Give users genuine control over ad targeting, MEPs urged

Over 30 civil society organizations, pro-privacy tech businesses and European startups are making a last-ditch pitch to try to convince EU lawmakers to put stricter limits on surveillance advertising as a major vote looms on an update to the bloc’s digital rules.

The European Parliament will vote shortly to confirm its negotiating position on the Digital Services Act (DSA) — and the 30 signatories to the joint statement on “surveillance-based advertising” are urging MEPs to back amendments to the DSA to tighten the rules on how people’s data can be used for targeting ads.

In a nutshell they argue that inferred personal data (aka what a platform can learn/guess about you by snooping on your digital activity) should be out of bounds for ad targeting — and that advertisers should only be able to use information that has been consciously provided to them for targeting their marketing by the individuals in question.

An example of how that could work might be a platform periodically asking a user to select a few categories of goods/interests for which they’re happy to receive marketing offers — such as, say, beauty products, hiking/outdoors gear, holidays or culture/art.

They would then only be able to use such signals for ad targeting, making it contextual, rather than creepy.

This is not so very radical a suggestion.

Regulators in the region have in fact been warning that tracking-based ads are on borrowed time for years, given systemic breaches of EU privacy laws. Though actual regulator enforcement against adtech has been harder to spot.

Most recently the outgoing U.K. data protection commissioner urged the industry to reform — and move away from the current paradigm of tracking and profiling — saying the future must be about providing internet users with a genuine choice over how they are targeted with marketing messages.

The signatories to the statement calling for parliamentarians to get behind this kind of ad targeting reform argue it would have major benefits — preventing problems associated with the covert surveillance of web users which can lead to abusive ads that manipulate and exploit.

The theories of harm around microtargeted ads have been much discussed in recent years — with risks of behavioral targeting being linked to discrimination, exploitation of vulnerable people/groups and democracy-denting election interference, to name a few.

Surveillance advertising’s problem is that it can’t be publicly accountable because it lacks genuine transparency.

Yet there are other ways to target ads that don’t require creepy snooping and behavioral profiling.

“We are convinced that targeted digital ads can be delivered effectively and with respect for users’ choice and privacy (i.e. without covert surveillance practices), provided that exclusively data specifically provided by users for that purpose is processed, in a transparent and accountable manner,” the signatories write.

The statement dubs the use of “inferred data, which reveals users’ vulnerabilities and, by definition, is collected or generated without their awareness and control” as “a particularly problematic practice in digital advertising”, arguing: “It is time to end this practice as it causes significant harm on an individual and societal level, as evidenced by extensive academic research and recent revelations including the Facebook Files and the whistleblower Frances Haugen’s testimony or Mozilla’s YouTube Regrets study.”

“It is in the best interest of companies engaging in digital advertising to respect users’ choice, autonomy, and expressed (not inferred) preferences,” they go on, pointing to survey results which found that 75% of social media users in France and Germany are not comfortable when their behavioural data is used to target them with advertising.

“While small and medium-sized businesses legitimately use online advertising to reach their clients, they do not need to rely on intrusive surveillance as a means to that end,” they further argue.

The statement suggests that the main beneficiaries of current adtech’s “surveillance free-for-all” — and the pervasive, covert massive tracking of internet users — are likely to be U.S. tech giants.

While progressive European startups — which have been trying for years to scale alternative, privacy respecting approaches for ad targeting — are being competitively disadvantaged by the rights-violating data abuses of U.S. giants.

“The only actors who benefit from exploitation of users’ vulnerabilities and cross-site tracking are U.S.-based large online platforms, with an interest to preserve their dominant position in the digital advertising market,” the statement argues, calling for “regulatory incentives” so that “progressive” privacy-focused startups can scale their rights-respecting services and make them more accessible for small brands.

“Putting an end to the most invasive practices will strengthen small European brands and GDPR [General Data Protection Regulation] compliant digital services, as well as local media as it would promote fair competition in digital advertising and reinstate the power of quality.”

It’s an argument that should — in theory — play well with Europeans elected representatives in the parliament.

However in recent years U.S. tech giants — led by Google and Facebook — have been pouring millions into lobbying efforts in Brussels in a bid to steer lawmakers away from policies that could damage their surveillance-based business models. So this is in no way a fair fight.

Key among the tech giant lobbying claims has been the suggestion that tougher rules on targeting will hit Europe’s small businesses. Indeed, Facebook (now Meta) has gone so far as to claim that banning surveillance ads would decimate the bloc’s economy.

