What does the DSA mean for online advertising and adtech?
Pieter Wolters & Frederik Zuiderveen Borgesius
iHub, Radboud University
What does the Digital Services Act (DSA) mean for online advertising and adtech (advertising technology)? This blog post, based on a new research paper, explores that question. The most controversial insight is that ad networks and some other adtech companies must — based on an analysis of the DSA’s definitions — be considered ‘platforms’ in the sense of the DSA. Hence, they must comply with the DSA’s general rules for platforms.
This blog post is based on a paper we recently published, open access: ‘The EU Digital Services Act: what does it mean for online advertising and adtech?’.
Online advertising is among the main income streams for some of the largest companies in the world, such as Facebook (Meta) and Google (Alphabet). These companies collect vast amounts of information about hundreds of millions of people in order to personalise ads based on users’ interests. Many people see this as a form of privacy interference. Moreover, advertising may contain fraud, misinformation and other illegal or harmful content.
Online advertising is often offered through online platforms that connect their users to advertisements supplied by third parties.
What does the Digital Services Act (DSA) mean for online advertising?
The first question is: who must comply with the DSA? Many rules in the DSA apply to online platforms, many of which offer integrated advertising services (think Meta Ads, TikTok Ads, or LinkedIn Ads). We call the advertising ‘integrated’ because the company enables advertisers to advertise on the platform directly (without going through an intermediary).
For some other types of adtech companies, it is less obvious how they should be qualified under the DSA.
For example, ad networks are companies that connect advertisers to publishers of apps and websites. Roughly summarised, an ad network has contracts with thousands of websites. An advertiser can contract with the ad network to show its ad on those websites. An ad network typically uses tracking cookies or similar technology to recognise individual internet users when they visit websites within the company’s network and to build profiles on them. This allows the ad network to present personalised advertisements to the users, for which it can receive a higher remuneration than for non-personalised ads.
In short, platforms in the DSA sense (i) are ‘hosts’ and (ii) disseminate information to a potentially unlimited number of parties (Article 3(i) DSA). We apply those criteria to a typical ad network.
(i) ad networks provide hosting services by storing the advertisements on behalf of the advertisers (the recipients). This was confirmed in 2010, when the Court of Justice of the European Union ruled that one of Google’s advertising services (‘AdWords’) concerned ‘hosting’ because Google AdWords stored ads for advertisers. That judgment is from more than a decade ago, but it is still relevant because it dealt with a definition of ‘host’ that closely resembles the one in the DSA.
(ii) ad networks also disseminate the stored advertisements to the public, and do so without the direct active involvement of the recipient (the advertiser). Although the recipient may set certain parameters for the dissemination of the advertisement, the ad networks are ultimately responsible for serving the advertisement to specific viewers.
Accordingly, we argue that ad networks fall into the category of platforms.
Some ad networks may even qualify as very large online platforms (VLOPs), since the advertisements can be seen by millions of people through the ad banners on third party websites and apps. In our view, the DSA’s definition of ‘online interface’ also encompasses such banners, which means that the viewers of the advertisements count as recipients (see the ‘Ad networks’ section of the paper). However, the European Commission has not designated any ad networks as VLOPs.
Other types of adtech companies do not fall under the DSA’s definition of a platform. For instance, a company that specialises in analysing the number of people that ads reach may not host any information for others. If a company does not host information for others, it does not provide hosting or platform services. (For more details, see the section in the paper ‘The applicability of the DSA to online advertisements’).
What does it mean if an adtech company is a platform that must comply with the DSA? The general DSA rules on platforms apply. Advertisements are a form of information, and thus subject to the general rules of the DSA. For example, it should be possible for normal users to notify the platform if an advertisement contains illegal content. If a notifier or advertiser does not agree with the platform’s content moderation decision, the notifier and advertiser must have access to internal complaint mechanisms and out-of-court dispute settlement, says the DSA.
Furthermore, platforms must offer transparency about the recommender systems for advertisements and offer a version of this recommender system that is not based on profiling. Hence, if an ad network company is so large that it counts as a VLOP, it should also comply with Article 38 DSA and offer a profiling-free version of its recommender system.
Some ad networks sometimes enable internet users to stop personalised ads. For example, Google enables advertisers to advertise on websites through Google’s ad network. Google enables a visitor to a non-Google website (eg cnn.com) to click on a small logo, for instance a small ‘triangle’, in an ad that is served by Google. After clicking that logo, the website visitor sees a Google web page where the visitor can choose to ‘Turn off Personalize [sic] ads on this site.’ Criteo, another ad network company, offers a similar option. But the fact that Google and Criteo offer this possibility does not necessarily mean that the companies see their ad networks as VLOPs. Online marketing companies have offered some possibilities to opt out of certain forms of profiling-based advertising for years—long before the application of the DSA.
