Inside a European push to outlaw creepy ads

European Union lawmakers are mobilizing support for a ban on tracking-based advertising to be added to a new set of Internet rules for the bloc — which were proposed at the back end of last year but are now entering the last stretch of negotiations ahead of becoming pan-EU law.

If they succeed it could have wide-ranging implications for adtech giants like Facebook and Google. And for the holistic health of Internet users’ eyeballs more generally.

The move follows a smorgasbord of concerns raised in recent years over how such creepy ads, which use personal data to decide who sees which marketing message, can negatively impact individuals, businesses and society — from the risk of discrimination and predatory targeting of vulnerable people and groups; to the amplification of online disinformation and the threat that poses to democratic processes; to the vast underbelly of ad fraud embedded in the current system.

Gathering so much data about Internet users is not only terrible for people’s privacy (and wasteful from an environmental perspective, given all the extra data-processing it bakes in), they contend, but tracking opens up a huge attack vector for hackers — supporting a pipeline of data breaches and security risks, which in turn contravenes key principles of existing EU law (like data minimization).

So arguments in favor of a regional ban are plentiful.

On the flip side, adtech giants Facebook and Google make bank by mining people’s digital activity and using this surreptitiously sucked up information as a targeting tool to grab attention, darting eyeballs with what they euphemize as “relevant” advertising — meaning ads that use people’s own information to try to manipulate their behavior for profit.

The powerful pair can easily afford to spend millions lobbying against anything that threatens their tracking-based business models. And they have been doing just that in Europe in recent years, as lawmakers have been working on redrawing the parameters of digital regulations — along with the tacit (if not very publicly valuable) support of an opaque adtech middleman layer.

These are largely faceless (to consumers) entities that benefit from dynamics like the lack of traceability around current ad spending (oh-hi ad fraud!) and arbitrage of quality publishers’ audiences to sell ads against cheap filler content (bye-bye quality journalism!). But that’s hardly good news for consumers, society or for fair and honest competition, critics say.

While the arguments for banning microtargeting have been getting louder and stronger (with each passing scandal) for years, it’s fair to say that this remains something of a David vs Goliath battle — with individual rights, civil society, quality publishers and pro-privacy innovators on one side vs big adtech and the sprawling ecosystem of opaque data-traders and Internet content bottom-feeders that the current Facebook-Google duopoly gives succour to punching down hard on the other.

Simultaneously, high level competition concerns over Facebook and Google’s power over online advertising is driving increasing scrutiny and enforcement from antitrust watchdogs in Europe.

But the risk there is regulators could just end up cementing harmful microtargeting — such as by enforcing increased sharing of people’s data for ad targeting — instead of seeking to reboot the market in a way that’s both healthy for consumers and for healthy digital competition.

So, the next few weeks, really looks like crunch time for anyone rooting for a full reboot of surveillance-based business models.

MEPs in the European Parliament are set to vote on a number of committee reports that contain amendments to the Commission’s legislative proposals seeking to outlaw or restrict the practice — with a final plenary vote expected in December (although there is a chance that vote could be delayed).

Their target is the Digital Services Act (DSA) and the Digital Markets Act (DMA): Incoming EU regulations that contain a range of measures intended to level the playing field between offline and online commerce — by dialling up accountability on digital businesses and platforms; standardizing elements of governance; and seeking to enforce fairness of business dealing; in the latter case by applying a set of fixed rules to intermediating platform giants like Google and Facebook that play a gatekeeping role over Internet content and/or commerce.

The planned legislation contains a swathe of new rules for how Internet businesses will be able to operate in the EU. But the European Commission, which drafted the proposals, did not include an outright ban on surveillance-based ad business models.

That’s what a number of MEPs are trying to change now.

The Commission sidestepped including a ban in the draft legislation despite pressure from the parliament and other EU institutions to take a tougher line on microtargeting.

There have also been mounting complaints against tracking-based ads under existing EU privacy law (the General Data Protection Regulation; GDPR) — and a concerning a lack of GDPR enforcement against adtech.

International backing for a ban on surveillance-based ads has also been growing.

The Commission itself has been actively grappling with related issues — like how to reduce online disinformation and protect EU elections from interference — and recently made an appeal to the adtech sector to do more to address problematic economic incentives driving the amplification of harmful nonsense.

