
The Impact of the Digital Services Act on the World of Advertising Technology

Pooja Iyer / May 28, 2024

This piece is part of a series published to mark the first 100 days since the full implementation of Europe's Digital Services Act on February 17, 2024. You can read more items in the series here.

Google’s cookie deprecation, or the process of phasing out third-party cookies, has threatened the advertising industry, specifically the advertising technology or AdTech world, since 2020. While it has allowed the industry to prepare to be privacy compliant under various regulations, Google has allowed for a phasing out of the cookies over five years, which will fully come into effect in 2025. Although the industry has made strides to implement a privacy-compliant cookie-less world, AdTech in the European Union has been preparing for the last two years for a more extensive regulation that has come into effect: the Digital Services Act (DSA). The DSA came into effect in 2022 and has been applicable to all digital services since February 2024. Although the crux of the regulation lies in its requirements around content moderation and the mitigation of disinformation, there are specific guidelines around advertising transparency that have impacted AdTech.

Implications of the DSA for the AdTech industry

Critically, the DSA places consumers at the forefront of consent, control, and access to their own data. Article 26 of the DSA has specific guidelines for online platforms that carry advertising. This includes requiring platforms to provide real-time information to consumers explicitly calling an ad an ad; revealing the source of the advertiser, including the entity that paid for it; and stipulating the targeting parameters utilized. In addition to this, Article 39 highlights the compliance needs around advertising algorithmic transparency for Very Large Online Platforms (VLOP) and Very Large Online Search Engines (VLOSEs). Prior to the application of the DSA in 2024, the commission designated Google and Bing as VLOSEs and a list of companies that had over 45 million users under the VLOP criteria.

The European Commission established certain online consumer brands as very large platforms, including the fast fashion and retail brands Shein and Temu, in addition to the apparent list of VLOPs: Meta, TikTok, Amazon, and X, among others. Most online retailers have been sent notices of non-compliance with the DSA on multiple articles, including deception in product design, the lack of consumer protection on health and safety, as well as transparency failures on algorithms, consumer profiling, and advertising. Many VLOPs and VLOSEs are either undergoing formal proceedings or are subject to requests for additional information under DSA enforcement since April 2024. The enforcement committee has reached out to Meta, X, and TikTok on protection of minors, risk assessment, and content moderation, including on election integrity and disinformation. Furthermore, advertising transparency requests regarding public ad repositories have impacted most of the VLOPs and VLOSEs.

Soon after the DSA went into effect, Amazon challenged its assignment as a VLOP, claiming that its right to freedom of conducting a business was questioned due to the DSA’s requirement of a transparent ad library. The plea was rejected, with Amazon having to work towards a DSA-compliant large e-commerce platform that also functions as an AdTech platform. Other platforms, including AliExpress, TikTok, and Shein, were specifically called out for transparency on profiling for targeted advertising as well as compliance with the DSA to provide a public repository for all advertisements. Around the same time, LinkedIn was sent a request for information related to DSA compliance on targeted advertising using sensitive data or profiling. Meta, however, has been under greater scrutiny on DSA compliance. At the end of April 2024, the Commission opened formal proceedings against both Facebook and Instagram on deceptive advertising, political content, and harm to minors.

An earlier request for information was sent to Meta requesting details on “Subscription for no Ads options” for both its social networks, Facebook and Instagram. While there are no updates on this request yet, Meta pursue a similar strategy that X, formerly known as Twitter, has implemented – a subscription model it launched in 2023 that has different tiers to choose from and that enables reduced ads or no advertising. However, such a subscription model is not entirely in compliance with the DSA, as it apparently has neither curbed the spread of disinformation with content moderation nor has it allowed for greater transparency. Even the “Premium+” model makes no promises about the utilization of consumer data but alludes to a “no advertising” platform. With Meta under heavy scrutiny in recent years, it will have to examine its business model to determine if it is compliant.

Of course, the DSA has been criticized for its broad approach, but that has allowed for some accountability from data brokers as well. For example, one of the largest data brokers, The Trade Desk (TTD), has implemented the DSA properties, placing the onus on marketers to provide all the correct information for advertising transparency. However, since they do not have the 45 million subscribers from consumers, the regulatory obligations for these large data broker platforms on algorithmic transparency are unclear.

Indeed, these kinds of notices are not entirely new for companies. They started with the advent of Europe’s General Data Protection Regulation (GDPR), which has suffered from a lack of enforcement. An essential section of the DSA provides for oversight of the platforms and the largely ungoverned data broker industry on advertising and targeting transparency. Thus, there has been an increase in job opportunities for both enforcement officers within the EU as well as experts in the industry (such as this job at Amazon) to tackle compliance with DSA. One of the most crucial misconceptions with the DSA is that it only impacts VLOPs and VLOSEs, which is not entirely true, as it impacts small, medium, and large platforms. These platforms are expected to review the guidelines to identify the qualifying factors and submit their information accordingly.