Transparency requirements
The DSA imposes several transparency obligations in relation to advertisements. For example, platforms should be transparent about the functioning of their recommender systems. Platforms should also provide various information about the nature and origin of the presented advertisements. In addition, very large online platforms (VLOPs) should develop a publicly available repository with information about the ads they presented.
Below, we mention some of the main DSA requirements for platforms regarding online advertising.
A ban on profiling-based advertising using sensitive data
During the negotiations about the draft DSA, some members of the European Parliament wanted to ban all profiling-based advertising (behavioural advertising). Such a ban did not make it to the final text of the DSA. But the DSA does include two bans: on profiling-based advertising based on ‘sensitive data’, and on profiling-based advertising targeted at children.
We start with the ban on profiling-based advertising using ‘special categories of personal data’, often called sensitive data in practice. Article 26(3) DSA says:
Providers of online platforms shall not present advertisements to recipients of the service based on profiling as defined in Article 4, point (4), of [the GDPR] using special categories of personal data referred to in Article 9(1) of [the GDPR].
The ban only applies to advertising ‘based on profiling’. Targeted advertising that is not based on profiling is thus still allowed. The definition of ‘profiling’ in the sense of Article 4(4) of the GDPR requires that personal data are processed in an automated way ‘to evaluate certain personal aspects relating to a natural person’.
For example, if somebody declares that he or she is gay, and a marketing company uses that information to target ads to that person, the company has arguably not ‘evaluated’ aspects of the person. Therefore, the company has not engaged in profiling, and the restrictions on profiling do not apply.
Existing law (the GDPR and the ePrivacy Directive) already requires prior explicit consent for profiling-based advertising using special categories of data. The DSA’s ban on profiling-based advertising and sensitive data is stricter than the existing rules, because the DSA does not enable people to override the ban with consent.
A ban on profiling-based advertising targeted at minors
The DSA bans profiling-based advertising (behavioural advertising) if it targets children. Like the ban on profiling based on sensitive data, Article 28(2) DSA only applies to platforms. The provision reads as follows.
Providers of online platforms shall not present advertisements on their interface based on profiling as defined in Article 4, point (4), of [the GDPR] using personal data of the recipient of the service when they are aware with reasonable certainty that the recipient of the service is a minor.
The DSA’s ban on targeting minors with advertising applies to advertising ‘based on profiling’ as defined in the GDPR. Hence, a platform is probably still allowed to target ads to minors if the platform learns about the interests of a minor through other means than profiling.
The ban applies when the platform knows ‘with reasonable certainty that the recipient of the service is a minor’. Platform providers are not required to collect extra data or use extra profiling to find out which users are minors (Article 28(3) DSA). Indeed, such extra data collection would be hard to square with the GDPR’s data minimisation principle.
As noted, existing law already requires the internet user’s consent for profiling-based advertising. For minors, the situation is more complicated. Roughly summarised, under the GDPR, minors cannot give valid consent; the parent should give consent instead. EU member states have set different minimum consent ages, ranging from 13 to 16 years. The company must make ‘reasonable efforts’ to verify that consent is given by the parent. In sum, the DSA’s ban on profiling-based advertising targeted at children is stricter than prior law because the ban cannot be overridden by parental consent.
Concluding thoughts
We showed that the more general rules of the DSA also apply to advertisements and ad networks. Advertisements are a form of information, and thus subject to the general rules of the DSA. For example, platforms (including ad networks) must offer transparency about the recommender systems for advertisements and offer a version of this recommender system that is not based on profiling.
Moreover, we conclude that the DSA applies to some types of ad tech companies, such as ad networks. The qualification of ad networks as platforms leads to the application of the more general obligations in the DSA, such as obligations to work with trusted flaggers and, in the case of Very Large Online Platforms, to address systemic risks. The relevance of these general obligations for advertising networks has been underexplored and deserves further research.
We encourage the European Commission or regulators to clarify the concepts of ‘online platform’ and ‘recipients’ in the context of ad networks and other adtech companies. The scope of the two above-mentioned bans on profiling-based advertising could also use clarification. One thing is clear already. The DSA can have far-reaching effects for online advertising and adtech.