The EU is in the process of adopting the Digital Markets Act and the Digital Services Act. Both acts include rules applying to online-targeted advertising, commonly understood as the conveyance of messages over the Internet directed at a particular group of people who are perceived to be interested in the message in order to advance commercial or other interests. This blog post provides an overview of the existing and soon to be adopted EU data related rules applying to online-targeted advertising. It does not cover rules relating to ranking systems.
Existing Data Related Rules
Currently, online targeted advertising must abide by certain data related rules of the following laws:
- the ePrivacy Directive (Directive 2002/58/EC, as amended);
- the GDPR (Regulation (EU) 2016/679, as amended);
- the eCommerce Directive (Directive 2000/31/EC);
- the Unfair Commercial Practices Directive (Directive 2005/29/EC, as amended);
- the Directive on Misleading and Comparative Advertising (Directive 2006/114/EC, as amended);
- the Audiovisual Media Services Directive (Directive (EU) 2018/1808); and
- the Consumer Rights Directive (Directive 2011/83/EU, as amended).
Below we summarize these rules:
- The ePrivacy Directive applies to the extent that online targeted advertising requires deploying cookies and similar technologies that store information on or gain access to information already stored in a user’s terminal equipment (e.g., laptop and phone). Online targeted advertising often relies on these tools to function.
  - Unless the online targeted advertising is a service (or part of a service) that a user specifically requested, consent is needed for deploying the cookies and similar technologies. This consent must meet the standard of the GDPR, which essentially means that it must be a freely given, specific, informed and unambiguous indication of the user’s wishes.
  - The directive applies regardless of whether the user’s information is classified as personal data or not under the GDPR. It essentially applies to gaining access to any information (personal or not) stored on the device, or storage of such information on a device.
  - The EU has been working since 2017 on a regulation that is meant to replace the ePrivacy Directive. However, negotiations have been stalled since the end of 2021. The regulation is unlikely to change the general rule that consent is required for dropping cookies or similar technologies for online targeted advertising unless such advertising is part of the requested service.
- The GDPR applies to the extent the online targeted advertising involves the processing of personal data, which is broadly defined as any information relating to an identified or identifiable individual. The GDPR includes several obligations for entities processing personal data. Two important obligations are that of (i) providing notice and (ii) having a legal basis.
  - The GDPR requires informing individuals that their personal data is used for online targeted advertising, how long it is retained, with whom it is shared, and other particulars (see Articles 13 and 14 GDPR).
  - The processing of personal data for online targeted advertising must be based on one of the legal bases set out in Article 6 GDPR. If the personal data includes sensitive data (such as data revealing someone’s religion, health status or sexual status), the processing must also be based on one of the exceptions in Article 9(2) GDPR.
- The e-Commerce Directive applies to commercial communications, which includes online targeted advertising.
  - The directive requires that the online targeted advertising be clearly identifiable as such and that it identifies the natural or legal person on whose behalf the advertising is shown.
  - The directive also requires that promotional offers, such as rebates, and promotional competitions or games, be clearly identifiable, and that the associated conditions be easily accessible and presented clearly and unambiguously. It also includes specific rules on online targeted advertising by regulated professions (such as healthcare professionals and legal professionals).
- The Unfair Commercial Practices Directive applies to business-to-consumer commercial practices, which includes online targeted advertising. It prohibits “unfair” advertising, including advertising that is misleading or aggressive.
  - Online targeted advertising is unfair if (i) it is contrary to the requirements of professional diligence or (ii) it materially distorts or is likely to materially distort the economic behavior of the average consumer, or of the average member of the group when a commercial practice is directed to a particular group of consumers, with regard to the product.
  - Annex I of the directive includes examples of commercial practices that are unfair. For example, it mentions that “exhorting” children to buy advertised products or to persuade their parents or other adults to buy advertised products for them is unfair.
- The Directive on Misleading and Comparative Advertising applies to online targeted advertising. Its rules aim primarily to protect advertisers from each other.
  - The directive prohibits misleading advertising and sets out conditions for comparative advertising.
- The Consumer Rights Directive applies to the conclusion of sales and service contracts with consumers.
  - The directive requires providing consumers with a minimum set of information before they are bound by a contract. Among other things, it requires indicating whether a price was personalized on the basis of automated decision-making.
- The Audiovisual Media Services Directive applies to video-sharing platforms, including advertising shown on these platforms.
  - The directive sets out standards for commercial communications by the platforms themselves and by users. For example, it prohibits the use of surreptitious or subliminal techniques of advertising if they are not readily recognizable as such.
The draft Digital Markets Act and the draft Digital Services Act will include rules on online targeted advertising. Below we provide a summary of these new rules.
- The Digital Markets Act (“DMA”) applies to specific organizations designated as “gatekeepers”, which include companies providing platforms showing advertising and companies offering online advertising services (e.g., advertising networks, advertising exchanges and any other advertising intermediation services).
  - The DMA restricts the processing of personal data for providing online advertising. For example, gatekeepers are not allowed to use for online advertising purposes the personal data of end users that use a gatekeeper’s platform to access and use third party services.
  - Gatekeepers must also provide advertisers and publishers upon their request with access to the performance measuring tools of the gatekeeper and the data necessary for advertisers and publishers to carry out their own independent verification of the advertising inventory.
- The Digital Services Act (“DSA”) applies to providers of intermediary services, including Internet service providers, cloud providers, search engines, social networks, online marketplaces, and other online platforms.
  - The DSA prohibits presenting advertising based on profiling (e.g., online targeted advertising) using: (i) personal data of the recipient of the service when they are aware with reasonable certainty that the recipient of the service is a minor; or (ii) special categories of personal data (as defined under the GDPR).
  - The DSA requires identifying online targeted advertising as such. It also requires providing the following information: (i) the identity of the natural or legal person on whose behalf the advertisement is presented; (ii) the identity of the natural or legal person that paid for the advertising (if different from the person under (i)); and (iii) meaningful information about the main parameters used to determine the recipient to whom the advertisement is presented and, where applicable, information on how to change these parameters.
  - The DSA requires very large online platforms to:
    - adapt their advertising system and adopt measures that limit or adjust the presentation of advertisements in association with the services they provide, where applicable; and
    - compile and make publicly available in a specific section of their online interface information about the online advertising shown on their platforms.
  - The DSA requires the European Commission to encourage the development of:
    - voluntary codes of conduct for online advertising and ensure that these codes pursue an effective transmission of information in compliance with competition law and data protection laws; and
    - voluntary standards by relevant European and international standardization bodies in the area of online advertising.