0. WHO WE ARE

Open Rights Group (ORG) is a UK-based digital campaigning organisation working to protect fundamental rights to privacy and free speech online. With over 3,000 active supporters, we are a grassroots organisation with local groups across the UK. We have worked on GDPR and other issues such as data retention, and were a party in the Watson case at the CJEU. Our current focus includes the free expression impacts of content moderation and ‘online harms’ regulatory proposals, alongside surveillance and encryption policy, the use of personal data in the COVID-19 pandemic, data protection enforcement, online advertising and the use of personal data by political parties. We are a member of European Digital Rights (EDRi).

1. ABOUT THIS SUBMISSION

ORG recognises the role of advertising in today’s fruition of internet services; however, we also believe there are significant issues concerning how a specific sector of the online advertising industry works (i.d. the Real-Time-Bidding system, which underlies what the Competition and Markets Authority refers to as open display market). For this reason, we welcome the opportunity to answer to the consultation promoted by the Department for Digital, Culture, Media and Sport, concerning the regulation of online advertising.

Our submission will answer to question 1 of the consultation, where we challenge some of the views of the CMA and of the Centre for Data Ethics and Innovation: namely, we believe that the issue runs deeper than in the terms presented by both, and call for a radical reform of a system (Real-Time-Bidding) which is failing every party involved, except for a group of large technology companies.

To this end, we discuss how systemic consumers’ exploitation, unfairness, and market concentration are inherent traits of an adtech system shaped in its current form, and we later show how these findings relate to some findings we have read in the CMA and CDEI reviews, concerning:

• the extent of the utility of targeted advertising offers to consumers;
• the argument that large technologies companies would have consolidated their position due to the regulatory framework introduced by the GDPR.

Finally, we will move to question 9: by building on the gaps we have highlighted before, we discuss how the proposals presented by the CMA may still be valid, but are in need of a more radical and decisive approach in order to achieve their prospected results. With this regard, we argue that strict and effective enforcement of data protection rules is the missing and most needed step to ensure that a competitive and thriving adtech sector can arise from the ashes of its current failed state of affairs.

ORG are happy to be contacted for any further follow-up by the DCMS, either in person or by email.

2. ANSWERING TO QUESTION 1

Is there any evidence that you would like to provide on the overall benefits, and/or challenges, associated with online advertising to individuals, businesses and/or society, which you believe is not being considered as part of the CMA Market Study into Online Advertising and Digital Platforms, the CDEI reviews into online targeting and bias in algorithmic decision-making, or any other recent reviews that are relevant?

Although we agree with many of the contents and conclusions of the Competition Market Authority (CMA) interim report and the Centre for Digital Ethics and Innovation (CDEI) review, we believe there are some instances where they have both fallen short of properly emphasising the core issue surrounding personalised advertising in the adtech sector.

The system which currently dominate this sector of the market, known as Real-Time-Bidding, has been described by the CMA as complex and opaque¹, as well as suffering significant issues concerning consumers’ trust², or transparency for publishers and other actors in the market³. However, the CMA concludes by framing the issue in terms of small advertising companies being stifled by Google’s dominant position in the market.

In our view, this position underestimates the total market failure of the RTB system in its current configuration, and its irreconcilability with the objectives to promote a competitive and fair online advertising business. Furthermore, we believe that a system dominated by intermediaries is inherently not concerned about consumers’ exploitation and advertising standards, as far as these practices are instrumental to fuel distribution and consolidate their own market power. Within this context, effectively enforcing data protection has the potential to

• reduce harms to consumers, by driving the adoption of ethical and privacy-preserving practices in the field of online advertisement; and
• reduce incentive to produce attention-catching and low-quality contents, thus re-balancing the advertising market in favour of publishers and contents creators, whose interest is to cultivate meaningful relationships with consumers

Below we discuss the two main shortcomings of this system (systematic consumer exploitation and inherent unfairness of the system), and how these create the harms we have identified.

