The impact of the Digital Services Act on the world of advertising technologies

This article is part of a series of publications marking the first 100 days since the full implementation of the European Digital Services Act on February 17, 2024. You can read more from this series here.

Google’s cookie phaseout, or the process of phasing out third-party cookies, has been threatening the advertising industry, particularly ad tech and the AdTech world, since 2020. While this has allowed the industry to prepare for privacy compliance under various regulations, Google has allowed cookies to be phased out cookies within five years, fully coming into force in 2025. While the industry has made progress in implementing a privacy-compliant, cookie-free world, AdTech in the European Union has been preparing for the last two years for the broader regulation that came into force into force: Digital Services Act (DSA). The DSA came into force in 2022 and applies to all digital services from February 2024. While the heart of the regulation lies in its requirements for content moderation and limiting disinformation, there are specific guidelines on ad transparency that impact AdTech.

Implications of DSA for the AdTech industry

Most importantly, DSA puts consumers at the forefront of consent, control and access to their own data. Section 26 of the DSA provides detailed guidance on online advertising platforms. This includes requiring platforms to provide real-time information to consumers who clearly label the ad as an ad; disclosure of the advertiser’s source of origin, including the entity that paid for it; and determining the steering parameters used. In addition, in Art. Article 39 highlights the compliance requirements for algorithmic advertising transparency for very large online platforms (VLOPs) and very large online search engines (VLOSEs). Before applying the DSA in 2024, the commission designated Google and Bing as VLOSE and a list of companies that had more than 45 million users under the VLOP criteria.

The European Commission has recognized some online consumer brands as very large platforms, including fast fashion and retail brands Shein and Temu, in addition to the visible VLOP list: Meta, TikTok, Amazon and X, among others. Notifications of DSA non-compliance have been sent to most online sellers in numerous articles, including on fraud in product design, lack of consumer health and safety protection, and failures in algorithm transparency, consumer profiling and advertising. Many VLOPs and VLOSEs are under formal investigation or subject to DSA enforcement requests as of April 2024. The Enforcement Commission has contacted Meta, X and TikTok regarding the protection of minors, risk assessment and content moderation, including including on election integrity and disinformation. Moreover, ad transparency demands on public ad repositories influenced most VLOPs and VLOSEs.

Shortly after the DSA went into effect, Amazon challenged their assignment to the VLOP, arguing that their rights to freedom to conduct business were challenged due to the DSA’s requirements for a transparent ad library. The claim was rejected because Amazon had to work on a large DSA-compliant e-commerce platform that would also function as an AdTech platform. Other platforms, including AliExpress, TikTok and Shein, have been specifically urged to ensure transparency around profiling for targeted advertising, as well as DSA compliance to ensure a public repository of all advertising. At approximately the same time, LinkedIn was sent a request for information regarding DSA compliance regarding targeted advertising using sensitive data or profiling. However, the meta was subject to greater scrutiny for DSA compliance. At the end of April 2024, the Commission opened formal proceedings against Facebook and Instagram for misleading advertising, political content and harm to minors.

An earlier request for information was sent to Meta asking for details about “ad-free subscription options” on both social networks, Facebook and Instagram. While there are no updates on this request yet, Meta is pursuing a similar strategy that was implemented by Company X, formerly known as Twitter – a subscription model introduced in 2023 that has various tiers to choose from and allows for limited or no ads. However, this subscription model is not entirely compatible with DSA, as it has apparently neither limited the spread of disinformation through content moderation nor allowed for greater transparency. Even the “Premium+” model does not promise the use of consumer data, but alludes to an “ad-free” platform. As Meta has come under intense scrutiny in recent years, it will need to examine its business model to determine whether it complies with the regulations.

Of course, DSA was criticized for its broad approach, but it also allowed for some accountability on the part of data brokers. For example, one of the largest data brokers, The Trade Desk (TTD), has implemented DSA properties, requiring marketers to provide all correct information to ensure advertising transparency. However, since they do not have 45 million consumer subscribers, the regulatory obligations of these large data broker platforms regarding algorithmic transparency are unclear.

