The EU is in the process of adopting the Digital Markets Act and the Digital Services Act.  Both acts include rules applying to online-targeted advertising, commonly understood as the conveyance of messages over the Internet directed at a particular group of people who are perceived to be interested in the message in order to advance commercial or other interests.  This blog post provides an overview of the existing and soon to be adopted EU data related rules applying to online-targeted advertising.  It does not cover rules relating to ranking systems.

Existing Data Related Rules

Currently, online targeted advertising must abide by certain data related rules of the following laws:

  • the ePrivacy Directive (Directive 2002/58/ED, as amended);
  • the GDPR (Regulation (EU) 2016/679, as amended);
  • the eCommerce Directive (Directive 2000/31/EC);
  • the Unfair Commercial Practices Directive (Directive 2005/29/EC, as amended);
  • the Directive on Misleading and Comparative Advertising (Directive 2006/114/EC, as amended);
  • the Audiovisual Media Services Directive (Directive (EU) 2018/1808); and
  • the Consumer Rights Directive (Directive 2011/83/EU, as amended).

Below we summarize these rules:

  • The ePrivacy Directive applies to the extent that online targeted advertising requires deploying cookies and similar technologies that store information on or gain access to information already stored in a user’s terminal equipment (e.g., laptop and phone).  Online targeted advertising often relies on these tools to function. 
    • Unless the online targeted advertising is a service (or part of a service) that a user specifically requested, consent is needed for deploying the cookies and similar technologies.  This consent must meet the standard of the GDPR, which essentially means that it must be freely given, specific, informed and unambiguous indication of the user’s wishes.
    • The directive applies regardless of whether the user’s information is classified as personal data or not under the GDPR.  It essentially applies to gaining access to any information (personal or not) stored on the device, or storage of such information on a device.
    • The EU has been working since 2017 on a regulation that is meant to replace the ePrivacy Directive.  However, negotiations have been stalled since the end of 2021.  The regulation is unlikely to change the general rule that consent is required for dropping cookies or similar technologies for online targeted advertising unless such advertising is part of the requested service.
  • The GDPR applies to the extent the online targeted advertising involves the processing of personal data, which is broadly defined as any information relating to an identified or identifiable individual.  The GDPR includes several obligations for entities processing personal data.  Two important obligations are that of (i) providing notice and (ii) having a legal basis.
    • The GDPR requires informing individuals that their personal data is used for online targeted advertising, how long it is retained, with whom it is shared, and other particulars. (see Articles 13 and 14 GDPR)
    • The processing of personal data for online targeted advertising must be based on one of the legal basis set out in Article 6 GDPR.  If the personal data includes sensitive data (such as data revealing someone’s religion, health status or sexual status), the processing must also be based on one of the exceptions in Article 9(2) GDPR.
  • The e-Commerce Directive applies to commercial communications, which includes online targeted advertising.
    • The directive requires that the online targeted advertising be clearly identifiable as such and that it identifies the natural or legal person on whose behalf the advertising is shown.
    • The directive also requires that promotional offers, such as rebates, and promotional competitions or games, be clearly identifiable, and that the associated conditions be easily accessible and presented clearly and unambiguously.  It also includes specific rules on online targeted advertising by regulated professions (such as healthcare professionals and legal professionals).
  • The Unfair Commercial Practices Directive applies to business-to-consumer commercial practices, which includes online targeted advertising.  It prohibits “unfair” advertising, including advertising that is misleading or aggressive. 
    • Online targeted advertising is unfair if it is (i) contrary to the requirements of professional diligence or (ii) it materially distorts or is likely to materially distort the economic behavior of the average consumer, or of the average member of the group when a commercial practice is directed to a particular group of consumers, with regard to the product.
    • Annex I of the directive includes examples of commercial practices that are unfair.  For example, it mentions that “exhorting” children to buy advertised products or to persuade their parents or other adults to buy advertised products for them is unfair.
  • The Directive on Misleading and Comparative Advertising applies to online targeted adverting.  Its rules aim primarily to protect advertisers from each other.
    • The directive prohibits misleading advertising and sets out conditions for comparative advertising.
  • The Consumer Rights Directive applies to the conclusion of sales and service contracts with consumers.
    • The directive requires providing consumers with a minimum set of information before they are bound by a contract.  Among other things, it requires indicating whether a price was personalized on the basis of automated decision-making. 
  • The Audiovisual Media Services Directive applies to video-sharing platforms, including advertising shown on these platforms.
    • The directive sets out standards for commercial communications by the platforms themselves and by users.  For example, it prohibits the use of surreptitious or subliminal techniques of advertising if they are not readily recognizable as such.

Upcoming Rules

The draft Digital Markets Act and the draft Digital Services Act will include rules on online targeted advertising.  Below we provide a summary of these new rules.

  • The Digital Markets Act (“DMA”) applies to specific organizations designated as “gatekeepers”, which include companies providing platforms showing advertising and companies offering online advertising services (e.g., advertising networks, advertising exchanges and any other advertising intermediation services).
    • The DMA restricts the processing of personal data for providing online advertising.  For example, gatekeepers are not allowed to use for online advertising purposes the personal data of end users that use a gatekeeper’s platform to access and use third party services.  
    • Gatekeepers must also provide advertisers and publishers upon their request with access to the performance measuring tools of the gatekeeper and the data necessary for advertisers and publishers to carry out their own independent verification of the advertising inventory.
  • The Digital Services Act (“DSA”) applies to providers of intermediary services, including Internet service providers, cloud providers, search engines, social networks, online marketplaces, and other online platforms.
    • The DSA prohibits presenting advertising based on profiling using: (i) personal data of the recipient of the service when they are aware with reasonable certainty that the recipient of the service is a minor; or (ii) special categories of personal data (as defined under the GDPR).
    • The DSA requires identifying online targeted advertising as such.  It also requires providing the following information: (i) the identity of the natural or legal person on whose behalf the advertisement is presented; (ii) the identity of the natural or legal person that paid for the advertising (if different from the person under (i)); and meaningful information about the main parameters used to determine the recipient to whom the advertisement is presented and, where applicable, information on how to change these parameters.
    • The DSA requires very large online platforms to:
      • adapt their advertising system and adopt measures that limit or adjust the presentation of advertisements in association with the services they provide, where applicable; and
      • compile and make publicly available in a specific section of their online interface information about the online advertising shown on their platforms.
    • The DSA requires the European Commission to encourage the development of:
      • voluntary codes of conduct for online advertising and ensure that these codes pursue an effective transmission of information in compliance with competition law and data protection laws; and
      • voluntary standards by relevant European and international standardization bodies in the area of online advertising.

*                      *                      *

The Covington Team will keep monitoring the developments on the aforementioned legislation, and is happy to assist with any potential inquiry on the topic of online-targeted advertising.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.