But although it has said it will be beefing up efforts in those areas it continues to prefer what amounts to a process of adtech industry engagement vs laying down strict legal limits to prohibit such intrusive targeting altogether. So it’s been left to Europeans’ elected representatives to take a stand against microtargeting.

The next few weeks will be crucial to determining whether the bloc ends up taking the bold but — many now argue — necessary step of outlawing surveillance-based advertising.

Alternative forms of Internet advertising are both available and profitable, supporters of a ban say.

It’s also worth noting that even EU regulators only gave Google the green light to acquire Fitbit at the end of last year after gaining a concession from the tech giant that it would not use Fitbit’s health data for ad targeting — for a full ten years.

So if the EU’s own regulators decided they needed to bake in such extensive precautions before allowing another data-grabbing acquisition by big (ad)tech, it does suggest the fundamental problem here is adtech’s unfettered use of people’s data.

If the bloc outlaws microtargeting it would — conversely — provide clear impetus for the publishing industry to switch to less intrusive forms of advertising, while simultaneously creating an incentive for increased innovation around pro-privacy business models — a space where European startups are already among the world leaders.

So there’s a chance for the region to lead in both digital regulations and tech development.

Growing support for tracking-free ads

In recent months a coalition of MEPs, civil society organisations and companies from across the EU has been campaigning to end the pervasive tracking advertising industry that dominates the Internet — organizing under the banner of the Tracking-free Ads Coalition, and most recently writing to 100 of Europe’s largest advertisers urging them to reconsider their participation in surveillance-based advertising.

The Coalition is also calling on interested parties to join the push to defend fundamental EU rights and counter tracking-based harms.

Although time is now short — with the window of opportunity for slotting a ban into draft legislation set to close in a few weeks’ (or even days’) time as the European Parliament has its say on the final shape of the regulations.

The Coalition argues that harms associated with surveillance-based advertising are simply too vast to ignore — whether it’s the core erosion of the fundamental right EU citizens have to privacy, or the impact on publishers whose audiences are being arbitraged by big tech and opaque adtech middlemen which in turn undermines quality journalism and supercharges ad fraud.

Media plurality is at threat, they warn.

The group also points out that viable alternatives already exist for funding online content, such as contextual advertising — used by the likes of pro-privacy search engine DuckDuckGo, which has been profitable for over a decade for example.

DuckDuckGo is one of 14 pro-privacy businesses that have intervened to lobby MEPs on the issue in recent weeks — along with Vivaldi, Fastmail, Conva, Proton, Tutao, Disconnect, Mojeek, Ecosia, Startpage & StartMail, Nextcloud, Kobler, Strossle International and Mailfence — who have written to the Committee on Internal Market and Consumer Protection (IMCO) to express their backing for banning tracking ads.

“In addition to the clear privacy issues caused by surveillance-based advertising, it is also detrimental to the business landscape,” they wrote in their letter to the IMCO committee which makes the case for pro-privacy alternatives to tracking.

“These practices seriously undermine competition and take revenue away from content creators. Anticompetitive behaviour and effects serve to entrench dominant actors’ positions while complex supply chains and ineffective technologies lead to lost revenues for advertisers and publishers,” they also argued, adding: “Although we recognize that advertising is an important source of revenue for content creators and publishers online, this does not justify the massive commercial surveillance systems set up in attempts to ‘show the right ad to the right people’.

“Other forms of advertising technologies exist, which do not depend on spying on consumers, and alternative models can be implemented without significantly affecting revenue. On the contrary — and that we can attest to — businesses can thrive without privacy-invasive practices.”

MEPs backing the Coalition’s calls for a ban on tracking ads are hoping to convince enough of their fellow parliamentarians to step in over the broad array of harms being associated with surveillance-based business models, including by debunking the economic claims that adtech makes in defence of tracking-ads.

The Coalition is shooting for an outright ban on microtargeting in the DSA, which will apply broadly to all digital services; and also wants to get restrictions on how data can be combined by gatekeeping giants for ad purposes added to the DMA — which is likely to apply to both Facebook and Google (among other tech giants).

In October last year MEPs backed a call for tighter regulations on microtargeting in favor of less intrusive forms of advertising (like contextual ads) — urging Commission lawmakers to assess further regulatory options, including looking at a phase-out leading to a full ban.

But the Coalition believes the debate has moved on enough that the parliament could vote to back an outright ban.

