London
83 Baker St, London, W1U 6AG, England
Austin
14425, Falcon Head Blvd BUILDING E, Austin, TX 78738
The Irish Data Protection Commissioner’s decisions on Instagram and Facebook´s illegal processing of user data have finally been published – I will assume that you are already familiar with the basic context (Natasha Lomas put together a good summary on Techcrunch, if you need one).
Where do we stand? Meta won’t be able to rely on the contractual legal basis to process personal data for targeted advertising purposes. The same goes for legitimate interest (and we have witnessed TikTok’s failed attempt at doing just that). Instead, consent will be the only acceptable legal basis in the eyes of the European Data Protection Board (EDPB).
It seems like behavioral, programmatic advertising faces three clear challenges when it comes to finding an alternative shelter in the GDPR:
1. Pure privacy risks
Behavioral ads can become highly intrusive in the absence of certain safeguards. For illustrative purposes, and beyond the Netflix docudramas, a recent research study showed the real possibility of “nanotargeting” on Facebook, demonstrating that a mere collection of interests can very well result in the identification of a data subject or, worse, the processing of special categories of data (we discussed this on Masters of Privacy with Angel Cuevas, one of the researchers conducting said study).
As always, the threat is not in the present capabilities or intentions of a given platform, but rather in the absolute loss of control over the manner in which such data points will end up affecting every individual’s future choices.
Reinforcing this concern, the new EU Digital Services Act (which definitely applies to Instagram and Facebook) forbids programmatic behavioral advertising when it comes to children or special categories of data.
2. Fear of automation
Digital advertising involves automated (“black box”) decisions, and this will be the case for the foreseeable future, as AI is allowing the largest platforms to replace deterministic targeting with probabilistic models and, even better, local data processing.
3. An unconvincing bundle
Advertising can hardly be considered an essential part of the social media service currently being delivered – despite the fact that it could not otherwise be provided free of charge.
It could of course be argued that, should advertising be allowed, it is only through programmatic ads that a given platform can maintain the basic premise of the social media service to ascertain the most engaging or relevant piece of content (promotional or not) at a given point in time. In this sense, mass media advertising would run contra naturam, just like personalized advertising never really works that well for “unidirectional”/web 1.0 news publishers (whose content remains the same across all browsers, and who must rely on a patchy chain of intermediaries to determine relevance or interests).
But it all points to the same conclusion at this point: Ad-driven or not, nobody joined Facebook or Instagram for their ads.
Let’s now look at things from a Digital Marketer’s point of view.
For starters, digital advertising and Marketing Technology professionals are mostly stuck in the first-party/ third-party data dichotomy. Under such light:
In other words, first-party data is now as useless as third-party data, for consent rates will determine audience sample sizes and, in turn, the effectiveness of ads. As it happens with brokered consent in the open media ecosystem (its obtention falling on news publishers), it all boils down to walking the thin line that separates persuasive UX design from deceptive dark patterns.
In the absence of major surprises, the foreseeable consequence is a triumph for top-of-funnel, large advertisers with the muscle to “spray and pray”, and a loss for small retailers hoping to either target a very specific niche of customers or simply state their goal in terms of conversions or app installs. TV advertising all over again: P&G, Unilever, automakers .. pricing out the little Direct To Consumer newcomers that some people had become accustomed to discover on Instagram.
With this perspective in mind, let’s now go back to the legal analysis. Is there a way to save the world from consent pop-up hell and repetitive ads from the biggest polluters on Earth?
Revisiting the three issues identified at the outset:
1. The interest graph as personal data
Can we not provide sufficient safeguards to avoid identifying specific individuals by reverse-engineering their interest graph? How about blocking all campaigns that do not guarantee a minimum target audience threshold? This will penalize new social media apps or nascent advertising platforms in favor of the incumbents (Facebook never had to provide such guarantees as it slowly conquered the world).
2. Automated decisions in the context of advertising
The more we avoid centralized personal data processing (and “deduplication”), the more we need to rely on advanced statistics and AI.
This means that large platforms are caught between a rock and a hard place: deterministic targeting (either automated towards conversion/reach goals, or on the basis of advertiser-defined filters) can lead to the identification of specific individuals and poses a greater privacy challenge, but employing AI to leverage aggregate, anonymous data (or even local data processing and federated learning) will also trigger “algorithmic transparency” provisions in both the Digital Services Act and the upcoming AI Regulation – it may not be as easy to show causality between certain user preferences and the particular ad being served when a rules-based system is replaced by ML-powered logic.
3. Advertising as a core part of the service
What if Instagram was not about discovering and sharing experiences, places, etc., but rather about finding and buying things you need or like?
The platform could easily be portrayed as a “private shopper”**, or a curator of sorts, in which friends and family are forced to compete for relevance in what is effectively a product discovery environment – turning the product on its head.
A few decisions taken during the pandemic got Instagram surprisingly close to this value proposition – its deal with Shopify resulted in a Shopping button directly placed on the app’s main navigation bar, and buyers could even (still can) checkout their shopping cart within the app itself in certain markets. Paradoxically enough, Meta decided to dump the Shopping tab in favor of its TikTok copycat a few days ago, showing that a competition for attention, rather than a pivot to first-party data nirvana, is the utmost priority for the company. In other words, playing defense against TikTok trumped playing offense against Amazon and, in a single strike, aligning its business model with the legal basis it had adopted.
(I am leaving Facebook aside, as I consider it a much more hopeless case for reasons that your patience won’t allow me to cover.)
The end result? A platform that either:
Lastly, we cannot leave competition concerns aside. Is there a scenario in sight in which local, EU-based entrants have a real shot at capturing relevant market share in their own markets – whether in retail, media, social channels or advertising? Can the European Commission’s stated dreams of “digital sovereignty” somehow become a reality as a result of the new regulatory framework?
Not really, I would say:
So, what can we hope for?
As usual, hope lies in the consumer “revolution”. It is people who must decide who to trust, what to buy, where to spend their time. By the looks of current Instagram or TikTok users, buyers at the larger retail chains and CPG or luxury brand sales, we would probably be fooling ourselves if we expected things to change any time soon.
In the meantime, let’s brace ourselves for a pop-up infested European internet experience, in a world forever dominated by US firms to such a comical extent that the vast majority of GDPR and EU ePrivacy-related consent banners are provided and hosted by Atlanta-based OneTrust.
________
(Photo by Dima Pechurin on Unsplash)
*Marketers will keep referring to “explicit” consent, but this qualifier is kept for higher risk scenarios in the GDPR (special categories of data, automated decisions, international data transfers), as a sort of “super opt-in”.
**I speak from experience: Some of us tried to do just this, based on the contractual legal basis, in order to pay for content and creators with the money stemming from advertisers and retailers joining a “Private Shopping Cloud” that helps people find things that conform to their stated interests or needs. Our post-mortem has been in the works for some time.