On 10 February 2021, the European Data Protection Supervisor (EDPS) published two opinions on the Commission’s proposals for the Digital Services Act and Digital Markets Act.
Among a number of recommendations regarding the already extensive use of personal data by digital services providers, the EDPS considered that changes to transparency rules contained in the Digital Services Act would be particularly important in respect of online advertising. The EDPS recommended that the Digital Services Act be clearer on the information that advertisers need to provide to individuals regarding on whose behalf the advert has been placed and how it has been selected.
However, the EDPS was also of the view that the privacy risks associated with online advertising could not be solved by increasing transparency alone. This is perhaps demonstrated by an article published by the BBC today regarding the endemic use of “spy” pixels in emails. Such pixels are included in emails sent by many brands and can be used to log information such as if, where and when an email was opened. This information can then be used to inform a company of how successful a particular email campaign was and, maybe more surprisingly, fed into more detailed customer profiles and linked to cookies allowing a user’s online activity to be traced across multiple devices. Although the use of pixels is widespread, consumer understanding of how they work is low and they can be difficult to turn off. Current data protection legislation requires pixel users to provide information on their use, and possibly to obtain consent. However, it is debatable whether the current level of information provided is sufficient to allow consumers to understand how their data will be used and the consequences of that use. Even the ICO’s own notice is light on detail concerning pixels. It is further questionable whether these consequences can be adequately explained in such a way that the average consumer would be able to truly understand them whilst enabling brands to meet other transparency requirements of keeping the information digestible and accessible.
In recognition of these difficulties, the EDPS recommends the EU to consider additional rules going beyond transparency and strongly supports parliamentary legislation to regulate targeted advertising much more strictly in order to reduce forms of advertising it considers intrusive. Ultimately, this leads the EDPS to urge the legislature to consider “a phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking”. It makes further recommendations around legislation to restrict less invasive targeted advertising, such as limiting the categories of data that can be used both as the basis for targeting, and the process of targeting itself. It is therefore possible that even if an outright ban on invasive targeted advertising is avoided, significant restrictions will be placed on the industry such that it would be forced to transform or disappear entirely.
Whilst the Digital Services Act will not be implemented in the UK, it will affect any businesses operating in the EU. It is also worth noting that authorities in the UK, including both the ICO and CMA, have been conducting their own investigations into digital advertising so it may well be the case that the UK will implement its own additional legislation, which could end up being more extensive and restrictive than current EU proposals.