Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
EU: Navigating through ambiguities - data protection considerations for online personalized advertising
The discipline of marketing and advertising has received quite some attention from data protection practitioners over the years. The marketing and advertising sector was critically examined for its use of profiling, followed by big data and, most recently, real-time bidding. Despite all this, many may wonder why companies, and, in particular, their marketing departments, are still keen on engaging in this highly controversial activity of personalizing advertising messages.
In this Insight article, Dr. Sachiko Scheuing, from Acxiom, examines recent regulatory developments affecting personalized advertising and how organizations can ensure they are compliant.
The marketing department's perspective
For many years, the only form of advertising available to marketers was mass advertising, for example, TV commercials between football matches and lit-up billboards at a busy crossing. As such, they were very expensive, making these channels of communication exclusively available to large corporations.
With the advent of the internet, accelerated by the rise of smartphone ownership, technology has made it possible to display advertising to small groups of people. The smaller-sized audience has reduced the cost of advertising significantly, making it accessible to small and medium-sized enterprises (SMEs) and even to start-ups on shoestring budgets.
Another advantage of being able to advertise to smaller groups is that messages can be made more relevant to each of the selected groups, making consumers more interested in the advertised product or service. As an example, the same vacuum cleaner robot can be advertised to career-oriented young people showing an image of a young lady on a video conference or to a family with small children with a video showing a living room with toys on the floor. The theory goes that the more relevant the ad, the more positive the experience consumers have with the brand. Having a positive experience leads to giving the brand more attention, which in turn translates to higher chances of buying the product1.
Online personalized advertising has an additional advantage in that it can measure the effectiveness of a campaign. The traceability of the impressions and conversions helps marketing departments learn from every campaign and use this knowledge to improve the effectiveness of future campaigns. Measurable advertising campaign results also allow companies to incentivize marketers so that they can command performance-based bonuses when hitting their targets, just like salespeople.
In line with the risk-based approach of the General Data Protection Regulation (GDPR), data protection officers (DPOs) and data protection advisors recommend viable risk mitigation methods to be adopted. Firstly, data protection agreements with advertising services providers can be tightly worded, reducing controller liability. However, it must be caveated that bargaining powers to negotiate the data protection agreements are reserved only to a few brands with large advertising budgets that can be leveraged.
Privacy advisors can also suggest an alternative to behavioral advertising, such as the use of cartographic information on neighborhood characteristics, instead of information gathered through online tracking, for audience selection. Risk minimization efforts through technical and organizational measures may also be advisable, including the use of Privacy-Enhancing Technologies (PETs) and data cleanroom during the data matching and comparison phase of the personalization process.
The regulator's perspective
Data protection authorities across Europe are showing a strong preference to use consent as the legal basis when processing data for online personalized advertising, a position strengthened by requirements under the Digital Markets Act (DMA), on top of the ePrivacy Directive. The fundamental concern is about the most popular type of ad personalization which uses behavioral profiling, generated through cumulating browsing behavior and the like. Taking Recital 24 of the GDPR into consideration, the European Data Protection Board (EDPB) sees online marketing using profiles based on web visit tracking as carrying high data protection risk2. Since it is unlikely that processing carrying high risk passes the balancing test, basing tracking-based advertisement personalization on legitimate interest is challenging.
However, the GDPR takes a risk-based approach. Technical and organizational measures to reduce the level of risk to the data subjects, such as pseudonymization and the use of PETs, have been briefly mentioned in the context of the Cookie Pledge discussion with the EU Commission. There may be more discussions on risk reduction in the future. Currently, however, the only personalization method deemed acceptable by EU regulators is that of contextual advertising, where advertising to be displayed is determined by the characteristics of the website or app where the advertising appears3. An example of contextual advertising can be that of placing an ad for a car rental service on a hotel booking website, assuming that a person booking a hotel room is likely to be interested in renting a car.
From the marketers' perspective, contextual advertisement is stigmatized as an obsolete, less effective technique (which in turn means less bonus pay-out). On the other hand, there are advanced contextual advertisements, which is seeing an uptake. Advertisers are trying out new contextual advertising, which means this niche market has the potential to grow.