2.0.1 Systematic Consumer Exploitation

Real-Time-Bidding involves the processing of a disproportionate amount of personal data, traded without consumers knowledge or understanding of the logic involved, to a huge and undetermined amount of intermediaries, in the overall absence of any appreciable security measure to protect consumers against potential exploitations⁴. To fully appreciate the measure of this phenomena, it is worth mentioning the established practice of data brokers to take part in the bidding process without any intention to advertise, but to covertly collect personal information contained in the bid requests

and resell them⁵. In our view, all these traits show the inherent incompatibility of the current configuration of this system with consumer protection, and we find validation to our thesis in the overwhelming distrust which consumers are bearing against the sector⁶.

We further discuss about consumers’ adversity and lack of trust toward this system in §2.1, by relating it with the CDEI view about online targeting.

2.0.2 Inherent Unfairness of the System

On top of these issues, this advertising model has failed publishers and advertisers to the same degree it has failed consumers. The CMA rightly identifies both

• publishers’ fragility against large technological companies dominance of the market⁷;
• the inherent opaqueness of the RTB system in its current shape, the challenges associated with measuring the impact of advertising campaigns⁸, and the value of the service which is being paid for.

It is, then, unsurprising to find that publishers and advertisers are being poorly served, with intermediaries holding too much power and retaining up to 80% of the profits⁹.

We further discuss about the inherent unfairness of this system in §2.2, which discusses the CMA’s views about the role of data protection legislation.

2.0.3 Lack of Privacy Leads to Bad Advertising

Finally, we believe that creating the conditions for businesses to compete with privacy-enhancing technologies would inherently increase advertising standards. At present, this system incentivises sheer engagement and selling consumers’ attention to advertisers¹⁰. Under these terms, competitive advantage is gained by collecting huge amounts of personal data, in order to develop algorithms which can efficiently infer individuals’ preferences. This also creates incentives to

• create sensationalistic contents and click-baits in order to inflate users’ engagement¹¹, and
• avoid individuals’ choice or scrutiny over data acquisition and usages, in order to maximise their collection.

Therefore, strong enforcement of data protection rules would not only curb market dominance in the advertising sector. It would also undermine one of the main incentives to produce and distribute low standard and potentially harmful contents.

We discuss the conditions needed to promote healthier and safer online advertising sector in §3, by relating it with the merit of CMA proposed regulatory responses.

2.1 SUPPLEMENT TO THE CENTRE FOR DATA ETHICS AND INNOVATION REVIEW

We welcome the Centre for Data Ethics and Innovation call to strengthen the regulatory oversight of online targeting systems, with the overall objective of increasing transparency, accountability, and user empowerment.

However, we also find the CDEI evaluation of online targeting — which would allow users to navigate “an online world that otherwise contains an overwhelming volume of information¹²” — to be potentially misleading in the context of online advertisement: notwithstanding the potential benefits to be targeted with commercial offers of one own’s interest, it is clear that consumers’ strong refusal to receive such advertising excludes such utility. Having this in mind, we must emphasise how:

• consumers, once informed about the functioning of the RTB system, find it to be unacceptable¹³, in contrast with a generally positive attitude about receiving advertising which is tailored to their interest¹⁴;
• consumers are actively boycotting and opting out of the system, for instance by using an ad-blocker, changing bowers settings, or stopping visiting the website¹⁵;
• software companies are capitalising on consumers’ repulsion against adtech, for instance by equipping web browsers with tools which automatically exclude them from receiving adverts¹⁶.

These findings lead to a broader consideration: personalised adertising which is blocked by consumers is not useful for them (who will not receive commercial offers which they may like), nor for advertisers, who will not manage to reach their intended audience.

2.2 SUPPLEMENT TO THE COMPETITION AND MARKETS AUTHORITY INTERIM REPORT

We welcome the Competition and Markets Authority acknowledgement of the issues surrounding privacy and consumers’ control over their own personal data, within the current reality of the advertising industry.

However, in its findings concerning consumers’ control over data, the CMA also highlights “concerns that aspects of data protection regulation risk creating competition concerns by unduly favouring the business model of large technological companies¹⁷”. Then, it links this claim to two distinct arguments: that GDPR is being leveraged to force publishers into unfair terms, and that the current GDPR consent framework would favour bigger, vertically-integrated platforms over smaller, non-vertically-integrated publishers¹⁸.

