In a world where data is ‘the new oil', competition authorities are having to tackle fresh issues as data and antitrust converge. The first edition of the GCR Data & Antitrust Guide – edited by Miranda Cole and Lara White – offers a wide-ranging view of how key jurisdictions around the world are addressing new regulatory and enforcement questions and provides practical and timely guidance for those trying to navigate this fast-moving environment. The Guide draws on the wisdom and expertise of distinguished practitioners to deliver unparalleled proficiency in the field.
How the interplay between competition and privacy law is affecting online advertising
INTRODUCTION
Online advertising today relies on the collection, matching and use (including sharing) of vast amounts of personal data. In some cases, this information is shared among a web of hundreds of advertising intermediaries of varying sizes. In others, the information collected remains primarily within the closed environment of a single entity (or group of entities).
The amount of personal data involved and the way it is collected, used and shared has attracted (and continues to attract) a lot of attention from privacy and competition regulators, the courts and, ultimately, consumers, including in relation to the interplay between privacy and competition laws – which are not always aligned.
In this chapter, we:
- provide a brief, high-level overview of how online advertising works;
- look at the privacy challenges relating to the online advertising ecosystem;
- look at the competition law challenges relating to online advertising; and
- explore the direct and indirect interplay between privacy and competition law in the context of online advertising.
OVERVIEW OF ONLINE ADVERTISING
The online advertising ecosystem is complex. At its core, it involves a transaction between advertisers wanting to present their advertising content to an online target audience (including users of websites, apps and social media) (the buy side) and publishers and digital platforms who have advertising space (or inventory) that they want to sell (the sell side).
At its simplest, online adverting can be split into two main channels: search advertising and display advertising.
SEARCH ADVERTISING
A search ad is displayed in search results following the use of a search engine (i.e., on the search engine results page (SERP)). Advertisers bid on keywords so that their advertisement appears when the search performed uses the keyword or term. In addition, information about the user (e.g., their location, search history and other information available to the search engine) will influence the search ads they are presented with, to ensure their relevance. These ads appear at the top of the SERP (although they are also intermingled in the search results in certain contexts, including those in respect of certain vertical searches), and are marked as ‘Ad' or ‘Sponsored', depending on the search engine, with information about why an advertisement is being made available to the user.2
DISPLAY ADVERTISING
Display ads are proactively displayed to users (i.e., visitors to a social media platform, website or app) because they fall into a category of individuals whom the advertiser wishes to target. They often take the form of banner ads, side bar ads or pop-up ads. This type of advertising is often referred to as ‘outbound' or ‘push' advertising because it is instigated, at least indirectly, by the advertiser, unlike search ads, which are an ‘in-bound' or ‘pull' form of advertising (where advertisements are displayed in response to user-initiated searches).
Display advertising falls into two broad categories:
- Opendisplayadvertising: Publishers sell their inventory to a wide range of advertisers through an auction process referred to as real-time This relies on a complex ad tech chain, including ad exchanges, ad servers, ad networks and data management platforms. These vendors match up the buy side and sell side and provide a range of different services, from helping publishers to generate the most revenue from their advertising space, to helping advertisers enrich the data they hold or to measure the success of campaigns.
- The‘walledgarden' model: Large players – such as Facebook, Instagram and Google – sell their own inventory through their own ad tech stack, meaning that they own the relationships with both advertisers and the They collect information about users while those users interact with their services and visit other online services or websites (using embedded tracking technology).
Display advertising relies on the collection and sharing of large amounts of data about users to try to ensure that the ads reach the most relevant audience and that individuals are presented with ads that are likely to be of most interest to them. Generally, this collection and sharing of information about a particular user occurs via third-party cookies3 and other tracking technology4 that is placed in a user's browser when they visit a website or app, or look at something on social media, stores information about their use of the internet (e.g., websites visited) and identifes visitors between different websites. This includes technology used by social media platforms to leverage a user's off-platform activity to advertise to them when they are on the social media platform.5
PRIVACY REGULATORY CHALLENGES
In many jurisdictions, the information collected via the tracking technology used in online advertising is personal data or personal information, even though a named individual cannot be identifed from the relevant identifer alone. Accordingly, it must be handled in accordance with applicable privacy laws. Owing to the complexity of the online ad ecosystem, full compliance with these laws is often challenging
Various jurisdictions have introduced rules specifcally addressing the use of cookies and other tracking technologies. In Europe, for example, the ePrivacy Directive6 (and the national laws implementing it into Member State law) requires organisations that store information on, or gain access to information from, a user's terminal equipment (which includes the use of cookies and other tracking technology referred to above) to provide users with information about the use of cookies and to collect opt-in consent from users in advance of setting them up on their browser. Providing true transparency about the use of this technology, and the collection of consent, by the large number of adtech vendors involved in the ecosystem (including about what is collected and shared and whose data is shared) has always been challenging. This was brought into sharper focus after the General Data Protection Regulation7 (GDPR) came into effect because of its more prescriptive requirements around transparency and very specifc requirements for the collection of valid consent. Most signifcantly, valid consent must be informed, granular and freely given and must name the party relying on it. In the context of a complex web of data sharing, this is very challenging.
