22
Fri, Nov
57 New Articles

Digital Advertising and Adtech Under the EU Digital Markets Act and Digital Services Act

Czech Republic
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The broader online advertising sector will be affected by the EU Digital Markets Act (DMA) and Digital Services Act (DSA), even though they apply directly only to certain types of organisations, with expanded obligations on the largest organisations.

For example, under the DSA "online platforms" will not be permitted to display ads based on "profiling" of GDPR "special category" data (like health data), with potentially GDPR-beating fines.

We discuss the implications in turn, mainly focusing on the position of adtech players other than gatekeepers/platforms, for advertising both on websites and in mobile apps.

Digital Markets Act

On 6 September 2023, the European Commission designated several gatekeepers for a total of 22 core platform services (CPSs). Gatekeepers have six months thereafter to comply with their DMA obligations, mainly related to competition and transparency. Online advertising services in themselves can be designated as CPSs, as in the case of Amazon Advertising, Alphabet/Google's CPS (Google Ads, Display & Video 360 (“DV 360”), Search Ads 360, Campaign Manager 360, Waze Ads, Google Ad Manager, AdSense for display and video ads and AdMob and where, essentially, it is advertising-related, Google Analytics), and Meta Ads.

Given the importance of the designated CPSs to online advertising, the measures required of gatekeepers will have knock-on impacts on other adtech players, not just in relation to designated advertising CPSs (Amazon, Alphabet/Google, Meta above), but also where any other CPSs may be associated with online advertising services, including advertising networks, advertising exchanges and any other advertising intermediation services.

Overview

Gatekeepers must obtain end-user consent (to GDPR-standard) to process, for providing online advertising services, personal data using services of third parties that make use of the gatekeeper's CPSs. They cannot prompt non-consenting end-users for consent more than once a year. This will likely have knock-on effects for others in the adtech ecosystem.

There are also requirements regarding increased gatekeeper transparency for advertisers and publishers. The Commission can fine gatekeepers up to 10% of total worldwide turnover in the preceding financial year for intentional or negligent non-compliance with these requirements, plus periodic fines for non-compliance with any Commission decision regarding these requirements. However, the DMA does not provide any explicit direct rights for other adtech players against gatekeepers.

Advertisers

On request by an advertiser (or its authorised agent), gatekeepers must:

  • provide information on a daily basis, free of charge, on each advertisement placed by the advertiser regarding:
    • price and fees paid by that advertiser, including any deductions and surcharges, for each of the relevant online advertising services provided by the gatekeeper;
    • remuneration received by the publisher, including any deductions and surcharges, subject to the publisher's consent (or, if the publisher does not consent, information on the daily average remuneration received by that publisher, including any deductions and surcharges, for the relevant advertisements); and
    • metrics on which each of the prices, fees and remunerations are calculated; and
  • provide access to the gatekeeper's performance measuring tools and data necessary for advertisers to conduct their own independent verification of the advertisements inventory, including aggregated and non-aggregated data, in such a way that advertisers can run their own verification and measurement tools to assess the performance of the gatekeeper's CPSs.

Accordingly, advertisers should gear up for:

  • seeking such information and access to metrics/data-analysis tools from gatekeepers, enabling comparison of different publishers' prices, for example; and
  • being requested (or perhaps being required under gatekeepers' amended terms?) to consent to providing their detailed pricing information if requested by publishers (below), but very likely choosing to refuse such consent given commercial sensitivities about pricing information – however, note that their daily average price/fees paid information must still be provided to publishers regardless of the advertiser's lack of consent.