We find these arguments to be technically unsound and not supported by appreciable evidence, as further substantiated below.

2.2.1 Our rebuttal of CMA’s statement that: “large platforms may use privacy regulation such as GDPR to force publishers into unfair terms”

The CMA here builds on the assumption that large firms may impose unduly strict compliance terms in order to reinforce their dominance in the process¹⁹. Then, it support such thesis by mentioning two publishers’ submissions, expressing the view that Google would be forcing unfair terms through the new consent regime²⁰.

While we do not contest the fact that anti-competitive behaviours may have been adopted by Google or other large players in the online advertising industry, we find more reason to believe that such practices are the natural attempt of a largely dominant player to strengthen its own position, regardless of any regulatory regime which may come into play. Indeed, we note that

• the position expressed by the Daily Mail and News Media Association concerns Google’s decision “to impose a regime that would effectively make them [independent] data controllers²¹”, in the attempt to transfer liability for consent to the publisher. However, the GDPR states that “where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers²² [emphasis added]”: thus, effective regulatory enforcement would prevent rather than allow the imposition of such contractual terms, which are in contravention of the GDPR;
• a study by the Irish Data Protection Commission has found that a large majority of websites are breaching GDPR rules for consent²³. This shows how Google has leveraged on its contractual power without forcing GDPR standards for consent, which indeed was not met by the industry.

On the other hand, the CMA notes how Google may hold up to 90% of marketshare in the adtech sector²⁴, which in our view provides a much better explanation for their abusive behaviours.

2.2.2 Our rebuttal of CMA’s statement that: “the current GDPR framework would favour bigger, vertically-integrated platforms over smaller, non-vertically-integrated publishers”

The CMA supports this argument by pointing out that “a vertically integrated firm […] can much more easily secure consent from the consumer of personal data for multiple purposes through a single process which is then applied across its businesses²⁵”. Furthermore, it is also pointed out that Google has access to very rich first-part data²⁶: in other words, that its vast array of consumer-facing or analytics services gives them exclusive access to personal data originating from different services (such as Google Analytics, or YouTube).

With this regard, it worths noticing that the CMA misses the point of the current RTB system incentivising the acquisition of large data assets. This makes this business inherently prone to market concentration, as extensive research in the field of market competition has thoroughly documented²⁷, and empirical findings validated²⁸. On top of that, we also notice that:

• vertical integration is a process which Google initiated in 2001 with the acquisition of Applied semantics²⁹, and continued with a series of acquisitions in 2007, 2009, 2010, 2011, and 2014³⁰. This shows a long-lasting tendency of this industry toward vertical integration, which started long before the entry into force of the GDPR. Thus, it is reasonable to assume that the GDPR framework is not a driving force toward vertical integration;
• Google obtains its first party data in breach of GDPR provisions, as the record-high fine of the French Data Protection Authority has already determined³¹. Furthermore, merging data from different sources (e.g. by reusing analytics data for online advertising) is in contravention of the GDPR principle of purpose limitation³²: such limit, if effectively enforced, would neutralise the anti-competitive edge which vertical integration provides in this field³³.

3. ANSWERING TO QUESTION 9

Considering the benefits and challenges you have identified above, what additional actions / measures / initiatives could be proposed that would help ensure that the online advertising sector can continue to innovate and grow?

We have discussed before how the current system creates perverse incentives in terms of market dynamics (see §2.2), and how these relate to advertising standards (see §2.0.3). In broader terms, these practices are the measurement of a clear market failure, which is ultimately incompatible with the policy objective of having a healthy and innovative advertising sector.

Having this in mind, we support a number of proposals being advanced by the Competition and Markets Authority, in particular concerning:

• giving consumers a meaningful choice over personalised advertising, in line with GDPR and PECR requirements;
• facilitating the adoption of privacy enhancing technologies in the field of digital advertising.

