Online Advertising and Big Tech – The Privacy Battleground

Kaveh Cope-Lahooti

Big Tech and Online Advertising

For a long period of time, the big tech companies (principally Facebook, Amazon, Apple and Google) have dominated the online advertising sphere, through selling access to or carrying out targeted advertisements on their platforms. Nevertheless, this business model caused privacy concerns, not least for the individuals whose behaviour and – behaviour which served the basis for them to be subject to ‘micro-targeting’ with marketing, including the political advertisements made infamous in the case of Cambridge Analytica.

However, the GDPR, and other privacy legislation following suit in the US, is beginning to threaten their business models. With respect to online advertising, the GDPR introduces a new standard of consent into the ePrivacy Directive (often referred to as ‘the cookie directive’) namely, a “clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement”(as per Article 2(f) of the ePrivacy Directive). This stance has been interpreted in guidance and caselaw, such as the Court of the Justice of the European Union’s 2019 Planet 49 decision, to require active consent to a variety of online tracking technologies, including cookies, mobile advertising IDs, and location-based monitoring. As a result, since the GDPR, consent is specifically required for each type of cookie through a banner or consent management tool, with information about the purposes of cookies, third parties and cookie duration to be provided to the user prior to their consent.

In particular, this new standard affects the entire online advertising ecosystem that relies on user consent for the deployment of cookies and other tracking technologies that are regulated by the ePrivacy regulation, and led to a decrease in engagement and success rates of tracking individuals online. Most notably, the reason why online advertising has been singularly so highly affect is due to the cross-platform, ‘third party’ nature of many advertising cookies, which users interact with across multiple websites and thus require a chain of consent mechanisms (or ‘signals’) to be collected and exchanged between the relevant parties. On top of this parties engaging in online advertising remain liable to ensure consent was validly collected further up the chain. If regulators were to enforce this strict interpretation regularly, it would most probably make collecting cookie-based consent for advertising unworkable.

Response of the big tech players

However, rather than stemming the business models of large technology corporations, the GDPR has caused them to develop their own proprietary methods of collecting user data. This week, Apple is releasing an update to its iOS on all its devices which will require user consent to before application data linked to users’ iOS device IDs (‘IDFAs’) is shared with third party app developers. Apple itself will still be able to keep this data by default on iOS devices, thus giving the technology company an edge over its rivals. Apple’s move on the one hand allows it to claim to be defending user privacy, whilst on the other hand will deprive app developers (including Facebook, Twitter and many smaller companies) of user data to improve and market their software products, whilst strengthening Apple’s hand. It will also force many app providers to pursue an alternative (non-advertising based) business model and charge customers for the use of their products, which will in turn drive more revenue from Apple.

To replace the lacuna that IDFA advertising filled, Apple has offered app developers its SKADNetwork, which aims to provide statistical information on impressions and conversion data without revealing any user or device-level information. Whilst this aggregated information can be useful for improving products, it lacks the user-specific behavioural information needed to create segmented profiles and provide individuals with targeted advertising.

Google, itself previously subject to large fines for failing to collect adequate user consent and transparency for when monitoring users online [citation needed], has decided to phase out its third parties cookies before 2022. However, cognisant of the fact that advertising during the pandemic has drive its parent company Alphabet to its highest ever quarter profit [citation needed], Google is not done yet. Mirroring the approach of Apple, it has recently announced testing of it’s own privacy preserving mechanism for interest based ad selection and the news are shaking up the adtech ecosystem, and that Google itself will control. Google calls this it’s Federated Learning of Cohorts (FLoC), which will operate within the Chrome environment and forms part of Google’s Privacy Sandbox.

The FLoC project aims to move online behavioural advertising’s focus on individual users to instead being ‘interest’ or ‘context’ based. Advertising will be targeted at ‘cohorts’ – groups of users with similar interests. rather than allow individual identification and profiling. Whilst the FLoC mechanism will still capture data on individual users, members of the FLoC will only see information about a user at a cohort level. Additionally, website users will also be able to opt out to participating or forming part of a FLoC cohort within Chrome.

Conclusion

Whilst Google’s FLoC and Apple’s SKADNetwork may appear to be more privacy-friendly solutions to the cookie or mobile-ID based third-party tracking technologies we have become used to, they will still involve tracking information on users within certain environments (e.g. Chrome or iOS apps) – just this information won’t be shared with all of the advertising ecosystem. Additionally, such technologies run the risk of strengthening the data that singular players, such as Google and Apple, can have access to about individuals. At the same time, they entrench the dominant position in the software and advertising marketplace that these tech companies have, at the expense of their rivals. It is likely that this is only the beginning of the big tech companies’ battle over privacy.