At the same time, supporters also warn over the frenzied lobbying going on in the background as adtech giants try to derail a threat to what is — for them — a very lucrative business model.

Big adtech’s EU lobbying frenzy

A report published this summer by Corporate Europe Observatory and LobbyControl listed US adtech giants Google and Facebook at the top of a list of big spenders lobbying to influence EU lawmakers — with the pair splurging €5.8M and €5.5M respectively to push their pro-tracking agenda in the region.

However that’s likely just the tip of the iceberg as Facebook and Google provide funding to an array of third party lobby groups, such as think tanks and industry associations, which can often been heard amplifying their talking points — without making their links with big tech funders amply clear.

One source close to the parliament negotiations around the DSA and DMA highlighted Facebook’s “enormous” lobbying budget — saying there’s a belief among some MEPs that it’s “the largest lobbying operation in world history in Europe”.

With the counter push to amend EU legislation now entering the final stages, our source on the negotiations suggested there is political momentum to get a ban on microtargeting into EU law — following the Wall Street Journal‘s recent exposé of internal Facebook documents.

The whistleblower, Frances Haugen, who revealed herself as the source of the document dump, called directly for lawmakers to act — suggesting changes are needed to Facebook’s algorithms to prevent a range of virality-generated harms.

Preventing ads from being targeted against personal data would fall into that category — removing the economic incentives that prop up some types of harmful disinformation and misinformation.

But Paul Tang, of the Progressive Alliance of Socialists and Democrats in the European Parliament — who is one of the MEPs involved in the push for a ban on microtargeting — argues there are now scores of reasons to ban tracking ads.

“There are tons of reasons but the two main concerns we have are as follows: Firstly, we need to stop the massive privacy breaches and monetization of attention. New examples of misuse of data and the harms of polarisation algorithms are being published almost every single week,” he told TechCrunch.

“Secondly, Google and Facebook have built an opaque advertising ecosystem, allowing ad fraud and giving them a duopoly on the digital advertising market to the detriment of SMEs and traditional publishers, who their income erode. This undermines our public media and by that our democratic institutions.”

Another MEP who’s part of the Coalition, Alexandra Geese, a member of the Greens/European Free Alliance political group, told us her personal concern is how much personal data is being allowed to accumulate in the hands of just two private companies — with a range of associated risks and concerns.

“While data protection against public authorities works quite well in Europe, we’re only starting to understand the risks and harms that arise because private companies control so much personal data,” she argued. “If it were in the hands of a government like in China, there would be a public outcry. Some of the harms are already clearly visible. Disinformation, hateful speech and the polarization of societies as well as electoral manipulation are so widespread because groups of users can be specifically targeted — be it for commercial reasons (keeping eyeballs to show ads to with strong emotional content), be it for manipulation by malicious actors.

“I also have strong economic concerns. In the current advertising ecosystem, no other company can compete and it’s also very difficult to make a different choice. This is already choking publishers. In the long run, this will damage European AI companies. While we can leverage industrial data in Europe, the possibility to predict people’s behaviour as well as being able to train algorithms with such a wealth of data will always be an enormous competitive advantage.”

A report by the Irish Council for Civil Liberties (ICCL) which was prepared at MEPs’ request — and shared with TechCrunch ahead of publication — summarises a range of key harms it argues stem from microtargeted ads, underscoring both threats to Europeans’ fundamental rights (like privacy) and the negative impact on media pluralism of adtech giants’ surveillance-based business models enabling an opaque layer of adtech that profits off a shadowy trade in people’s information and arbitrage of quality publishers’ audience.

Estimates for the cost of what the ICCL report bills as the “opaque fees charged on every tracking-based ad” range between 35%-70% — which it cites as a key threat to media pluralism.

In the report the ICCL also writes that Google has “diverted data and revenue from publishers to itself” — citing a stat that in 2004 half (51%) of the tech giant’s ad revenue came from displaying ads on publishers’ properties vs “nearly all” (85%) now being derived from displaying ads on its own websites and apps — which the ICCL says Google does “with the benefit of data taken from publishers’ properties”.

So the narrative here is of theft of individuals’ privacy and publishers’ revenue. 

The report also summarises examples of revenue uplift experienced by a number of European publishers after they switched from microtargeting (tracking) to contextual (non-tracking) ads. Such as the 149% boost seen by Dutch publisher NPO Group — or the 210% higher average price reported by TV2, a Norwegian news website for ads sold through Kobler’s contextual targeting vs tracking-based ad targeting.