However, we also believe that these measures would not be effective, if they are not reinforced by a more decisive reform of the adtech sector. Indeed, the CMA has gathered extensive evidence to the fact that building consumers’ relationships is impossible at present. Consumers do not engage with privacy policies, and are thus unaware of what they are consenting to³⁴. Also, consumers are forced into a take it or leave it approach³⁵, or by using dark patterns to deceive users³⁶. Finally, the ICO has rightly pointed out how the industry is in the overall incapacity of even describing to the end user what happens to their data, and thus what they are asking them to sing to³⁷: this denotes a business model which is deceitful and coercive by design — in contrast not only with the GDPR, but with any reasonable industry standard.

Therefore, we recommend building on the merit of these proposals to deliver a more decisive and transformative approach, where strong and effective enforcement of data protection allows privacy enhancing technologies to compete in the market, and reshape its functioning and inner incentives.

3.0.1 Giving consumers a meaningful choice over personalised advertising

We strongly support the CMA proposal to giving consumers a choice over personalised advertising on all platforms, while allowing platforms to provide contextual advertising to fund their online services for those users who do not opt-in to personalised advertising³⁸. We also want to reinforce that:

• contextual advertising should, in line with the privacy by default principle, be the primary setting for the use of online services, while personalised advertising should be strictly opt-in;
• in order to be truly empowering toward the end user, strong regulatory enforcement of GDPR standard of consent should be ensured, in particular against dark patterns or other deceitful design strategies which may compel or trick users into “consenting” to personalised advertising.

3.0.2 Putting a stop to illegal practices, and allow privacy enhancing technologies to compete in the market

We also share the CMA interest toward promoting privacy-enhancing approaches to online advertisement³⁹. At the same time, we must emphasise how a transition to privacy-preserving practices is not a nice-to-have feature, but a fundamental step to overcome the limitations and distortions which characterise the current functioning of the adtech industry. With this regard, we note that:

• the advertising industry shows to be lucrative and attractive for new players: indeed, a number of alternative models for online advertisement have emerged over the years, such as
  • the Brave proposal to remove personal data from bid requests⁴⁰,
  • ITEGA cross-site authentication and standardized formats for exchanging privacy-by-design user attributes⁴¹
  • TrustX data marketplace⁴²
• these, as well as other potential alternatives to the status quo face the unfair competition of the adtech industry, as we have extensively outlined before. This state of affairs stifles competition and innovation, and constitutes the biggest and most obvious entry barrier to the market of digital advertising.

Therefore, it is clear that the government should not be overly concerned about stifling investments and innovation in the sector, which seems a highly unlikely scenario. On the other hand, the sector is in dire need of bold and decisive enforcement of regulatory standards, in order to allow all parties to compete on merit.

4. CONCLUSIONS

Online advertisement plays a fundamental role for the development and fruition of many of our online services. At the same time, unchecked and unregulated growth of the adtech sector has allowed the consolidation of detrimental or outright illegal practices. The same perverse incentives led the industry toward anti-competitive behaviours and, ultimately, to a race to the bottom in online advertising standards.

We believe the case for strong and effective enforcement of data protection rules, as a way to reframe the incentives which led the adtech sector to its current state, is clear. Indeed, the GDPR has provided regulatory authorities with strong and effective powers; however, enforcement has been slow, and consumers’ trust over the market has dropped to the point where nearly half of internet users have started to actively boycott online advertising. This indicates a situation which is not beneficial to citizens, business, and society as a whole.

1See CMA market study interim report on online platforms and digital advertising, paragraph 5.41, p. 161

2Ibid, paragraph 4.48, p. 121

3Ibid, paragraph 5.235, p. 214

4See ICO update report into adtech and real-time bidding, chapter 3, pp. 15 to 23

5For instance, James Hercher, CEO of a cross-device company “the DSP itself has a very low profit margin […] sales have healthier margins, and can be more sustainable without the ad revenue.” Source: https://www.adexchanger.com/data-exchanges/tapad-ceo-on-cross-device-graphs-and-where-its-data-comes-from-hint-not-telenor/

6Europe-wide, only 37% of users are confortable about online marketplaces using their personal data to tailor advertisement. Source: https://ec.europa.eu/commfrontoffice/publicopinion/index.cfm/Survey/getSurveyDetail/search/online/surveyKy/2126

