Photo by Dima Pechurin on Unsplash

An Instagram that relies on the contractual legal basis is the best thing that we could hope for

The Irish Data Protection Commissioner’s decisions on Instagram and Facebook’s illegal processing of user data have finally been published – I will assume that you are already familiar with the basic context (Natasha Lomas put together a good summary on TechCrunch, if you need one).

Where do we stand? Meta won’t be able to rely on the contractual legal basis to process personal data for targeted advertising purposes. The same goes for legitimate interest (and we have witnessed TikTok’s failed attempt at doing just that). Instead, consent will be the only acceptable legal basis in the eyes of the European Data Protection Board (EDPB).

It seems like behavioral, programmatic advertising faces three clear challenges when it comes to finding an alternative shelter in the GDPR:

1. Pure privacy risks

Behavioral ads can become highly intrusive in the absence of certain safeguards. For illustrative purposes, and beyond the Netflix docudramas, a recent research study showed the real possibility of “nanotargeting” on Facebook, demonstrating that a mere collection of interests can very well result in the identification of a data subject or, worse, the processing of special categories of data (we discussed this on Masters of Privacy with Angel Cuevas, one of the researchers conducting said study). 

As always, the threat is not in the present capabilities or intentions of a given platform, but rather in the absolute loss of control over the manner in which such data points will end up affecting every individual’s future choices. 

Reinforcing this concern, the new EU Digital Services Act (which definitely applies to Instagram and Facebook) forbids programmatic behavioral advertising when it comes to children or special categories of data.

2. Fear of automation

Digital advertising involves automated (“black box”) decisions, and this will be the case for the foreseeable future, as AI is allowing the largest platforms to replace deterministic targeting with probabilistic models and, even better, local data processing. 

3. An unconvincing bundle

Advertising can hardly be considered an essential part of the social media service currently being delivered – despite the fact that it could not otherwise be provided free of charge. 

It could of course be argued that, should advertising be allowed, it is only through programmatic ads that a given platform can maintain the basic premise of the social media service to ascertain the most engaging or relevant piece of content (promotional or not) at a given point in time. In this sense, mass media advertising would run contra naturam, just like personalized advertising never really works that well for “unidirectional”/web 1.0 news publishers (whose content remains the same across all browsers, and who must rely on a patchy chain of intermediaries to determine relevance or interests).

But it all points to the same conclusion at this point: Ad-driven or not, nobody joined Facebook or Instagram for their ads.

Let’s now look at things from a Digital Marketer’s point of view.

For starters, digital advertising and Marketing Technology professionals are mostly stuck in the first-party/third-party data dichotomy. In that light:

  1. Third-party data was already considered a problem, since obtaining valid consent (compulsory in a cookie-based world, as per the EU ePrivacy Directive) relied on intermediaries. Luckily for the larger platforms, people “live” within their walls under a registered, immutable identity.
  2. Apple had further penalized third-party data flows by imposing an express* consent requirement on mobile apps hoping to share identifiers with Meta (all of it while considering the entire App Store ecosystem its own first-party data playing field – and receiving a CNIL fine for attaching a unique advertising ID to French iPhone users without prior consent in the process). 
  3. The EDPB decision (effectively forced upon the DPC) is now calling the privileged status of first-party data into question, for even when some thought they could happily go about their business in the comfort of a “trusted” (contractual) relationship, they still need to gather consent.

In other words, first-party data is now as useless as third-party data, for consent rates will determine audience sample sizes and, in turn, the effectiveness of ads. As happens with brokered consent in the open media ecosystem (where obtaining it falls on news publishers), it all boils down to walking the thin line that separates persuasive UX design from deceptive dark patterns.

In the absence of major surprises, the foreseeable consequence is a triumph for top-of-funnel, large advertisers with the muscle to “spray and pray”, and a loss for small retailers hoping to either target a very specific niche of customers or simply state their goal in terms of conversions or app installs. TV advertising all over again: P&G, Unilever, automakers… pricing out the little Direct To Consumer newcomers that some people had become accustomed to discovering on Instagram.

With this perspective in mind, let’s now go back to the legal analysis. Is there a way to save the world from consent pop-up hell and repetitive ads from the biggest polluters on Earth?

Revisiting the three issues identified at the outset:

1. The interest graph as personal data

Can we not provide sufficient safeguards to avoid identifying specific individuals by reverse-engineering their interest graph? How about blocking all campaigns that do not guarantee a minimum target audience threshold? This will penalize new social media apps or nascent advertising platforms in favor of the incumbents (Facebook never had to provide such guarantees as it slowly conquered the world).

2. Automated decisions in the context of advertising

The more we avoid centralized personal data processing (and “deduplication”), the more we need to rely on advanced statistics and AI. 

