It’s been a busy couple of months for digital advertising industry regulators, with new regulations taking effect around the US and new legislation popping up around the globe. What’s the latest, and how will it impact advertising and marketing professionals? Let’s dig in and find out:
While the United States has taken its time determining how to handle Big Tech regulation, the European Union has embraced its reputation as the world’s fiercest tech regulator.
Unrestrained by free speech rules like America’s First Amendment, the EU has taken the lead on matters like consumer privacy (with GDPR), walled gardens like Apple’s App Store and the Google Play Store (with the Digital Markets Act), and now its latest target: misinformation and hyper-personal ad targeting on social media.
The legislation, called the Digital Services Act, will compel social platforms like Facebook, Instagram, and YouTube to dedicate more resources to stomping out misinformation and hate speech on their platforms, and ban any targeted online ads that are based on an individual’s ethnicity, religion, or sexual orientation. Google and Meta would also be subject to annual audits to uncover “systemic risks” related to their social assets, and even Amazon would have to comply with new rules aimed at curbing the sale of illegal products.
These new European regulations will no doubt have an enormous impact on how social media companies combat hate speech and misinformation, how Google suppresses misleading search results, the criteria advertisers can use to target consumers, and how Amazon tracks down and removes banned items from its marketplace. While the Digital Markets Act (and its rules that govern so-called “gatekeeper platforms”) has already come into force, the wider-reaching Digital Services Act won’t go into effect across the EU until 2024, giving Big Tech companies—and the advertisers who use them—a bit more time to adjust their strategic plans and ensure proper enforcement.
In the meantime, social media platforms still face strict regulation in the EU—and serious consequences when they breach the bloc's privacy laws. Meta learned this the hard way, incurring a nearly $1.3 billion penalty for transferring user data between the United States and countries in the EU and the European Economic Area. It’s the biggest penalty an EU regulator has levied on a tech company since 2021 and a clear signal that privacy compliance is non-negotiable. (That said, the new EU-US Data Privacy Framework should hopefully help prevent similar data flow-related fines and confusion going forward.)
Back stateside, industry regulation is a bit more decentralized. While federal-level legislation has mostly lingered in congressional purgatory (more on that in a bit), a whopping five new state-level data privacy acts will take effect in 2023, with new regulations coming to Virginia, Colorado, Connecticut, Utah, and California.
The broadest and most impactful of those: the California Privacy Rights Act, aka CPRA. Building off the foundation of 2018’s California Consumer Privacy Act (CCPA), the new act creates a California Privacy Protection Agency that’s dedicated to (and responsible for) enforcing the law—indicative of increased enforcement—while also reducing ambiguity around how to interpret some of the data-related aspects of the law. The CPRA now requires companies to give consumers the opportunity to not only opt out of the sale of their personal information, but also of giving or sharing that data with someone else, including a third party that might use it for cross-context behavioral advertising.
As Basis Technologies General Counsel Derek Zolner put it: “Essentially, the CCPA, CPRA, and the other data privacy acts that are popping up around the US are establishing legal enforcement mechanisms around personal control of one’s personal data and codifying many of the core principals of our industry—namely, transparency, notice, and the right to opt out. Only now, instead of the industry self-regulating these matters, state governments are intervening to take control of that enforcement.”
Meanwhile, at the federal level, Congress is considering legislation that could fundamentally alter the entire digital advertising landscape and, if passed, would potentially end the Big Four era of Big Tech.
A bipartisan group of lawmakers led by Utah Senator Mike Lee introduced a bill that would prohibit companies that take in $20 billion or more in digital ad revenue—think Google, Meta, and Amazon—from owning all of the tech and marketplaces involved in both the buying and selling of those ads. The legislation, titled the Competition and Transparency in Digital Advertising Act, would also bring new levels of transparency to the industry, requiring companies with more than $5 billion in digital advertising revenue to “act in customers’ best interests and provide greater transparency on data collection, the terms of winning bids and the fees they charge.”
In essence, the law would force ad behemoths like Google to sell or spin off parts of its $210 billion global ad business while delivering new levels of programmatic advertising transparency for advertisers and publishers alike.