This is not just a European issue. In the United States, for example, where there are many state privacy laws, the use of tracking technology (and user control of its use) is also starting to be regulated.
Leaving aside cookie-specific laws, general privacy laws also apply to the use of cookie data and other forms of personal data; for example, what logged-in users view when they access a social media platform.
Under the GDPR, any personal data collected in the context of online advertising must be processed (i.e., handled) on a valid lawful basis. Large organisations have sought to rely on lawful bases other than consent to justify the use of certain personal data for advertising purposes (e.g., that the processing for advertising purposes is necessary for the performance of the contract the user has entered into with the social media company); however, regulators and courts across Europe are tightening their view of when a lawful basis other than consent can be used for online advertising purposes. This came into focus in the Court of Justice of the European Union (CJEU) judgment in Case C-252/21 (Meta Platforms and Others (General terms of use of a social network)), involving Meta Platforms Ireland Limited, the operator of Facebook in the European Union (see further, below). Even consent is not without challenge, however, as questions as to whether consent has been freely given in the context of the use of large online platforms are frequently raised. The CJEU found that an alternative to consenting to the processing of data (other than not using the services) must be offered but accepted that this could be offered for an appropriate fee. Meta has since introduced a subscription option for an ad-free service for users in the European Union, European Economic Area (EEA) and Switzerland, which has already prompted calls for the European Data Protection Board to issue a binding opinion on the lawfulness of this model.
Attempts to deal with some of these privacy compliance challenges (such as the transparency and consent framework of IAB (Interactive Advertising Bureau) Europe8 and Google's deprecation of third-party cookies) have faced criticism, and there have been calls for data protection authorities to investigate the compliance of the online advertising industry with privacy laws. Accordingly, we have seen investigations by data protection authorities, including the United Kingdom's Information Commissioner's Ofce (ICO), specifcally focused on real-time bidding,9 the French regulator (the National Commission for Information Technology and Liberty (CNIL)), which focused on valid cookie consent and issued some very high-profle adtech-related privacy fnes,10 and the Irish Data Protection Commission, which is responsible for regulating the EU activities of many of the world's largest technology companies.11
To view the full article click here.
Footnotes
1. Miranda Cole, Christoph Ritzer and Lara White are partners at Norton Rose Fulbright
2. Some laws, such as the EU Digital Services Act, set out minimum mandatory information with which users must be presented.
3. Third-party cookies are set by parties other than the owner of the website being visited by the user. Examples include the cookies set by domains such as doubleclick.net for products such as Google Ad Manager.
4. Other forms of tracking technology are also used alongside cookies for advertising purposes, including pixels and device fingerprinting.
5. For example, the Facebook pixel, which is very commonly used technology incorporated into websites to help optimise ads, builds custom audiences on the Meta platforms and remarkets to people.
6. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L 201, 31.7.2002, pp. 37–47.
7. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
8. Interactive Advertising Bureau (IAB) Europe's Transparency and Consent Framework (TCF) aims to contribute to the compliance by organisations relying on the OpenRTB Protocol (the OpenRTB Protocol is one of the most widely used protocols for real-time bidding). Since 2019, the Belgian Data Protection Authority (DPA) has received a number of complaints about conformity of the TCF. In February 2022, the Belgian DPA found that IAB Europe was a data controller, such that it could be liable for the breaches of the General Data Protection Regulation (GDPR) identified by the Belgian DPA (e.g., no legal basis for the processing, lack of transparency on the nature and scope of processing, no organisational or technical measures to ensure data protection by design and by default, no data protection officer, no data protection impact assessment). The Belgian DPA imposed a fine of €250,000 on IAB Europe, reflecting the seriousness of the infringements, and ordered corrective measures to bring the TCF into conformity with the GDPR. On appeal, the Brussels Market Court issued an interim ruling in September 2022 referring questions to the Court of Justice of the European Union (CJEU) about the concept of data controller (in light of IAB Europe's position as a standard-setting sectoral organisation) and on whether a ‘TC String' (i.e., a digital signal containing user preferences) is ‘personal data' under the GDPR. The CJEU answered these questions in IAB Europe v. Gegevensbeschermingsautoriteit (reference ECLI:EU:C:2024:214), confirming that the ‘TC String' was personal data and that IAB Europe acted as joint controller.
9. Information Commissioner's Office (ICO), ‘Our work on adtech' (- https://ico.org.uk/about-the-ico/what-we-do/our-work-on-adtech/).
10. These include fines for Meta, Google, Apple, TikTok and Microsoft.
11. The Irish Data Protection Commissioner's Office adopted two decisions on 31 December 2022, in which it concluded that Meta Platforms Ireland Limited was not entitled to rely on ‘contract' as the legal basis for its behavioural advertising and imposed fines of €210 million on Facebook and €180 million on More recently, it published a decision imposing a ban on Meta Platforms Ireland Limited for the processing of personal data for behavioural advertising purposes on the basis of contract and legitimate interest.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.