But of course they would say that, wouldn’t they…

The 17 civil society organizations signing the joint statement are: the Panoptykon Foundation, Access Now, Alliance4Europe, Amnesty International, Article 19, Bits of Freedom, Civil Liberties Union for Europe (Liberties), Defend Democracy, Fair Vote, Global Witness, Irish Council for Civil Liberties, #jesuisla, The Norwegian Consumer Council, Ranking Digital Rights (RDR), The Signals Network, SumOfUs and Uplift.

While the 14 business representatives backing the call for a ban on use of inferred data for ad targeting are:

Disconnect, Casey Oppenheim, co-founder and CEO
DuckDuckGo, Gabriel Weinberg, CEO and Founder
Ecosia, Christian Kroll, CEO
Fastmail, Bron Gondwana, CEO and Nicola Nye, chief of staff
Kobler, Erik Bugge, CEO
Mailfence, Patrick De Schutter, co-Founder and MD
Mojeek, Colin Hayhurst, CEO
Opt Out Advertising, Tom van Bentheim, CEO
Piwik PRO, Maciej Zawadzinski, CEO
Quodari, Paul Pennarts, CEO
Startmail, Robert Beens, CEO
Startpage, Robert Beens, CEO
Strossle, Ha kon Tillier, CEO
Tutanota, Matthias Pfau, CEO

An earlier push by a number of MEPs towards the end of last year to get an outright ban on surveillance-based ad targeting included in the DSA did not prevail.

Although a parliamentary committee did back tightening restrictions on tracking-based advertising in another draft package of EU legislation that will apply to the most powerful internet gatekeepers (so plenty of U.S. giants), aka the Digital Markets Act (DMA) — by beefing up consent requirements for ad targeting and adding a complete prohibition on behavioral targeting of minors.

But the 31 signatories to today’s statement argue that the IMCO tweaks do not go far enough against the data industrial surveillance complex, writing: “We urge Members of the European Parliament to support plenary amendments to Article 24 of the DSA which go beyond the existing IMCO compromise and rule out surveillance practices in digital advertising — such as the use of inferred data — while supporting users’ genuine choice.”

Karolina Iwańska, a lawyer and policy analyst for the Panoptykon Foundation, also told us: “Unfortunately the compromise around ads in the IMCO committee is very weak and largely maintaining status quo” — adding that: “Big tech’s ‘SME’ lobbying was very successful.”

“We believe that a true compromise between a full ban on the use of personal data (unrealistic at this point) and status quo (everything allowed if consent is collected) is possible — but has sadly been ignored in the parliament,” she added, saying the anti-surveillance campaigners are now hoping to convince MEPs to back reform of personalized ads by limiting targeting to expressed preferences — which they believe will give Internet users “genuine control”.

The effort will need to work fast if it’s to achieve its aim.

Per Iwańska, the campaigners have drafted an amendment — but have yet to get backing from MEPs to submit it so that the parliament as a whole would be able to vote on it at the plenary. Clearly it’ll be crunch time for this push over the next few days.

Under the EU’s co-legislative process the Commission proposes legislation and that’s then followed by a process of wider negotiations between Member States and the European Parliament on the policy detail — with the chance for upcoming EU rules to be reworked and reshaped before they’re finally adopted.

Both the DSA and the DMA were proposed at the end of 2020 by the European Commission, with the DSA aimed at updating the bloc’s e-commerce rules and dialling up accountability on digital businesses by widening requirements to define areas of additional responsibility around content.

While the DMA targets the competition- and consumer-crushing market power of internet giants, with a set of ex ante rules aimed at preventing abusive practices.

Trilogue negotiations on the DSA are due to start soon — once the parliament confirms its position in next week’s plenary vote. And — ultimately — there will need to be another plenary vote in the parliament on the final text. So campaigners against surveillance advertising may have other points in the process to try to push strategic amendments.

One thing is clear: The lobbying will continue throughout this year.

Any restrictions on ad targeting in the EU will still also have to wait for the legislation to be adopted and come into force — with EU lawmakers set to apply a grace period for digital businesses to come into compliance. So any rule changes won’t bite for many months more at least.

While the DMA — which appears to be moving pretty speedily through the co-legislative process — could get up and running relatively quickly, perhaps in 2023, the DSA looks likely to take longer before it comes into force; perhaps not until 2024.

In the meanwhile, the tracking and targeting continues…