies responded to the General Data Protection Regulation (GDPR), the EU’s 2016 tech regulation.
In a study on online advertising for the Parliament’s crucial Committee on the Internal Market and Consumer Protection, de Streel and nearly a dozen other experts documented how “dark patterns” had become a major tool used by websites and platforms to persuade users to provide consent for sharing their data.
Their recommendations for the DSA—which included more robust enforcement of the GDPR, stricter rules about obtaining consent, and the dark patterns ban—were included in the final bill.
“We are going in the right direction if we better enforce the GDPR and add these amendments on ‘dark patterns,’ ” De Streel told The Markup.
German member of European Parliament Patrick Breyer joined with more than 20 other MEPs and more than 50 public and private organizations last year to form the Tracking Free Ads Coalition. Though its push for a total ban on targeted advertising failed, the coalition was behind many of the more stringent restrictions. Breyer told The Markup the new rules were “a major achievement.”
“The Parliament stopped short of prohibiting surveillance advertising, but giving people a true choice [of whether to be targeted] is a major step forward, and I think the vast majority of people will use this option,” he said.
The EU will address digital political advertising in a separate bill that could potentially be more stringent around targeting and using personal data.
Despite passing the European Parliament, the DSA is far from settled. Due to the EU’s unique law-making process, the legislation must now be negotiated with the European Commission and the bloc’s 27 countries.
The member states, as represented by the European Council, have adopted an official position considerably less aggressive—opting for only improved transparency on targeted advertising—and, according to Breyer, are “traditionally very open to [industry] lobbying.”
Whether the DSA’s wins against targeted advertising survive this process “will depend to a large degree on public pressure,” said Breyer.
So far, Big Tech companies have publicly tread lightly in response to the European push to limit targeted advertising.
In response to The Markup’s request for comment, Google spokesperson Karl Ryan said that Google supports the DSA and that it shares “the goal of MEPs to continue to make the internet safer for everyone….”
“We will now take some time to analyze the final Parliament text to understand how it could impact us and our different users,” he said.
Meta did not respond to a request for comment.
But privately, over the last two years, Google, Facebook, Amazon, Apple, and Microsoft have ramped up lobbying efforts in Brussels, spending more than $20 million in 2020.
The advertising industry, meanwhile, has been public in its opposition. In a statement on the recent vote, Interactive Advertising Bureau Europe director of public policy Greg Mroczkowski urged policymakers to reconsider.
“The use of personal data in advertising is already tightly regulated by existing legislation,” Mroczkowski said, apparently referencing the GDPR, which regulates data privacy in the EU generally. He further noted that the new rules “risk undermining” existing law and “the entire ad-supported digital economy.”
On Wednesday, the Belgian Data Protection Authority found IAB Europe–which developed and administered the system for companies to obtain consent for behavioral advertising while complying with GDPR—in violation of that law. In particular, the authority found that the pop-ups that ask for people’s consent to process their data as they visit websites failed to meet GDPR’s standards for transparency and consent.
The pop-up posed “great risks to the fundamental rights” of Europeans, the ruling said. The authority ordered IAB to delete data collected under its Transparency and Consent Framework and has six months to comply.
“This decision is momentous,” Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, told The Markup. “It means that digital rights are real. And there is a significance for the United States, too, because the IAB has introduced the same consent spam for the CCPA and CPRA [California Consumer Privacy Act and California Privacy Rights Act].”
In a statement to Tech Crunch, IAB Europe said it “reject[s] the finding that we are a data controller” in the context of its consent framework and is “considering all options with respect to a legal challenge.” Further, it said it is working on an “action plan to be executed within the prescribed six months” to bring it within GDPR compliance.
Google and Meta may be preparing for whichever way the wind is blowing.
Google is developing a supposedly less-invasive targeted advertising system, which stores general topics of interest in a user’s browser while excluding sensitive categories like race. Meta is testing a protocol to target users without using tracking cookies.
A handful of European companies like internet security company Avast, search engine DuckDuckGo (which is a contributor to The Markup), and publisher Axel Springer see tighter rules around data privacy as a means to push the industry toward contextual ads or tech that matches ads based on a website’s content, and to therefore break the Google-Meta duopoly over online advertising.
On Jan. 18, Reps. Anna Eshoo (D-CA) and Jan Schakowsky (D-IL) and Sen. Cory Booker (D-NJ) introduced legislation to Congress to prohibit advertisers from using personal data to target advertisements—particularly using data about a person’s race, gender, and religion. Exceptions would be made for “broad” location information and contextual advertising.
“The hoarding of people’s personal data not only abuses privacy, but also drives the spread of misinformation, domestic extremism, racial division, and violence,” Booker said in a statement announcing the bill in January.
While there is a bipartisan desire to rein in Big Tech, there is no consensus on how to do it. The bill most likely to pass the divided Congress is designed to stop Amazon, Apple, Google, and other tech giants from privileging their own products. Congressional action on targeted advertising does not appear likely.
Still, it is possible the Federal Trade Commission will take action.
Last summer, President Biden issued an executive order directing the FTC to use its rulemaking authority to curtail “unfair data collection and surveillance practices.” In December, the FTC sought public comment for a petition by nonprofit Accountable Tech to develop new data privacy rules.
Meanwhile, many U.S. digital rights activists, such as the nonprofit Electronic Frontier Foundation, are hopeful that new rules in Europe will force changes globally, as occurred after the GDPR.
“The EU Parliament’s position, if it becomes law, could change the rules of the game for all platforms,” wrote EFF’s international policy director Christopher Schmon.
It’s still early days, but many see the tide turning against targeted advertising. These types of conversations, according to Penfrat at EDRi, were unthinkable a few years ago.
“The fact that a ban on surveillance-based advertising has been brought into the mainstream is a huge success,” he said.
Written by: Harrison Jacobs
Also published here