“Practical evidence from European publishers now shows that publishers’ ad revenue can increase when tracking-based advertising is switched off,” the ICCL argues, predicting that: “A switch off across the entire market will amplify this effect, protecting fundamental rights and publisher sustainability. We urge lawmakers to play their part.”

Asked about momentum in the Parliament for a microtargeting ban, Tang suggests there is a lot of appetite among MEPs to change what he dubs as “this opaque and even fraudulent advertising system”.

But few people TechCrunch spoke to about this issue were willing to predict exactly which way MEPs will jump. So it really looks like it will go down to the wire.

“We are currently still in hectic negotiations with all political groups but there is for sure a momentum,” Tang added.

He also gave short shrift to big adtech’s claims that surveillance-based ads are essential for small businesses.

“Facebook promotes itself disingenuously as the champion of small and medium enterprises. The high intermediary costs of Facebook and Google, the prevalence of ad fraud and the limited effectiveness of tracking-ads should all be red flags for every SME out there,” he suggested.

Also discussing momentum for the campaign, Geese said three groups in the parliament (S&D, Greens and Left) are currently supporting a ban and a shift to contextual advertising for the whole ecosystem.

“Some MEPs of other groups support stronger transparency and better consent regulation as well as a ban of dark patterns,” she also told us, adding: “What is interesting is the fact that public awareness is rising and campaigns are picking up speed.

“People are sick of being tricked into consent and when asked with a simple Yes/No question, refuse consent in high numbers (ca. 80% globally e.g. for iPhone users). The advertising system is evolving and shutting out third party cookies will also mobilize publishers if they don’t want to depend entirely on Google and Facebook,” she continued, before sticking her neck out with a prediction of victory, saying: “I’m confident that we will have a majority by the time DSA/DMA go to plenary.”

Nonetheless, Geese acknowledged that Facebook and Google continue to have “huge influence” over views on this issue.

“Their lobbying is pervasive and targets the EU commission as well as my fellow lawmakers and national governments,” she said, noting that she hears colleagues from other parties repeating Google and Facebook claims “without really understanding the issue”.

“Also all relevant Brussels-based think tanks as well as many academic researcher depend in some way on funding by big tech — so they all send out the same kind of message.”

“The current main claim is that ‘targeted advertising is good for SMEs’ as well as pretending that a ban of surveillance advertising would mean a ban of any kind of advertising — which is incorrect since we do support contextual advertising,” Geese went on. “Many lawmakers are not familiar with the advertising industry and don’t know that surveillance advertising is a rather new form of advertising that has been taking revenue away from European companies and publishers in the last 15 years. Most are also unaware that this market is controlled by a duopoly that faces charges for price-fixing in the US. How can this be good for SMEs or European companies?

“Furthermore there is no evidence whatsoever that SMEs benefit more from targeted advertising than from contextual. With our proposal, SMEs would still be able to target clients on websites based on their interests or even on their location. Contextual advertising has a huge growth potential and can serve SMEs far better than the current system, not to speak of publishers who have thrived with contextual in the past.”

We contacted Google and Facebook for comment on the Coalition’s campaign.

At the time of writing neither had responded to the request. But we also pinged the IAB Europe — which was happy to defend surveillance-based advertising on the tech giants’ behalf.

In a statement attributed to Greg Mroczkowski, the IAB Europe’s director of public policy, the online ad industry association argued that creepy ads are “indispensable” for both small and big business, and — it claimed — for “Europe’s news publishers” and for “content creators of all kinds”.

Which, as an argument, does seem to gloss over some basic market dynamics — like, for instance, if you flood the market with “content” of any quality that might make it more difficult for news publishers to produce high quality journalism (which is more expensive to produce than any old clickbait) since all this stuff is competing for people’s eyeballs (and attention is finite).

Similarly, if big business is allowed to use intrusively powerful ad targeting tools, doesn’t that undermine the ability of small businesses to compete against those brand giants using the same tools — given they don’t have the same level of resource to spend on digital marketing and data gathering? So wouldn’t it be a more level playing field if people’s data was off-limits and competition could be centred on the relative merits of the products?

