1 Introduction
Tracking technologies such as cookies and digital fingerprinting enable firms to collect and exchange extensive data about consumers (“users”). These data are often used to improve the performance of online advertising, which publishers—here defined as websites or apps that provide space to display ads—rely on to finance the “free” content to which their users have become accustomed. Until recently, such data collection was massive in scope, and often occurred without users’ permission, which led to a loss of user privacy. In response, policymakers in Europe and elsewhere have put forward initiatives to protect user privacy. One of the most prominent regulations is Europe’s General Data Protection Regulation (GDPR), which went into effect in 2018; this regulation is at the focus of the current book. The GDPR will be complemented by the ePrivacy Regulation (ePR). Outside Europe, large-scale initiatives to protect user privacy include the California Consumer Privacy Act (CCPA), India’s Personal Data Protection Law (PDPB), Thailand’s Personal Data Protection Act (PDPA), Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) and China’s Personal Information Protection Law (PIPL). These laws prevent firms from processing personal data, where the term “processing” encompasses a wide range of operations, including collecting, combining and storing personal data.
The main purpose of these laws is to protect users’ “privacy.” In fact, comprehensive reviews of privacy literature emphasize that there is no widely agreed-upon definition of privacy (Bleier, Goldfarb, and Tucker (2020), Martin and Murphy (2017), Norberg, Horne, and Horne (2007) and Wieringa et al. 2021). Westin (1967) defined privacy as “the ability of the individual to control the terms under which personal information is acquired and used.” The GDPR effectively relies on this conceptualization of privacy, as its main provisions focus on users’ control over their personal data. Herein, we adopt a similar perspective of the construct of privacy—with some extensions. For example, in line with a common approach in the popular media, we assume that a more extensive collection of data from consumers implies less privacy.
In restricting the processing of personal data, privacy laws affect online advertising and, thus, the different actors operating in the online advertising market. Though several studies have begun to explore these effects (e.g., Peukert et al. 2022; Schmitt, Miller, and Skiera 2021), researchers and policymakers have yet to obtain a comprehensive and precise understanding of the implications of privacy laws for the online advertising market. This lack of clarity is unfortunate because as regulations continue to be formulated or updated, it is crucial for regulators and societies at large to understand the trade-off between user privacy and the economic value that the online advertising industry derives from processing personal data through potentially privacy-infringing technologies. Likewise, firms in the online advertising industry need to understand the implications of stricter privacy requirements for their performance, so as to adjust to these requirements effectively. Finally, users also deserve to understand what happens with their data, and the consequences of such data usage, or restrictions thereof.
One important reason for the lack of clarity on the implications of privacy laws for advertising is that the online advertising market is difficult to understand. It is a high-tech industry that comprises several extensive networks with many actors, as we will illustrate in these pages (see, in particular, our illustration of the complexity of the industry in Section 2 and our empirical study in Section 8). From a technological perspective, these actors accomplish extraordinary feats, such as conducting billions of auctions with many participants each day to sell single ad impressions in less than 100 milliseconds, or displaying personalized ads to millions of users.
Because of the complex technologies used in online advertising, effective decision-making in this market requires combining a technological perspective (e.g., finding the best technology to track users) with a marketing perspective (e.g., finding the best users to target). With the launch of far-reaching privacy laws such as the GDPR, it is becoming increasingly important for actors in this industry to consider the legal perspective as well. The need to combine these three perspectives implies that professionals in the advertising field must possess some level of expertise in multiple domains. For example, lawyers in the advertising industry need to understand what “cookies” and “consent strings” are, and marketing managers and IT experts need to understand the meanings of legal terms such as “legitimate interest” or “identifiable individual.”
Our vision for this book is, thus, to provide an accessible yet comprehensive synthesis of what is currently known about how privacy laws—particularly the GDPR—affect the online advertising market. To this end, we highlight the requirements stipulated in the GDPR that are most relevant to the advertising industry, and we further clarify the implications of these requirements for the key actors in this industry, as well as for users. In doing so, we aim to provide actors in this market (in particular advertisers, publishers and users), as well as regulators and society at large, with better tools to (i) assess the trade-off between the benefits and the costs of more privacy, (ii) understand problems in implementing the requirements of GDPR, and (iii) draw conclusions on how to deal with the stricter privacy requirements that come with privacy laws such as the GDPR.
The remainder of this book is organized as follows. Section 2 outlines how the online advertising industry operates. Section 3 provides a basic overview of tracking technologies, the ways in which publishers, advertisers, and other firms use them, and the implications of tracking for users. Section 4 elaborates on the contents of the GDPR, focusing on the obligations relevant to firms in the advertising industry. In Section 5, we discuss the GDPR requirement that affects the advertising industry most profoundly: the need to secure a legal basis for data processing, which, in practice, entails obtaining user permission for data processing for specific purposes—e.g., via consent management tools, discussed in Section 6. Section 7 provides a step-by-step description of the procedure that firms must undertake to obtain user permission for data processing, and it presents a framework developed by IAB Europe, Europe’s industry association for digital marketing and advertising, to assist firms in accomplishing this process (the Transparency and Consent Framework; TCF). Section 8 provides an empirical assessment of the complexity that firms face in obtaining permission, as well as the complexity that users face in handling permission requests. Section 9 provides an outlook on future developments in the advertising industry and in the regulatory landscape with regard to the processing of users’ personal data. Finally, Section 10 provides conclusions.