Understanding and adapting to the impact of changing EU Privacy Laws

George Stolton • 03/01/2024

The last 5 years have seen accelerated change in digital privacy law, with social, political and legal mandates impacting the technological landscape.

The most recent of these are the EU Digital Markets Act (DMA) and the Digital Services Act (DSA), both of which have had surprisingly little surrounding discourse, despite the impending Q1 2024 application. Ultimately, the goal of this regulation is to make sure Europe is ready for the digital age, not just through regulation but also by improving skills, security and sustainable digital infrastructure. The ideal outcome is a fairer and more level playing field that encourages digital innovation and gives digital businesses the opportunity to grow and compete globally, in a space that is currently dominated by existing tech giants, primarily US-based.

This is especially important in the digital advertising industry, which has been fast-moving but historically poorly regulated when it comes to privacy, with the largest strides only occurring in recent years.

What changes have occurred already?

General Data Protection Regulation (GDPR) enforcement began in 2018, applying to any organisation that handles personal data within the EU, or offers goods and services to individuals in the EU. Privacy in the digital space has been a more common subject of discussion since this came into force, and overall GDPR has had a significant impact on digital marketing, including in the following ways:

  • Consent and transparency in collecting user data.
  • Secure data handling and storage, with the user able to access, rectify, erase or object to this data.
  • Stricter restrictions on personalised targeting.

While the above is by no means exhaustive, it did set in motion larger scale changes to cookie policies and the upcoming Digital Markets Act and Digital Services Act.

What is the Digital Markets Act (DMA)?

The DMA addresses the digital sphere by introducing new rules and obligations for entities identified and labelled as a ‘Gatekeeper’ by the EU Commission. Gatekeepers must comply with 2 tiers of obligations that ultimately enforce the goal of levelling the online playing field and encouraging fair market practice.

Tier 1 includes obligations that do not require further details from the Commission. This includes impacts to cross-platform data sharing, price transparencies and further data use permissions.

Tier 2 includes obligations that are more nuanced, meaning the Commission can be contacted for clarity around implementation proposals. This includes business data access, subscription restrictions, search engine transparencies, self-preferencing, and third-party tool and software access.

As of Sept 2023, the EU Commission has labelled 6 companies as Gatekeepers: Alphabet (Google), Amazon, Apple, ByteDance (TikTok), Meta and Microsoft.

Based on the official EU timelines, we’re working towards the obligations applying from March 2024 onwards.

Source: https://ec.europa.eu/commission/presscorner/detail/en/ip_23_4328

What is the Digital Services Act (DSA)?

The main goal of the Digital Services Act is to prevent harmful and illegal online activities and reduce the spread of disinformation. This aims to be applied across a variety of platforms, including marketplaces, social networks and app stores.

The obligations of enterprises in the online space have been categorised in the following way:

  • Very large online platforms and search engines pose particular risks in the dissemination of illegal content and societal harms. Specific rules are foreseen for platforms reaching more than 10% of 450 million consumers in Europe. The list of designated platforms is available on “DSA: Very large online platforms and search engines”.
  • Online platforms bring together sellers and consumers, such as online marketplaces, app stores, collaborative economy platforms and social media platforms.
  • Hosting services such as cloud and web hosting services (also including online platforms).
  • Intermediary services offering network infrastructure: Internet access providers and domain name registrars (also including hosting services).

Source: https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-services-act_en 

The above categorisations will be subject to different tiers of rules: some will still impact all of these, while the majority will just impact large and very large online platforms.

Documentation states that there are more than 10,000 platforms in the EU, of which over 90% are small or medium sized enterprises. These then have to deal with 27 different sets of national rules, yet only the largest companies are able to deal with the accompanying levels of compliance to operate across all countries. A single set of rules is expected to allow cross-border digital services to prosper, supported by standardised guidelines while still being held accountable.  

DSA rules are expected to apply from 27th February 2024 to all platforms, though the companies designated as Very Large Online Platforms have been subject to these since August 2023. Introduction of ad transparency tools is a direct result of these changes, as evidenced now by TikTok and Google, while Facebook Ads has always been ahead of the game here with their own ad library tool.  

An example of detail available from TikTok’s ad library. 

There are no clearly defined impacts on advertisers, but we can infer the following:

  1. Reductions in targeting capabilities are expected for advertisers without explicit consent from the user.
  2. Increased transparency around the ads being run and, for a user, why they have received them. For advertisers, this level of transparency is not all bad, as it can provide additional competitor insights.
  3. Further focus on user consent from app stores.
  4. Bans on ads targeted at children or based on special characteristics, such as race, gender and religion, notably for social media companies.
  5. Smaller retargeting lists as a result of fewer opted-in users.

Strategies may need to be re-thought, with an approach that targets users at a category level rather than hyper-specifically. This is the direction the industry has already been heading in recent years, and it will continue to receive growing emphasis.

This also means looking at a bigger picture beyond a single ad channel, considering measurement methods that allow user consent to be protected while also understanding the business impact of digital advertising across all channels.  

Inferring how this will impact companies:  

  1. Easier cookie consent is required, with a user either able to accept or reject cookies on a landing page, without having to dig into multiple different menus to turn off cookies.  
  2. Tech companies will be banned from ranking their own services more favourably than others: ‘Consumers will be able to see which are the best options available and not just those that the gatekeepers want them to see’.
  3. There are complications with companies such as Shopify, who work with a large number of small businesses. If they are designated as a gatekeeper, it is unclear what this means for small businesses' first-party data and how this is used or accessed.

There are larger requirements beyond just an advertising perspective, such as following a code of conduct, data sharing with authorities and researchers, and ‘risk management obligations and crisis response’.

What happens next? 

This is a wide and ever-evolving subject, with the ultimate impact of these specific directives being to increase available jobs in this industry by having a level playing field, and to expand economic growth.

While the focus of this is in the EU specifically, advertisers targeting here will still need to abide by this legislation. As well as this, there are similar privacy laws coming into play in the United States, but only on a state-by-state basis. California was the first state to introduce their equivalent of GDPR, the CCPA, and this is slowly being implemented in other states. This begs the question: would a platform release two products to cater for individual markets, or will there be a wider rollout of one single product that meets required obligations? A recent example of this coming into practice is EU legislation requiring iPhones to use USB-C. It will be more cost-effective to update products globally than to have two different products being manufactured.

There are also further changes occurring across individual platforms, such as Apple iOS 17 and Link Tracking Protection (LTP). This removes tracking IDs (such as a Google GCLID) and prevents cross-domain tracking. At present, this is only impacting those using private browsing or those clicking links from Mail or Message apps, but it would not be a surprise to see this rolled out to standard browsing in the future.

Advertisers should continue adopting privacy-safe measurement wherever possible, such as consent mode and enhanced conversions on Google Ads, to be prepared as these changes continue rolling out into the future. Businesses should focus on resolving their measurement setup to ensure that rich data is collected prior to upcoming changes. Having a robust marketing setup now, with a deep customer understanding, will help alleviate any upcoming volatility driven by data collection or data application.