But, well, here’s the IAB’s statement in full:

“Personalised advertising is an indispensable marketing channel for small businesses and household brands alike. It is also a vital revenue generator for Europe’s news publishers as well as other content creators of all kinds.

“The EU’s already extensive legal framework for privacy and data protection applies directly to data-driven ads, and we support enforcement of that law. We also welcome measures to further boost trust and transparency in the online advertising ecosystem, but uncosted, untested prohibitions of valuable technological solutions are not the way forward.”

The claim by the IAB that it supports enforcement of the GDPR is also worth an addendum, given that its own Transparency and Consent Framework — a widely used tool for gathering Internet users’ ‘consents’ to ad targeting — is itself the subject of a data protection complaint.

A division of Belgium’s data protection agency found in a preliminary report last year that the tool failed to comply with key GDPR principles of transparency, fairness and accountability, and the lawfulness of processing. But that regulatory procedure appears to be ongoing.

Adtech enforcement gap

Another important strand to this story is the (much chronicled) lack of enforcement of the GDPR around adtech.

Yet there seems to be a lack of awareness inside parts of the European Commission about this very notable enforcement gap where EU data protection law intersects with tracking-based business models.

One Commission official we spoke to — in the context of flagging eye-watering research that demonstrates Facebook’s platform can be used to target ads at a single person; in order to ask whether such a problematic use-case might fall under a proposed prohibition in draft AI regulations (which will forbid subliminal techniques that influence people ‘beyond their consciousness’ and aim to materially distorting a person’s behaviour in a manner that causes or is likely to cause them or another person physical or psychological harm) — pointed to the GDPR by way of recourse, saying the law already establishes rules on users’ consent and/or their right to object to targeted digital marketing.

However this official seemed entirely unaware that Facebook does not offer an option to use its service without being tracked. Which means EU users simply can’t obtain their GDPR rights when/if using Facebook.

So if the Commission is imagining that the GDPR provides protection enough against abuse of personal data by adtech it hasn’t being paying enough attention to the rampant attention-mining going down, consent-free, on the modern web.

It’s true that Google has been fined in France under GDPR for failing to be transparent enough about its tracking practices. But privacy experts continue to decry its use of disingenuous dark patterns — such as labyrinthine settings menus that make it hard for consumers to figure out how to stop it tracking them for ad targeting as they browse the Internet.

While a complaint against Facebook’s “forced consent” has been stalled in Ireland — which has suggested there’s no legal problem with the tech giant claiming users are actually in a contract with it to receive targeted ads (meaning there’s no need for it to ask for their consent).

Like Facebook, Google is now regulated on data protection matters by Ireland’s Data Protection Commission — which has faced years of criticism for failing to act on cross-border GDPR complaints, including a large number concerning adtech.

So, again, if the Commission takes the view that the GDPR alone can stop unwanted microtargeting it’s essential to underscore that that certainly has not happened yet — more than three years after the law came into application.

So the salient question then is, should EU citizens really have to wait years more for Europe’s top court to enforce the letter of the law? A growing number of MEPs don’t think so. Which is why they think it’s vital to put a ban on the face of EU legislation.

If these parliamentarians fail to get a ban on microtargeting into the DSA (and/or adtech data restrictions in the DMA) there is perhaps another looming chance for them to amend legislation to outlaw at least a subset of surveillance ads.

Indeed, the Commission official we spoke to suggested that a prohibition already included in another draft piece of EU legislation — the AI regulation, which will set rules around high risk uses of artificial intelligence — could potentially apply to microtargeting of people, if it fulfils all the conditions under article 5(1)a) of the proposed Act.

The problem is that the current Commission proposal sets a very high bar for a ban — requiring that such an ad is not only targeted at a person without their knowledge but must also “materially distort” their behaviour in such a way that it “causes or is likely to cause that person or another person physical or psychological harm”.

Safe to say, the adtech giants would deny any such impact is possible from targeted advertising — even as they rake billions more into their coffers by selling people’s attention via an industrial data-gathering apparatus which has been baked into the web to spy on what Internet users do and profile people for profit.

If a microtargeting ban fails to make it in the votes now looming in the European Parliament, the AI Regulation could be the next — and perhaps final — battleground for EU lawmakers to overrule the surveillance giants.

This report was updated with a correction: We originally stated the plenary vote is expected in early November; the current timetable is actually for a plenary vote in December, although it’s possible that final vote will be delayed