This means that large platforms are caught between a rock and a hard place: deterministic targeting (either automated towards conversion/reach goals, or on the basis of advertiser-defined filters) can lead to the identification of specific individuals and poses a greater privacy challenge, but employing AI to leverage aggregate, anonymous data (or even local data processing and federated learning) will also trigger “algorithmic transparency” provisions in both the Digital Services Act and the upcoming AI Regulation – it may not be as easy to show causality between certain user preferences and the particular ad being served when a rules-based system is replaced by ML-powered logic.

3. Advertising as a core part of the service

What if Instagram was not about discovering and sharing experiences, places, etc., but rather about finding and buying things you need or like?

The platform could easily be portrayed as a “private shopper”**, or a curator of sorts, in which friends and family are forced to compete for relevance in what is effectively a product discovery environment – turning the product on its head. 

A few decisions taken during the pandemic got Instagram surprisingly close to this value proposition – its deal with Shopify resulted in a Shopping button directly placed on the app’s main navigation bar, and buyers could even (still can) check out their shopping cart within the app itself in certain markets. Paradoxically enough, Meta decided to dump the Shopping tab in favor of its TikTok copycat a few days ago, showing that a competition for attention, rather than a pivot to first-party data nirvana, is the utmost priority for the company. In other words, playing defense against TikTok trumped playing offense against Amazon and, in a single strike, aligning its business model with the legal basis it had adopted.

(I am leaving Facebook aside, as I consider it a much more hopeless case for reasons that your patience won’t allow me to cover.)

The end result? A platform that either:

  1. Relies on a contractual relationship to find things on our behalf, under our control, while allowing merchants to index their offerings. Said platform being a private enterprise will do away with the dream of having an open ecosystem in which nobody gets a cut out of the entire stream of commerce.
  2. Provides a paid alternative, along the lines of French publishers (after a decision of the Council of State forced the CNIL to allow “cookie walls”) deeming a “payment with data” a valid transaction or, worse, interpreting such choice (“accept cookies or pay”) as valid consent on the basis that an “alternative” has been provided – in which case I believe we are one step closer to hell. 
  3. Abandons the EU (closing money-losing, un-monetizable WhatsApp in the process) and has some fun watching EU users jumping over themselves to install VPNs and dump their stated principles in order to access a now forbidden Instagram account. Or migrating to TikTok, which is pretty much the same thing. 
  4. Deploys pop-ups everywhere and is either at risk of a new fine for the use of dark patterns (which would ensure sufficient consent rates to keep the engine running) or capitulates at the gates of larger advertisers and their media agencies. A proper 80s party.

Lastly, we cannot leave competition concerns aside. Is there a scenario in sight in which local, EU-based entrants have a real shot at capturing relevant market share in their own markets – whether in retail, media, social channels or advertising? Can the European Commission’s stated dreams of “digital sovereignty” somehow become a reality as a result of the new regulatory framework? 

Not really, I would say:

  • Few will have the computing or data muscle to catch up with Meta or Google in terms of privacy-first AI-driven ads, so all potential entrants will either be much less efficient (scaring advertisers away) or take greater privacy risks (scaring users away). The recent announcement by European telecom operators to create a cookieless advertising network on the basis of a pseudonymous cross-network ID is a good example of the latter.
  • A “contextual” advertising fever will push both small players (Direct to Consumer) and performance-driven retailers towards Amazon (leveraging the mother of all contexts), which will become an unavoidable toll, taking an even greater slice of their revenues.
  • New retailers (e.g., environmentally conscious, local producers) will find it harder than ever to bite into the market share of either large distributors or Consumer Packaged Goods brands, who have just recovered their leverage in terms of media buying power, bringing along their once-almighty media agencies.

So, what can we hope for?

As usual, hope lies in the consumer “revolution”. It is people who must decide who to trust, what to buy, where to spend their time. By the looks of current Instagram or TikTok users, buyers at the larger retail chains and CPG or luxury brand sales, we would probably be fooling ourselves if we expected things to change any time soon.

In the meantime, let’s brace ourselves for a pop-up infested European internet experience, in a world forever dominated by US firms to such a comical extent that the vast majority of GDPR and EU ePrivacy-related consent banners are provided and hosted by Atlanta-based OneTrust.



*Marketers will keep referring to “explicit” consent, but this qualifier is kept for higher risk scenarios in the GDPR (special categories of data, automated decisions, international data transfers), as a sort of “super opt-in”. 

**I speak from experience: Some of us tried to do just this, based on the contractual legal basis, in order to pay for content and creators with the money stemming from advertisers and retailers joining a “Private Shopping Cloud” that helps people find things that conform to their stated interests or needs. Our post-mortem has been in the works for some time.

Sergio Maldonado

Dual-admitted lawyer. LLM (IT & Internet law), CIPP/E. Lecturer on ePrivacy and GDPR (IE Business School). Author. Founder: PrivacyCloud, Sweetspot, Divisadero/Merkle.