Now, whether or not the Lee-drafted legislation ever makes it to the President’s desk is far from certain. However, the fact that it has finally reached the Senate floor after months of rumor—and that it even has bipartisan cosponsorship in what is a very fractured Washington—shows just how real the desire is among many Americans for a digital advertising industry that’s less of a black box and more of a sunlit building with lots of South-facing windows.
As if pending legislative action wasn’t enough, Google and Meta are also facing both consumer scrutiny and federal lawsuits around alleged anticompetitive practices, ad auction manipulation, and monopolistic market shares in the US. Google, in particular, has caught the eye of the Justice Department and several states and is now staring down the barrel of a new suit accusing the company of “monopolizing digital advertising technology” in violation of the Sherman Antitrust Act. If successful, the lawsuit would not just bar Google from engaging in anticompetitive practices, but force it to divest of some (or all) of its ad business, such as its ad server, ad exchange, ad networks, or DSP.
Together, Google, Meta, and Amazon account for nearly two-thirds of the $278 billion US digital ad market. Between those antitrust concerns and accusations of political meddling against big tech from both side of the aisle, the possibility of major regulatory changes in the digital advertising industry is all too real.
This antitrust regulatory action isn’t limited to the US. Across the pond, Google faces similar antitrust charges for its digital advertising practices, with the European Commission citing Google’s heavy involvement at “almost all levels of the so-called adtech supply chain” and noting concerns that the world’s fourth-most valuable company “may have used its market position to favor its own intermediation services.” This marks the fourth time Google has run afoul of EU antitrust regulations in the last few years, and with the bloc’s history of action against US-based tech giants, the case is unlikely to go away anytime soon.
Since its public release in 2022, generative AI has garnered a lot of hype—and for good reason. From AI chatbots like ChatGPT and Bard, to AI image and art generators like DALL-E 2 and Midjourney, to Microsoft and Google both embracing new AI-powered search capabilities, this emerging tech is making some serious waves in the marketing and advertising world (and beyond). But for all the excitement around generative AI, its boom has also been accompanied by fierce warnings and concerns from experts across the globe.
Amidst these mixed emotions, it’s no surprise that AI regulation has become a hot topic. After briefly banning ChatGPT in March 2023, Italy’s data protection authority has since further solidified its plans to closely scrutinize and evaluate generative AI tools their compliance with data protection and privacy laws. And in early June 2023, the EU came out with the world’s first comprehensive AI law: The EU AI Act. In it, they outline the many potential benefits of AI, as well as “establish obligations for providers and users depending on the level of risk from artificial intelligence.”
The US, meanwhile, has yet to take action quite as deliberate as the EU’s, but that doesn’t mean Washington has been ignoring AI’s emergence. A bipartisan collection of congresspeople recently introduced a new House bill for an AI-focused oversight commission, and preliminary action from the White House emphasizes that it’s a priority. And in May, OpenAI CEO Sam Altman appeared before Congress and directly encouraged lawmakers to regulate artificial intelligence. That said, tech leaders are largely divided on how AI should be regulated—with some even questioning if it should be regulated at all. As this disruptive technology continues to evolve, so too will governments’ regulatory approaches, and we are likely to see more concrete activity on this front in the months ahead.
Last but not least, while much of the focus of recent regulation has had an eye toward American-based companies, there is one notable exception to the trend: TikTok.
Many no doubt remember the TikTok regulation sagas of 2020, when then-President Trump attempted to remove the app from Apple and Google app stores over data privacy and national security concerns and even worked to force the company to sell its US operations to an American firm such as Oracle or Microsoft.
While these more immediate federal-level threats seemed to taper off following the election of President Joe Biden, the lull proved to be short-lived. In March 2023, the Biden administration demanded that TikTok be sold or risk facing a nationwide ban. Lawmakers in Washington have indicated there may be rare bipartisan support for regulatory of the app, pointing to ongoing concerns around TikTok’s data practices and its ties to Chinese-owned parent company ByteDance. But after a high stakes congressional hearing in March, where the House Energy and Commerce Committee spent five hours grilling TikTok CEO Shou Zi Chew on the platform’s data security and privacy practices, regulatory action seems to have reached a standstill (though, like the threat of a ban, that too may prove to be but a lull).