7See CMA interim report, paragraph 4.145, p. 146

8Ibid, paragraph 5.189, p. 201

9For instance, see Ross Benes, Why Tech Firms Obtain Most of the Money in Programmatic Ad Buys. Source: https://www.emarketer.com/content/why-tech-firms-obtain-most-of-the-money-in-programmatic-purchases

10How do the biggest tech companies make money? Source: https://internethealthreport.org/2019/how-the-biggest-internet-companies-make-money/

11Your Attention is the Hottest Currency on the Internet. Source: https://blog.mozilla.org/internetcitizen/2018/07/26/katharina-nocun-social-media-networks/

12See CDEI review of online targeting, paragraph 102, p. 36

1343% of respondents find it unacceptable, against a 36% who find it acceptable. Source: ICO, Ofcom Adtech Market Research Report

1454% of respondents agree, 20% disagree. Source: ICO, Ofcom Adtech Market Research Report

1541% of respondents have tried to stop websites to display adverts. Source: ICO, Ofcom Adtech Market Research Report

16See, for instance, Apple’s Intelligent Tracking Prevention. Source: https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/

17See CMA interim report, paragraph 4.142, p. 145

18Ibid, paragraph 4.143, p. 145

19Jason Furman, Unlocking digital competition, paragraph 4.42 p. 124

20See CMA interim report, paragraph 4.145, p. 146

21New Media Association Press statement. Source: http://www.newsmediauk.org/News/gdpr-google-accused-of-putting-a-gun-against-publishers-heads

22Article 26(1), Regulation (EU) 2016/679

23Irish Data Protection Commission report on the use of cookies and other tracking technologies. Source: https://www.dataprotection.ie/sites/default/files/uploads/2020-04/Data%20Protection%20Commission%20cookies%20sweep%20REVISED%2015%20April%202020%20v.01.pdf

24See CMA interim report, paragraph 53, p. 18

25Ibid, paragraph 4.149, pg. 147

26Ibid, paragraph 5.208, pg. 205

27For instance, see Autorité de la concurrence, Bundeskartellamt, Competition Law and Data, pp. 11 to 14. Source: https://www.bundeskartellamt.de/SharedDocs/Publikation/DE/Berichte/Big%20Data%20Papier.pdf?__blob=publicationFile&v=2

28Jason Furman, Unlocking digital competition, paragraph 1.61 p. 31

29DMG Media reponse to CMA interim report, paragraph 20.a, p.10 Source: https://assets.publishing.service.gov.uk/media/5d922706e5274a2fad5bd938/190729_DMG_Media_observations_on_CMA_Statement_of_Scope_-_non-confidential_version_Redacted_WEB.pdf

30See CMA interim report box 5.1, pg. 200

31See The CNIL’s restricted committee imposes a financial penalty of 50 Million euros against GOOGLE LLC. Source: https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc

32Article 5(1)b, Regulation (EU) 2016/679. See also Article 29 WP, Opinion on purpose limitation. Source: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf

33See, for instance, BRAVE response to CMA interim report. Source: https://assets.publishing.service.gov.uk/media/5e8c62aee90e07077e361586/200212_Brave_Interim_Report_Response-.pdf

34See CMA interim report, paragraphs 4.76 to 4.89, pp. 128 to 130

35Ibid, paragraph 4.106, p. 134

36See also CNIL, from dark patterns to data protection: the influence of ux/ui design on user empowerment. Source: https://linc.cnil.fr/sites/default/files/atoms/files/cnil_ip_report_06_shaping_choices_in_the_digital_world.pdf

37See ICO update report into adtech and real-time bidding, p. 19

38See CMA interim report, paragraphs 6.94-6.96, p. 253

39Ibid, paragraphs 6.149-6.150, p. 265

40Major publisher group DCN tells regulators “the sky won’t fall” if RTB switches to safe, non-personal data. Source: https://brave.com/dcn-letter-rtb/

41Source: https://infotrust.org/mission/

42Source: https://www.trustx.org/