Publishers

On request by a publisher (or its authorised agent), gatekeepers must:

  • provide information on a daily basis, free of charge, on each advertisement displayed on the publisher's inventory regarding:
    • the remuneration received and fees paid by that publisher, including any deductions and surcharges, for each of the relevant online advertising services provided by the gatekeeper;
    • the price paid by the advertiser, including any deductions and surcharges, subject to the advertiser's consent (or, if the advertiser does not consent, information on the daily average price paid by that advertiser, including any deductions and surcharges, for the relevant advertisements); and
    • the metrics on which each of the prices and remunerations are calculated; and
  • provide access to the gatekeeper's performance measuring tools and data necessary for advertisers to conduct their own independent verification of the advertisements inventory, including aggregated and non-aggregated data, in such a way that advertisers can run their own verification and measurement tools to assess the performance of the gatekeeper's CPSs.

Accordingly, publishers should similarly gear up for:

  • seeking such information and access to metrics/data-analysis tools from gatekeepers; and
  • being requested (or perhaps being required under gatekeepers' amended terms?) to consent to their pricing information if requested by advertisers (as above), but very likely choosing to refuse such consent, in which case their daily average pricing/remuneration information must still be provided regardless of their lack of consent.

Digital Services Act

Overview

Focused more on regulating online content, the DSA already applies to designated "Very Large Online Platforms" (VLOPs) and "Very Large Online Search Engines" (VLOSEs) with the average monthly active user-numbers exceeding 45 million. For other in-scope organisations, it applies from 17 February 2024. Again, we cover only adtech-related implications.

On 25 April 2023, the Commission designated two VLOSEs, Google Search and Bing, and several VLOPs: Alibaba AliExpress, Amazon Store, Apple AppStore, Booking.com, Facebook, Google Play, Google Maps, Google Shopping, Instagram, LinkedIn, Pinterest, Snapchat, TikTok, Twitter, Wikipedia, YouTube and Zalando. Amazon and Zalando are currently judicially-appealing their designations to the EU Court of Justice.

There is some overlap between organisations designated as gatekeepers under the DMA and as VLOPs/VLOSEs under the DSA, but strictly the obligations are different and additive: they must comply with both laws, if subject to both.

The DSA defines "advertisement" as information designed to promote the message of a legal or natural person, irrespective of whether to achieve commercial or non-commercial purposes, presented by an online platform on its "online interface" (including websites, mobile apps) against remuneration specifically for promoting that information. So, political ads and ads by charities will also be caught.

The DSA's advertising provisions are relevant not only to VLOPs/VLOSEs, but also to other "online platforms" that offer services in the EU, being hosting services that, at the request of a recipient of the service (e.g. users including consumers and organisations), stores and disseminates information to the public. Dissemination to the public is a broad concept here – please see our previous DSA blog and DSA at-a-glance diagram (downloads a file).

Essentially, services enabling user-to-user content (including organisations-to-consumers, consumers-to-consumers and organisations-to-organisations) are online platforms, including many publishers and online marketplaces, with some exceptions such as online news sites allowing user comments.

Commission fines on online platforms under the DSA can reach 6% of turnover and 5% daily, or 1% of turnover/annual income, depending on the provisions infringed.

All online platforms

Special category data

Ads based on "profiling" of GDPR "special category" data are banned under the DSA.

  • "Profiling" for GDPR purposes means any automated use of personal data to evaluate certain personal aspects relating to individuals, particularly to analyse or predict aspects regarding their performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements; and
  • "Special category" data is very broad, meaning personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual's sex life or sexual orientation.

This is likely to drive contextual-only advertising on sites/apps dealing with health matters, for example. It is not stated whether the prohibition applies when the online platform conducts the profiling, or when another person does so, such as advertisers. However, cautious online platforms are likely to change their terms to require warranties from advertisers and others that ads to be presented on the platform are not based on profiling (if not already included in their terms), and perhaps require audit rights to verify that (unless only contextual ads are possible).

Minors

Online platforms must not display advertisements to a user (whether on websites or mobile apps) based on profiling using that user's personal data, if they are aware "with reasonable certainty" that the user is a minor, although they are not required to process additional personal data to assess whether or not the user is a minor.

