As regulators worldwide are introducing new laws to protect users’ privacy, this book has sought to fill crucial gaps in our understanding of how these laws affect the online advertising industry—where publishers and advertisers rely on user data to sustain many aspects of their operations. We focused our discussion on one of the first and most all-encompassing privacy laws, the European General Data Protection Regulation (GDPR), whose scope extends to any firm that is based in the EU or that serves EU or non-EU citizens.
Our major insights include the following:
The operations of the online advertising industry are grounded in agreements—some implicit—between three main actors: the publisher, the user, and the advertiser. The publisher provides the user with content—in many cases free of (monetary) charge—in exchange for the opportunity to track and profile the user (i.e., the user’s personal data). The publisher gains revenue by providing information on the user to advertisers, which use it for targeting, thereby improving ad performance.
An increase in privacy protection endangers the implicit agreements between the parties because it reduces advertisers’ ability to behaviorally target users, thereby reducing their willingness to pay to serve ads on publishers’ websites. The resulting loss in revenue could force publishers to seek cost-saving measures—e.g., reducing the quality or quantity of their content—or to activate other revenue sources, e.g., via paywalls for their content. These measures may diminish the user’s experience.
The GDPR was one of the first strict privacy laws to be introduced; others have since emerged and continue to emerge worldwide. Thus, the GDPR “paved the way” for other countries to follow. Notably, and perhaps most concerningly for firms, the GDPR enables non-compliant firms to be penalized with very high fines (up to the greater of 4% of a firm’s global annual turnover or €20 million). These penalties substantially exceed those imposed by other privacy laws, except those of China’s privacy law (PIPL).
The GDPR is remarkable because it applies not only to the data processing activities of European firms but also to those of any firm worldwide that deals with European users.
The GDPR introduced new obligations—and thus new costs—for firms operating in the advertising industry. Notably, firms’ compliance with these obligations entails costs for the user as well.
One of the key obligations introduced by the GDPR is the need for firms to supply a legal basis in order to implement tracking technologies for personal data processing, including personal data collection. The relevant legal bases for online advertising are users’ explicit consent or legitimate interest. These two legal bases differ in that users’ consent represents an opt-in approach, whereas legitimate interest is an opt-out approach. Courts tend to favor users’ consent over legitimate interest.
Obtaining user permission for personal data processing is technically challenging, and consent management platforms (CMPs) have emerged as a new actor in the online advertising industry to assist firms in coping with the challenges they face.
Obtaining user permission for personal data processing is particularly challenging for firms that do not serve as publishers (e.g., firms identified as “vendors” in the TCF) and thus do not have direct contact with users. These firms need to rely on a publisher to obtain user permission on their behalf.
Firms, especially vendors, have an obligation to delete the collected personal data when users withdraw consent or want to delete their personal data. So far, the regulation of this obligation has always been neglected.
The GDPR defines two categories of firms with regard to their obligations in processing personal data: data controllers and data processors. Data controllers (often publishers) have more obligations than do data processors (often vendors). In particular, data controllers are responsible for the legal compliance of all cooperating data processors. Thus, data controllers need to carefully select the data processors with whom they collaborate.
Firms in the online advertising industry are highly interconnected, with each publisher collaborating on average with 278 vendors. This interconnectivity makes coordination among actors challenging and requires sophisticated technologies.
Processing personal data becomes easier if data controllers and data processors use a “common language” to define the purposes for which they seek permission for personal data processing, as well as standardized procedures for the transfer of information. The TCF is a framework that aims to provide such standards, thereby facilitating the free flow of personal data.
The vision of the GDPR to put users in control of their personal data also requires users to make decisions regarding the permissions they provide. If users wanted to make an explicit decision for each request to process personal data, it would take up 61% of their time visiting websites.
Firms have various tools to facilitate compliance with the GDPR, including CMPs and the TCF. Yet hardly any tools support users in their decision processes or with their permission management costs.
There is virtually no doubt that the GDPR represents a milestone in enabling users to achieve higher control over their (relatively broadly defined) personal data. However, the introduction of the GDPR has also stimulated a wide range of discussions among data protection authorities, firms, industry initiatives and consumer advocates on the implications of complying with the GDPR and how best to achieve such compliance—as well as more fundamental questions regarding what the true value of user privacy is, and how best to provide users with the optimal level of privacy.
Indeed, as always, there is no free lunch, and protection of user privacy comes at a cost to firms in the advertising industry, and even to users and to society at large. In this book, we have attempted to provide a nuanced yet comprehensive understanding of some of these costs. Academic studies have begun to provide empirical evidence of the toll that the GDPR may be taking: For example, one study suggests that the GDPR has reduced firms’ innovation activities (Janssen et al. 2021), and others show that less tracking leads to lower advertising revenue for publishers (Johnson, Shriver, and Du 2020; Laub, Miller, and Skiera 2022). The resulting loss in revenues could force publishers to seek out cost-saving measures that hamper the user’s experience, such as reduction in the quality of content, or to activate other revenue sources, e.g., via paywalls for their content. Given that policymakers also seek to nurture innovation and consumer wellbeing, these early insights suggest that it would be worthwhile for policymakers to evaluate whether the benefits of the GDPR are outweighed by its adverse effects on the industry. It is unclear to what extent regulators are taking this trade-off into account as they continue to expand privacy protections, by pushing transparency about targeted advertising (via the Digital Services Act), developing specific rules for electronic communication (via the ePrivacy Regulation) and limiting the power of large firms on the Internet, among them important publishers such as Google and Facebook (via the Digital Markets Act).
Our empirical study outlined that the online advertising industry is very complex. For example, on average, each publisher collaborates with 278 vendors. A justified question might be whether such a large number of collaborations is necessary. Yet, even cutting them down by 50% would leave each publisher with many vendors. As researchers in business and economics, we prefer efficient markets. Auctions, such as those used to sell online ads, represent a mechanism that is likely to make markets relatively efficient. Keeping those auctions certainly requires collaborating with a relatively large number of other firms.
As a result, we conclude that online advertising is and will remain a complex market. Accordingly, establishing a standardized set of procedures for GDPR compliance is likely to be in the interest of all market participants, including users. For example, standardized permissions for certain processing activities concerning personal data are likely to facilitate and improve users’ decisions. The involvement of regulators in such standardization processes seems desirable. It would give users a strong voice and reduce firms’ uncertainty concerning compliance with the GDPR and other legal requirements, such as the upcoming ePrivacy Regulation.
Finding a good solution for privacy-preserving online advertising is a societal problem. If online advertising were to stop completely, the biggest losers would be publishers, not advertisers. Advertisers would suffer but spend their advertising budget elsewhere, e.g., on TV advertising. Publishers, however, would no longer be able to gain any income from selling online advertising slots. Consequently, publishers would be forced to go out of business, reduce their content, or charge for content. Charging for content requires introducing paywalls, from which users with low income would likely suffer the most. As low income often correlates with lower education, these users might be lured by websites with low-quality content or, in an extreme case, even by fake news websites.
Though the scenario of a “slippery slope” from privacy protection to the failure of the digital publishing industry and the spread of fake news is admittedly somewhat extreme, it nevertheless serves to illustrate the key premise of this book: the idea that initiatives to protect user privacy should also consider other consequences, such as the economic and societal costs outlined above. We hope that our book enhances readers’ understanding of the online advertising industry and the effects of privacy laws on this industry—and that, as a result, it contributes to a fruitful and open-minded discussion of how best to implement online consumer privacy.