Adtech Regulation under the EU’s draft Digital Services Act

A lot has been made of the liability and transparency provisions of the EU’s proposed Digital Services Act.

However, there are also a few advertising-specific obligations (proposed to be) coming for online platforms that deserve a closer look.

Adtech Regulation under the EU’s draft Digital Services Act

1. Real Time Information around Ads (Article 24)

Online platforms (i.e. hosting services that store information and disseminate it to the public on request of a user), would be subject to “transparency” obligations. The provision is nice and short but what it requires is maybe not so simple:

For each specific advertisement shown to each user we need to ensure that they can identify, clearly and in real time:

a) that it’s an ad (OK, we should generally be doing this anyway, though there are always questions over native ad formats and advertorial);

b) the person on whose behalf the ad is shown (for goods and services, this may often be obvious from the context, but for e.g. political or cause advertising then the person paying may not be the same as the person named in the ad. Do we need to insist that advertisers include this in ad copy? Or does this need to accompany or overlay the ad? Where ads are served programmatically, Platforms may need to try to pass this responsibility onto agencies or DSPs);

c) meaningful information about the main parameters used to decide to whom the ad is displayed (because you clicked… because you are looking at a page… because you’re in x segment?).

“Can identify … in real time” seems to be the main challenge here. It doesn’t seem to say that we have to have this information visible at all times. So will a hover or a click be sufficient, similar to what we see today (“why am I seeing this ad”)? On the other hand, making the user engage with the ad to receive the information seems contrary to what the European Commission would be aiming to do. Either way there will be plenty of development work to do for each platform (and adtech partners) to find a way to present this information.

2. Publicly Available Ad Repository (Article 30)

For very large platforms (those with 45 million monthly active EU users, or 10% of the future EU population), additional transparency obligations would apply, i.e. information about all each ad displayed must be kept in a repository for a year after it ran for the last time. The repository must be publicly available via APIs. The information to be included (at least) is:

a) the content of the ad;
b) the advertiser;
c) the period during which the advertisement was displayed;
d) whether the advertisement was targeted and, if so, the main parameters used for targeting;
e) the total number of recipients of the platform that were reached and, where applicable, aggregate numbers for the target group or groups.

No personal data of any user should be included in the repository.

The real objective behind this one doesn’t seem obvious: who is it for (those who can get access to an API)? The individual user won’t be able to see whether they have been targeted or not (though they might be able to obtain that information via a GDPR data subject access request). What we might get is further information regarding the types and methods of targeting being used by each platform, and so be able to gauge whether they are working in accordance with their published privacy policy, consent management tools, and applicable laws. Again, creating a database and the external accesses to it seems quite a significant piece of work.

3. Recommender Systems Configuration (Article 29)

Very large platforms that use recommender systems (fully or partly automated systems for suggesting or ordering information for a user, whether in response to a search or otherwise) will need to offer additional options. The main parameters of the system must be set out in terms and conditions, along with any options for the user to change or influence those parameters, which must include at least one option not based on profiling. If there are various options, then users need to be provided functionality to be able to easily select or change between them at any time.

Although this is not strictly advertising-related, this would clearly affect the promotions and products, services and content that the user will be most easily able to see. And this gives users another control over profiling e.g. based on searches that might have been used to inform ad targeting.

4. Traceability of Traders (Article 22)

Returning to all online platforms, and not just the very large ones, where they “allow” users to enter into distance contracts with traders, then they must collect KYC information on the traders before such traders can use the platform to “promote messages” or offer products and services.

The information to be obtained is:

a) the name, address, telephone number and electronic mail address of the trader;
b) a copy of the identification document or electronic ID of the trader;
c) the bank account details of the trader, where the trader is an individual;
d) the name, address, telephone number and electronic mail address of any other economic operator responsible for products (e.g. the manufacturer or importer);
e) the trader’s trade registration number or other registration details;
f) a self-certification by the trader committing to only offer products or services that comply with EU laws.

It could be clearer but this doesn’t seem to mean all advertisers, just those that consumers can contract with over the platform. So e-commerce platforms or other online intermediation services would certainly need to comply (and with the follow up work of checking the details online, suspending traders whose information is wrong or incomplete, storing it, making items a, d, e, and f available to users, and deleting it at the end of our contract with the trader). Social media platforms that have “buy now” functionality could also be caught. What about a free game or competition or newsletter sign up?

5. Where next?

There are a few more interesting details in the proposed Regulation. So in the “recitals” we see “The requirements of this Regulation on the provision of information relating to advertisement is (sic) without prejudice to the application of the relevant provisions of [GDPR] and specifically the need to obtain consent of the data subject prior to the processing of personal data for targeted advertising.” Eden Legal does not believe that this is what the GDPR says (other legal bases are available) and, if adopted as is, it risks laying a trail to somewhere that GDPR doesn’t necessarily lead.

Transparency and KYC are not ‘Bad Things’ as such. And the intentions behind the provisions discussed here are understandable. However, the practicalities of obtaining, storing and making available transparency information, and redesigns that this may mean for publishers’ sites seem bound to require additional consultation and clarification.

In addition, a genie may have been released from a lamp (I’m sure they never lived in bottles): we already have an opinion from the European Data Protection Supervisor indicating their view that these transparency obligations do not go far enough and what we should really be considering here is:

1) a phase-out leading to a prohibition of targeted advertising based on “pervasive tracking”; and

2) further restrictions on (a) the categories of data that can be processed for targeting purposes (e.g., limitations regarding combination with data collected “off platform”); (b) the categories of data or criteria based on which ads may be targeted or served (e.g., criteria that might involve special categories of data or be used to exploit vulnerabilities); and © the categories of data that may be disclosed to advertisers or third parties to enable or facilitate targeted advertising.

That was not really the focus of the proposed Act but it may find support from European Parliamentarians and start a debate that may not easily disappear. It also reveals some deep scepticism on the part of the EDPS regarding adtech. Unsurprising, but for sure publishers and platform operators will be making the points that those concerns need to be balanced with the real world commercial realities of how services are funded, and in any event by the time the regulation is adopted and enters into application, we may be living in a – maybe not cookie-less – but definitely less-cookied adtech environment.

Image credit: Image by Epic Top 10