The data subject's perspective
While data protection authorities are concerned with tracking-based personalized advertising, companies are facing a very different challenge from the consumers. A McKinsey study found that 71% of consumers expect personalization. Even worse, 76% of the respondents find it frustrating when confronted by irrelevant communication. In addition, a 2022 study by the Global Data and Marketing Association found that 81% of those surveyed were either pragmatists who are prepared to make trade-offs if they see value in information or services they get in exchange, or are unconcerned about sharing their personal data. The study also showed a growing awareness of the role of data sharing in our society, with more than half of the respondents agreeing with this statement. Because marketers want consumers to associate a positive experience with their company, and since acceptance, as well as an expectation of data use is increasing, it is logical to continue to improve the digital personalization of commercial messages.
Data subjects are also faced with consent fatigue. Research revealed that the daily ritual of accepting numerous consent requests not only makes the exercising of the right to data protection irrelevant but also promotes the general feeling of resignation that people do not have control over anything.4 More than 50 years ago, legislators with foresight adopted data protection laws so that people could proactively have more control over their data by exercising informational self-determination5. Bombarding people with consent seems to be drawing consumers in the exact opposite direction of what data protection laws want to achieve.
These two developments, changing consumer attitudes towards data use and consent fatigue, may be an indication that the moment has come to reexamine legitimate interests as a more appropriate legal ground than consent in the context of online personalization of advertising.
The changing legislative landscape
When evaluating online personalized advertising activities, the GDPR and ePrivacy Directive continue to be the two most important laws to consider. The ePrivacy Directive's Article 5(3) is particularly relevant as it requires user consent for storing and reading information on end user devices. When the 2009 ePrivacy Directive came out, it was nicknamed the 'cookie law' as it triggered the proliferation of consent for setting and reading cookies, also used for personalizing advertising.
In the recent past, additional laws such as the EU Artificial Intelligence Act (the AI Act), the Digital Services Act (DSA), and the DMA have been added to this mix. Generally, the direct impact of the AI Act on marketing is expected to be minimal. Where artificial intelligence (AI) is used for personalizing advertising, additional obligations are triggered mostly in areas outside of data protection. For instance, when marketers use AI-generated images, audio, or video that appear authentic or deploy chatbots, additional transparency requirements are triggered.
The effect of the DSA on digital personalized advertising
The DSA, with its focus on ad content, addresses disinformation and targeting practices. The law applies to companies providing intermediary services, hosting services, online platforms, and marketplaces. Organizations falling under the thresholds for Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) must comply with a more stringent set of obligations6. There are also exceptions for micro or small enterprises.
As far as personalized advertising is concerned, the DSA bans targeted advertising to minors based on profiling, as well as the use of profiling based on special categories of personal data, such as religion and political opinions. The ban seems to indicate that personalization of advertising using profiles based on special categories of data is not permitted, even with explicit consent (see Articles 26(3) and 28(2) of the DSA). The ban is not expected to dramatically change current practices. For instance, companies in the medical and healthcare industry have already been restricting themselves to generic audience selection criteria (such as life-stage, urbanicity, and hobbies) and contextual advertising for digitally personalizing commercial messages for many years.
The DSA also brings enhanced transparency to digital personalized advertising, such as information on who paid for the ad, the intended audience, and how long the advertising was displayed. The exception of transparency obligations under Articles 13(4) and 14(5) of the GDPR are not available in DSA. This means, for instance, that information must be provided even in situations where data subjects were already informed.
Recognizing the new sets of obligations, the European Interactive Digital Advertising Alliance (EDAA), known for the AdChoices-icon and YourOnlineChoices.eu, promptly developed the Advanced Advertising Transparency Programme (AATP) that can help companies fulfill requirements under the DSA.
The effect of the DMA on digital personalized advertising
The DMA aims to foster a fairer digital marketplace by preventing dominant companies, referred to as 'gatekeepers,' from abusing their dominance in specific digital markets. The European Commission has designated seven companies, Alphabet, Amazon, Apple, Booking, ByteDance, Meta, and Microsoft, as gatekeepers.
Firstly, gatekeepers must obtain consent for targeted advertising or for combining users' data from across the different services they provide. Here it should be noted that there is a technical uncertainty surrounding how consent should be interpreted under the DMA. To begin with, the DMA is based on Article 114 of the Treaty on the Functioning of the European Union (TFEU), which provides for establishing measures for a functioning internal market. Interestingly, Article 16 of the TFEU, which concerns the protection of personal data, was not the legal ground for the DMA, which means the DMA cannot be a lex specialis of the GDPR. Nevertheless, there are references made to consent in the DMA, for instance under Articles 2(32) and 5(2) and Recital 37. However, the DMA does not seem to treat consent as a legal ground as laid out in Article 6(1)(a) of the GDPR.