Indeed, this type of notifications are nothing new for companies. They began with the advent of Europe’s General Data Protection Regulation (GDPR), which suffered from a lack of enforcement. A core part of the DSA provides oversight of advertising transparency and targeting platforms and the largely uncontrolled data broker industry. As a result, employment opportunities have increased for both EU enforcement officers and industry experts (e.g. this job at Amazon) who deal with DSA compliance. One of the most important misconceptions about DSA is that it only affects VLOP and VLOSE, which is not entirely true as it affects small, medium and large platforms. These platforms are expected to review the guidelines to identify qualifying factors and submit their information accordingly.

All this has not proven effective for companies that have to bear additional compliance costs because non-compliance has a very high price, up to 6% of a company’s global turnover. These costs can ultimately be passed on to the consumer, especially in the form of the costs of goods and services sold by companies like Shein and Temu, which thrive in the low-cost goods category. However, some companies are taking steps to be transparent about their DSA compliance efforts, such as LinkedIn, which has made its DSA transparency information publicly available. While the Meta ad library does not focus directly on DSA, it has also been made publicly available “to increase ad transparency,” as has the Google Ad Transparency Center. AdTech industry organizations such as the Interactive Advertising Bureau (IAB) have made progress in providing guidance to the industry on implementing DSA transparency.

Will APRA be a springboard in the US?

While DSA enforcement in the EU is in full swing and its effects can be seen around the world, the question arises about its implications for U.S. regulation. A previous article I wrote for Tech Policy Press showed the potential impact of DSA on targeted political advertising in America. But when it comes to comprehensive federal policy, there is much more to discover. The relatively unregulated industry of data platforms and brokers, combined with the lack of a comprehensive federal privacy law, suggests that the United States has a difficult road ahead if it wants to help these industries – but not impossible.

In April 2024, a bipartisan draft of the proposed federal regulation, the American Privacy Rights Act (APRA), was released to the world. Taking into account the previously enacted US Data Protection and Privacy Act (ADPPA), existing EU regulations including GDPR and DSA, as well as certain US state regulations such as the California Consumer Privacy Rights Act (CCPRA), APRA complies with proposals around data minimization, data transparency and giving the consumer agency to manage their data. While the United States may not yet have a regulation, it does address DSA at the official and policy levels. Senator Ted Cruz (R-TX) has reportedly sent a scathing letter to the Federal Trade Commission (FTC) questioning “coordination” between the DSA’s enforcement branches and the FTC. It was previously reported that the FTC sent Americans to the EU to help enforce the DSA law, which left many, mostly Republicans, unhappy to claim that the DSA was implemented against American companies. (FTC Commissioner Rebecca Slaughter questioned this characterization of the Commission’s cooperation with EU regulators.) While it is unlikely that a law like DSA will appear in the United States in the near future, its consequences could be felt there.

Given that most VLOPs and VLOSEs are U.S. companies, there will likely be a cross-border effect that will automatically result in some U.S. companies operating effectively under DSA regulations, particularly in the AdTech industry. This so-called “Brussels effect” was visible after the implementation of GDPR, which is now a standard in the AdTech industry. As DSA regulations cross borders, effects are yet to be seen around the world. However, in the US, despite relatively weak enforcement and other areas for improvement, APRA provides an excellent starting point for comprehensive consumer data privacy regulations. It allows for stringent regulation of brokers and data platforms while still focusing on consumers, which can work very well for responsible marketers in the long run.

Application

The impact of cookie deprecation has forced privacy-based choices on platforms, data brokers and advertisers, including increased use of contextual advertising and therefore decreased use of behavioral data. This could prove beneficial to VLOPs and VLOSEs that want to maintain DSA compliance by ensuring transparency in online advertising. As DSA turns to enforcement this year, important questions remain, such as the definition of transparency and clarity in consumer data control. Although companies have begun to take steps in implementing the DSA regulations, the overarching impact of the new regulations has not yet been resolved from an economic perspective. Compliance requirements for data brokers are still missing with respect to the DSA’s data minimization and algorithmic transparency provisions. Furthermore, the impact of this change on consumers has not yet been quantified. Noting that these regulations are intended to be consumer-centric, the AdTech industry has been asked to not only comply but also adopt the DSA as it helps establish a long-lost relationship of trust and loyalty between brands and their consumers. As such, the advertising and AdTech industries are certainly bending over backwards to ensure better privacy protections and a highly regulated digital future under DSA, and the results will be revealed over time.