2023 was marked by the adoption of key EU legislation in the field of data privacy, such as the Digital Services Act (“DSA”) and Digital Markets Act (“DMA”). Both introduce limitations and obligations on online platforms that process personal data for digital advertising. Ahead of the DSA and DMA’s implementation deadlines in February and March 2024 respectively, we will discuss below the key requirements they introduce specifically in relation to online targeted advertising. This blog post complements our previous blog post on the EU’s targeted advertising rules.

DMA Rules on Targeted Advertising

Scope. The DMA applies to designated gatekeepers, which are providers of core platform services – such as online intermediation, social networks, video sharing, operating systems, cloud computing, and advertising- that meet certain size, revenue, and user criteria.  For more information about the DMA, please see our previous blog posts here and here.

Legal Basis. The DMA limits the GDPR legal bases that gatekeepers may rely on to process personal data of end-users for the purpose of providing online advertising services.  For example, gatekeepers must obtain consent for processing personal data in certain cases, such as online advertising purposes or combining personal from different online services.  Yet, the DMA offers the possibility to rely on other GDPR legal bases, including (i) a legal obligation; (ii) the protection of vital interests of individuals; and (iii) the performance of a task carried out in the public interest or in the exercise of official authority, where applicable.

The end-user’s consent must meet the conditions of the GDPR, i.e., it must be “freely given, specific, informed and unambiguous.” Additionally, the DMA has specific rules prohibiting nudging techniques.  It prohibits making the choice between consent and not consenting “unduly difficult,” and requires providing both choices to end-users in a “neutral manner.” For more information on dark patterns, see our previous blog posts here and here.

The gatekeeper will be required to inform end-users of the consequences of not providing consent, namely that not giving consent can lead to a less personalized offer, but that otherwise the core platform service will remain unchanged and that no functionalities will be suppressed.

Rules on Publishers and Advertisers. Gatekeepers are required to provide to publishers and advertisers:

  • information, free of charge and on a daily basis, on (i) the costs associated with a relevant ad (including through disclosure of the remuneration or average amount of remuneration received by the publisher – or the average remuneration), (ii) the remuneration or average amount of remuneration received by the publisher or advertiser (including any deductions and surcharges), and (iii) the criterion used to calculate the pricing model and remuneration (e.g. price for impression, per view, etc.); and
  • access to the performance measuring tools of the gatekeeper and the data necessary for advertisers and publishers to carry out their own independent verification of the advertisements inventory, including aggregated and non-aggregated data, free of charge. Such data shall be provided in a manner that enables advertisers and publishers to run their own verification and measurement tools to assess the performance of the core platform services provided for by the gatekeepers.

DSA Rules on Targeted Advertising

Scope. The DSA applies to a broader set of entities, including intermediary services providers (e.g., social media platforms, internet service providers, cloud providers, search engines, online marketplaces, among others).  For more information about the DSA, please see our previous blog posts here and here.

Rules Applicable to Online Platforms. The DSA provides specific rules in relation to targeted advertising.  Online platforms are required to comply with the following provisions:

  • Protection of Minors. The DSA prohibits online platforms that are “aware with reasonable certainty” that their users include minors from showing targeted advertising, particularly when based on profiling, that was generated based on the minors’ personal data.  In any event, online platforms need to ensure that their platforms or services offer a high level of privacy, security and safety to minors;
  • Transparency. Online platforms need to provide clear and comprehensible information on (i) the fact that the information displayed is an advertisement (e.g., use of prominent markings); (ii) the identity of the natural or legal person on whose behalf the advertisement is presented; (iii) the identity of the natural or legal person that paid for the advertisement (if not corresponding to the one mentioned above); (iv) the main parameters used to determine the recipients to whom the advertisement is presented (e.g., depending on whether the advertisement is contextual or another type); and (v) where applicable, the procedure to change such parameters; and
  • Ad Repositories. Online platforms need to maintain ad repositories for company oversight in relation to the content of targeted advertisements.

The European Data Protection Board’s (“EDPB”) 2023-2024 Work Program mentions that the EDPB is working on guidance on children’s data which will analyze the scope of Article 8 of the GDPR in combination with Article 24 of the DSA.  Additionally, under the DSA, the European Commission may publish guidelines for providers of online platforms by the European Commission (in consultation with the Board) to guide and support them in complying with rules on children’s protection, as per Article 28(4) of the DSA.

Rules Applicable to VLOPs & VLOSEs. In addition to the aforementioned obligation, very large online platforms (“VLOPs”) and search engines (“VLOSEs”) will need to comply with the following obligations:

  • Additional Transparency.  VLOPs and VLOSEs must maintain a repository containing clear and comprehensible information on: (i) the content of the advertisement; (ii) the identity of the natural or legal person on whose behalf the advertisement is presented; (iii) the identity of the natural or legal person that paid for the advertisement (if not corresponding to the one mentioned above); and (iv) the period during which the advertisement is presented; and
  • Risk Assessment.   VLOPs and VLOSEs will need to assess whether the systems for selecting and presenting advertisements have any effect on potential systemic risks of the service.

Commission’s Role. The EU Commission is expected to encourage the development of voluntary standards and code of conducts for online advertising.

***

The Covington team will keep monitoring developments on online targeted advertising and the implementation and enforcement of the DMA and DSA, and continue to report on them on our blog Inside Privacy. We are happy to assist with any inquiries on the topic.

(This blog post was drafted with the contribution of Diane Valat.)

Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.