Ad Tech in Europe: What Does the Future Hold?

December 4, 2023

By: Nicole Kardell

If you are subject to the EU’s General Data Protection Regulation and you engage in behavioral advertising, you may want to rethink your business model. A recent decision from the European Data Protection Board (which oversees application and enforcement of the GDPR across the EU) and related statements from regulators from several European member states have cast a shadow over the future of personalized ads in Europe. Earlier this year, Meta—the parent company to Facebook and Instagram—was fined a whopping 390 million euros by the Irish Data Protection Commission (which is charged with enforcing the GDPR in Ireland) for processing people’s personal data without a proper legal basis.

By way of background, to legally process individuals’ personal data in Europe, an entity must have a legal basis for doing so. That legal basis must fall under one of six listed in the GDPR (see GDPR Article 6): this includes (1) processing based upon the consent of the individual and (2) processing pursuant to a contract with the individual.

Meta had been serving personalized ads in Europe based upon the theory that it could legally do so pursuant to a contract between the platform and each user, i.e., in order to carry out its contracted services to users, it needed to collect and process their personal data for behavioral advertising. The Irish DPC and the EDPB disagreed and issued a decision that Meta’s basis was invalid: “The EDPB binding decisions clarify that Meta unlawfully processed personal data for behavioral advertising. Such advertising is not necessary for the performance of an alleged contract with Facebook and Instagram users.” Personalized advertising was “not a core element of the services.” In other words, a proper legal basis for processing personal data cannot be pretextual, and the fact that the processing funds the service is not enough to keep it from being pretextual.

Meta thought it had found another workaround: on October 30 it launched an ad-free subscription service for users in Europe and publicly stated that the “option for people to purchase a subscription for no ads balances the requirements of European regulators while giving users choice and allowing Meta to continue serving all people in the EU, EEA and Switzerland.” Users have the option to pay a subscription fee of 10-13 euros per month for ad-free service or to consent to having their data processed for personalized ads. Many describe this as a “pay or okay” framework. Will the framework keep Meta out of hot water in Europe? It is unlikely.

Since the October 30 launch, there has been a fair amount of hubbub over whether Meta’s approach will pass muster with European regulators. Consumer watchdogs are putting the issue before regulators. The EU consumer privacy advocacy group noyb, headed by Max Schrems, has already filed its first complaint against Meta (it promises more). In a press statement, noyb argues that the pay-or-okay framework is just an attempt to circumvent EU privacy laws and that users cannot truly “freely give” their consent, as they feel forced to consent to avoid cumulative (and potentially costly) subscription fees across app services.

The BEUC, an umbrella group for a number of European-based consumer organizations, also filed a complaint recently with consumer protection authorities. The BEUC complaint alleges that Meta is engaging in unfair commercial practices with its “choose to lose” framework (as the BEUC describes it).

The overarching issues that platforms should consider when following Meta’s legal battles are the concepts of meaningful choice and transparency. The GDPR requires both. Articles 4 and 7 of the GDPR provide that consent must be freely given. The consumer watchdogs argue that users cannot freely give their consent when they are faced with a choice between cost-prohibitive privacy and relinquishing their personal data. A subscription of 10 or 13 euros per month may not seem exorbitant. But watchdogs point out that, with the growing number of apps on which users rely, should more platforms adopt the pay-or-okay framework, users will be forced to consent or lose out on services that are baked into their lives and livelihoods.

Platforms must also be transparent about their data practices and not assume that a blanket consent will support various data collection and use practices. The EDPB and the DPC, in their earlier decision against Meta this year, noted that the company “presented its services to users in a misleading manner.” Even if the pay-or-okay framework passes regulatory scrutiny from a general standpoint, platforms would need to ensure they are clear and specific about each data processing activity, and not attempt to obtain batch consents from users.

What the future holds for ad tech in Europe is a hot topic that is coming to a head. Platforms should be aware of the issues Meta is facing and consider revenue models that afford some flexibility, or that rely less on atomized ads.

Nicole Kardell

Nicole is a certified privacy professional with expertise in European privacy law (CIPP/E), in particular GDPR. She helps companies navigate the changing face of privacy regulations and keep their business practices and partnerships in compliance with the law both domestically and abroad.