All this has not proven to be efficient for businesses that need to account for additional compliance costs, since non-compliance comes at a very hefty price of up to 6% of a company’s global turnover. These costs could ultimately trickle down to the consumer, especially in the costs of goods and services sold by companies like Shein and Temu, who thrive in the low-cost goods category. However, some companies are taking steps to be transparent about their efforts at DSA compliance, such as LinkedIn, which made its DSA transparency disclosures publicly available. While not explicitly DSA focused, Meta’s ad library has also been made publicly available “towards an effort to increase transparency in advertising,” as has Google’s Ads Transparency Center. AdTech industry organizations such as the Interactive Advertising Bureau (IAB) have taken strides in providing DSA transparency implementation guidelines for the industry.

Will APRA be a stepping stone in the US?

While DSA compliance enforcement is in full swing in the EU and the law’s effects may be witnessed around the world, it begs the question around its implications in American regulation. A previous article I wrote for Tech Policy Press showcased the potential impact of the DSA on targeted political advertising in America. However, much more needs to be unraveled when it comes to a federal comprehensive policy. A relatively unregulated industry of platforms and data brokers, coupled with a lack of a comprehensive federal privacy law, suggests the US has a tough road ahead if it wishes to bring these industries to heel – but not an impossible one.

In April 2024, a bipartisan draft of the proposed federal regulation, the American Privacy Rights Act (APRA), was revealed to the world. Taking notes from the previously introduced American Data Privacy and Protection Act (ADPPA), existing EU regulations including the GDPR and DSA, as well as some of the US state regulations such as the California Consumer Privacy Rights Act (CCPRA), the APRA fulfills propositions around data minimization, data transparency, and providing agency to the consumer on managing their data. While the US may not have a regulation yet, it relates to the DSA at an official and political level. Sen. Ted Cruz (R-TX) reportedly sent a scathing letter to the Federal Trade Commission (FTC) questioning the “coordination” between DSA enforcers and the FTC. It was previously reported that the FTC sent Americans to the EU to help enforce the DSA, which made many, mainly Republicans, unhappy as they claim the DSA was implemented to target American firms. (FTC Commissioner Rebecca Slaughter contested this characterization of the Commission’s cooperation with EU regulators.) While the US is unlikely to see a law like the DSA in the near future, its repercussions may well be felt there.

Considering that most VLOPs and VLOSEs are American businesses, there is likely to be a spillover across boundaries that will automatically see some firms effectively operate under DSA compliance in the US, particularly in the AdTech industry. This so-called “Brussels effect” was apparent following the implementation of the GDPR, which is now a standard compliance across the AdTech industry. With DSA regulations crossing borders, the outcomes are yet to be seen around the world. However, in the US, despite its relatively weak enforcement methods and other areas of improvement, APRA is an excellent starting point for comprehensive regulation on tackling consumer data privacy. It allows for stringent regulation of data brokers and platforms while being consumer centric, which may very well work in favor of responsible marketers in the long run.

Conclusion

The impact of cookie deprecation has driven privacy-led choices for platforms, data brokers, and advertisers, including the increased use of contextual advertising, and thus the decreased use of behavioral data. This can prove to be beneficial to VLOPs and VLOSEs seeking to be compliant with the DSA by delivering transparency on online ads. As the DSA takes charge with enforcement this year, essential questions remain, such as the definition of transparency and clarity on consumer control of data. Although businesses have begun to take strides in implementing DSA regulations, the overarching impact of the new regulations is yet to be unraveled from an economic lens. The compliance requirements for data brokers also remain to be seen with regard to the DSA’s regulations around data minimization and algorithmic transparency. Furthermore, the impact on consumers is yet to be quantified. Noting that these regulations are intended to be consumer-centric, the AdTech industry has been asked not only to comply with but also to embrace the DSA as it helps establish the long-lost trust-loyalty relationship between brands and their consumers. Thus, the advertising and AdTech industry is certainly buckling down for a privacy-forward, heavily regulated digital future under the DSA, with outcomes to be unveiled in time.

Authors

Pooja Iyer
Pooja Iyer is a doctoral candidate at the University of Texas at Austin. Her research is at the intersection of big data, advertising, and regulation; she specifically studies behavior and regulation in data privacy, surveillance, propaganda, and personalization in emerging media. With a decade-long...