Today, any attempt to bar the wildly-popular app from either iPhones or Androids on a nationwide level would undoubtedly be met with swift and severe backlash—particularly among Gen Z—and not to mention inevitable legal challenges. In the meantime, TikTok has pointed to ongoing its plans to further isolate and secure US user data, including an agreement where TikTok would store all such data on American-based Oracle servers (as opposed to its own servers in both Virginia and Singapore) in an effort known as “Project Texas”.
If anything, the app has faced its harshest scrutiny at the state level. In May, Montana became the first state to ban TikTok, with the ban slated to take effect on January 1, 2024. Additionally, TikTok has been banned from government devices in more than half of all US states, numerous universities have blocked the platform from campus Wi-Fi networks, and a group of 15 state attorneys general have called on Apple and Google to change TikTok’s app store age ratings.
As TikTok continues to soar in popularity, gobble up market share, influence global culture, and embrace advertising opportunities, it will no doubt attract increased legislative and regulatory scrutiny from governments around the globe. So while it has thus far escaped initial regulatory attempts relatively unscathed, the clock is ti(c)king...
On to the big question: what does this all mean for digital advertisers?
For one thing, the Digital Services Act will potentially lead to safer advertising environments—particularly on social media—helping both brands and users enjoy a more hospitable digital ecosystem. With brand safety an increasingly-meaningful aspect of the brand-customer relationship, an internet with less misinformation and more trust would be more than welcome across the globe, let alone in Europe. The EU legislation will also mean some aspects of targeted digital advertisements in the region are slightly less personalized, at least on the basis of ethnicity, religion or sexual orientation.
When it comes to TikTok, the app's booming growth and rising ad revenues do not appear at risk with any new agreements surrounding US user data—if anything, it could provide digital advertisers and TikTokers alike with more confidence in the platform's safety.
As for Google, the biggest threats to its digital ad dominance (other than an AI-fueled search revolution) are the 2023 antitrust suits. The US-based suit—an “ambitious swing” from the Justice Department—nevertheless has a very real potential to succeed. Google, for its part, has said the US suit “ignored the enormous competition in the online advertising industry” and that the EU charges “focus on a narrow aspect of our advertising business.” Regardless, the suits could cloud Alphabet’s forecasts and bring further uncertainty to a company that just this year conducting its largest-ever round of layoffs while facing new search competition from an AI-powered Bing.
State-based US legislation such as the CPRA should lead to increased transparency and control over personal data for consumers—or, at least, for consumers from those states that have enacted new privacy laws. And as for the larger US bill, Google, Meta, and Amazon—not to mention their lobbyists—will no doubt have plenty to say about its contents. Google's immediate reaction was to say that the bill will "hurt publishers and advertisers, lower ad quality, and create new privacy risks" and point to "low-quality data brokers" as the true problem. And in the months since it was first introduced, the bill’s progress has (like so many others) predictably stalled. But whatever the outcome, it’s clear that Washington is hearing the rising calls for digital advertising transparency from brands, publishers, and consumers alike.
As much as people want a unified, omnichannel consumer experience, they’ve also made it clear that they want more control over who can—and who cannot—access their personal data as part of the advertising process. Private companies like Apple (with iPhone’s App Tracking Transparency and lack of third-party cookies on its Safari browser) and even Google (which is famously deprecating third-party cookies in Chrome by 2024) have shown a willingness to slowly but surely give consumers more control over their data, but the rest of the advertising industry has at times seemed reticent to accept the realities of a cookieless future.
If this regulatory news out of the EU and the US tells us anything, it’s this: one way or another, the digital advertising industry is going to have to prioritize privacy. Third-party cookie deprecation is happening, even if there’s no single, perfect “replacement” solution quite yet. And if Big Tech—and the advertising industry—don’t want to make the difficult choices involved in regulating themselves when it comes to consumer privacy, then world governments will likely be all too happy to do it for them.
Having an identity crisis of your own? Check out our guide: Beyond Third-Party Cookies: Your Guide to Privacy-Friendly Advertising.
Post updated July 11, 2023