Transparency regarding advertisements

In terms of advertising transparency for consumers, online platforms must ensure that, for each advertisement presented to each user, users can identify "in a clear, concise and unambiguous manner and in real time":

  • that the information is an advertisement, including through "prominent markings" which might follow any standards developed for this;
  • the advertiser's identity, and who paid for the advert if different; and
  • "meaningful information directly and easily accessible from the advertisement" about the "main parameters" used to determine to whom the advertisement is presented and, where applicable, how to change those parameters.

The adtech industry will need to consider what "meaningful information" about "main parameters" to provide, and how. The development of standards would certainly be useful here, and a possible standard for transmission of data between advertising intermediaries in support of these transparency obligations is specifically mentioned. In October 2023, IAB Europe published a summary of a proposed solution for supply chain standards to help online platforms meet supplementary advertising transparency requirements, with a standardised protocol (e.g. suggested data formats for user parameters (not the parameters themselves)), leveraging existing supply chain mechanisms including the OpenRTB bid request/response. In December 2023, it issued for public comment (consultation now closed) a DSA transparency specification to assist online platforms to comply with the DSA's advertising requirements to provide users with real-time access to certain information about ads shown to them.

Online platforms must also ensure that if users (including organisations) want to declare that their content is or includes "commercial communications", other users can identify this, again in a clear and unambiguous manner and in real time, including through prominent markings which might follow standards.

VLOPs/VLOSEs

VLOPs/VLOSEs must conduct assessments of systemic risks in the EU arising from the design or functioning of their in-scope services and related systems, including algorithmic systems, or from the use made of their services. In doing this, they must take into account, in particular, of whether and how any of these systemic risks may be influenced by systems for selecting and presenting advertisements, among other things.

They must also implement "reasonable, proportionate and effective mitigation measures", tailored to the specific systemic risks identified, particularly considering these measures' impacts on fundamental rights. Such measures may include, where applicable, adapting their advertising systems and adopting targeted measures aimed at limiting or adjusting the presentation of advertisements in association with the services they provide.

VLOPs/VLOSEs that display ads on their websites/apps must make publicly available, in a "specific section" of their websites/apps, a searchable repository (including APIs) about those ads for at least a year after the ad was last displayed, with information on:

  • The ad's content including product/service/brand name and "subject matter";
  • the advertiser's identity, and who paid for the advert if different;
  • the period during which the advertisement was presented;
  • whether the ad was targeted specifically to one or more groups of service users and, if so, the main parameters used, including where applicable main parameters used to exclude particular groups;
  • other commercial communications published where the user publishing the content chose to identify it as commercial/advertising; and
  • total number of service users and, where applicable, aggregate numbers broken down by Member State for the group or groups of recipients that the advertisement specifically targeted.

Personal data must be redacted first. Where a VLOP/VLOSE has removed or disabled access to particular ads for alleged illegality/incompatibility with their terms, statements of reasons must be included instead, and similarly stating court orders to remove ads. The Commission may issue guidelines on these repositories.

These repositories will obviously be useful to researchers and others. Some repositories have already been published – for example, Meta has expanded its Ad Library, while Google is expanding its Ads Transparency Center, both with a specific category for political ads in particular. Recently, the EU General Court suspended Amazon's obligation to publish this repository, pending the outcome of its broader challenge against its VLOP designation, but the court refused to suspend the obligation for Amazon to offer users recommendations not driven by profiling.

Practical considerations

There are practical issues to be considered, such as whether to simply use the IAB protocol in all cases rather than having to assess whether a particular publisher is an "online platform" as defined, or a mere "hosting provider".

Similarly, there are practical issues regarding advertising based on profiling special category data or data of minors, and the approach to profiling, such as whether or not it matters who conducts the profiling.

February 2024 is imminent, so adtech players should start considering their positions sooner rather than later. Our DMA/DSA experts would be pleased to assist if you would like to discuss any of the issues raised.

By Antonis Patrikios and Zdenek Kucera, Partners, and Kuan Hon and Tatiana Kruse, Of Counsels, Dentons