Coming back to gatekeepers' requirement to obtain consent, gatekeepers generally have direct relationships with their users (data subjects), which makes the additional collection of consent required under the DMA slightly easier. However, when consent is refused or withdrawn, the gatekeeper cannot request that consent more than once a year. Some gatekeepers have started to mandate consent collection to companies in the marketing ecosystem. Indeed, gatekeepers are permitted to collect consent through third parties. However, this should be limited to exceptional cases and not the rule. When 'normal' companies need to collect consent to use gatekeepers' services, these companies are put under some of the obligations of the DMA that were designed to balance the market power between gatekeepers and all other companies in the marketplace.
Secondly, the DMA requires gatekeepers to provide publishers and advertisers with costs and pricing information. In addition, gatekeepers have to grant access to measurement tools and performance data, which will greatly help marketers. As a side note, parts of the measurement information may be personal data. In this case, it is currently being debated if the legal basis of processing can be Article 6(1)(c) of the GDPR, otherwise known as the legal obligation.
In the meantime, the gatekeepers have deployed their first iteration of compliance solutions for the DMA. In recent months, advertisers and publishers have started to receive ad performance information through gatekeepers' performance measuring tools. It is expected that the details of provided information, such as the type, granularity, and breadth of data to be made available, will be further specified in the coming time by representatives of the gatekeepers, commission, and the marketing industry.
More changes for marketers
Apart from new laws like the AI Act, DSA, and DMA, online personalized advertising is also being affected by changes to existing laws. The draft e-Privacy Regulation, aimed at updating the ePrivacy Directive to better align with the GDPR, is rumored to be withdrawn. UK marketers are also monitoring the legal landscape carefully. Since Brexit, the UK Government has been working on a draft law, namely the Data Protection and Digital Information (DPDI) Bill, intended to update the GDPR. However, in May 2024, the DPDI Bill was withdrawn following the dissolution of Parliament. Then, in the King's Speech in July, the new Government's plan to work on the Digital Information and Smart Data (DISD) Bill was announced. This means that data protection rules in the UK are set to be updated in the near future.
In addition to legislative changes, marketing departments are confronted yet again by a major shift in the market. In July 2024, Google announced that it will keep third-party cookies in Chrome after all. Chrome accounts for 60% of all browsers used in the EU7. Some companies have just made major investments, for instance, to better leverage their customer data (so-called first-party data) for marketing activities in response to Google's earlier announcement to deprecate third-party cookies. Marketers must now readjust to this new reality.
Conclusion
Online personalized advertising offers substantial benefits to companies and their marketing departments. However, shifting consumer attitudes toward ad personalization and data use are influencing how marketing strategies are developed. Data protection authorities have expressed concerns about the risks associated with tracking-based personalized advertising, prompting a search for alternative approaches. At the same time, new regulations, such as the DSA and the DMA, alongside evolving market dynamics, continue to reshape the landscape of ad personalization. As these trends converge, DPOs and privacy advisors can help marketers navigate through these complexities to balance effective advertising with compliance and consumer trust.
Dr. Sachiko Scheuing European Privacy Officer
Acxiom, Frankfurt
1. See Chapter 2 of Scheuing, S., (2024). How to Use Customer Data: Navigating GDPR, DPDI and a Future with Marketing AI. Kogan Page Publishers.
2. See, for instance, page 9 of Guidelines on Data Protection Impact Assessment (DPIA)
3. The EDPB's support of contextual advertising can be read, for instance, in their feedback to the European Commission's initiative, Cookie Pledge
4. For example, see Choi, H., Park, J., and Jung, Y. (2017). The role of privacy fatigue in online privacy behavior, Computers in Human Behavior, Elsevier ScienceDirect, 5 December
5. This is discussed in further detail in chapter one of my book Scheuing, S., (2024). How to Use Customer Data: Navigating GDPR, DPDI and a Future with Marketing AI. Kogan Page Publishers.
6. In April 2023, the European Commission named 17 VLOPs and 2 VLOSEs under the DSA
7. Browser Market Share Europe