Following trials last year in Germany, European telcos are moving forward with a plan to establish a joint venture to provide opt-in “personalized” ad targeting of regional mobile network consumers. However, it is not yet clear whether European Union officials will approve their proposal.
Germany’s Deutsche Telekom, France’s Orange, Spain’s Telefonica, and the UK’s Vodafone set out the proposed concentration to create a jointly controlled and equally owned joint venture — to offer “a privacy-led, digital identification solution to support the digital marketing and advertising activities of brands and publishers” as they describe the proposed “first party” joint venture — in a filing made to the European Commission’s competition division (previously spotted by Politico).
The Commission has until February 10 to decide whether to approve the joint venture (JV) and, consequently, whether to let the carriers proceed with a commercial launch.
According to a Vodafone representative, the operators are unable to comment on the proposed JV while the Commission decides whether to approve the project. The representative also declined to speculate on a prospective launch date. They said that, assuming Brussels gives the telcos the go-ahead to collaborate on the infrastructure for mobile ad targeting, public messaging on the project will occur after approval.
Information about the carriers’ plan to move into tailored ad targeting emerged during initial testing in Germany last summer. At the time, Vodafone indicated it would rely on user consent to the data processing and said the technology was a “cross-operator infrastructure for digital advertising and digital marketing.” The initial name of the project was “TrustPid” (but if it flies, expect that clunky label to be replaced with some slicker marketing).
Given the extensive data protection and privacy laws in the European Union and the fact that existing microtargeting adtech (which also relies on a claim of user consent) was found in violation of the General Data Protection Regulation in February of last year, privacy watchers quickly raised concerns about the legal basis for processing mobile users’ data for ads.
Data protection authorities in Germany and Spain also gave the idea some early attention. According to reports, the telecoms’ plans to seek consent were modified to make the process more explicit as a result of their interactions with regulators.
The filing submission from the telcos wanting to form a JV, dated January 6, 2023, states that “explicit user consent” (obtained through an opt-in) is the proposed legal foundation for the targeting.
Subject to explicit user consent provided to a brand or publisher (on an opt-in basis only), the JV will generate a secure, pseudonymized token derived from a hashed/encrypted pseudonymous internal identity linked to a user’s network subscription which will be provided by participating network operators. This token will allow the brand/publisher concerned to recognize a user without revealing any directly identifiable personal data and thereby enable them to optimize the delivery of online display advertising and perform site/app optimization. Users will have access to a user-friendly privacy portal. They can review which brands and publishers they have given consent to, and withdraw their consent.
A spokesperson for one of the involved carriers (Vodafone) explained their strategy and acknowledged that the plan is to rely on pop-ups to obtain consumers’ agreement. Therefore, it appears premature for anyone to have hoped that the end of third-party cookie tracking would eliminate consent spam.
A legal basis is still needed to process people’s data for marketing, as ongoing guidance (and enforcement) by EU data protection regulators makes clear, such as the massive fine this month for Meta for trying to claim contractual necessity for processing user data for ads, or the warnings TikTok attracted last year when it sought to switch from using tracking cookies to a first party data-based alternative.
However, using consent as the legal justification for “tailored ads” is no walk in the park: Last year, the IAB’s Transparency and Consent Framework (TCF), which is based on a claim of consent to third-party ad monitoring, was found to be in violation of the GDPR (as was IAB Europe itself). Additionally, the Belgian DPA gave the adtech sector a strict reform directive. Pending a formal judicial judgment, though, the tracking-ads status quo stomps along like a zombie.
First, according to the four telcos behind the proposed JV, their approach is based on first-party data, which sets it apart from current-gen (legally clouded) adtech targeting (the TrustPid project’s claim is that no syncing and/or enriching of the individual-linked targeting tokens is allowed and/or possible between participating advertisers). Therefore, the type of consentless-by-design background “superprofiling” of users that has current-gen adtech in such legal (and reputational) hot water is not what is being proposed. Each brand or advertiser must obtain upfront consent from their own users for the proposed tracking to take place, and they are only able to target based on the data they collect. (Additionally, we are informed that user-linked tokens will be cycled frequently; the prior plan called for them to be reset every 90 days.)
Second, the telcos are proposing to impose contractual restrictions on participants, such as prohibiting the attachment of special category data (such as health information or political affiliation) to a user-linked token by an advertiser as a targetable interest. Additionally, they want the JV to have ultimate say over the wording and layout of consent pop-ups (which they say will offer users a top-level refusal, rather than burying that option as routinely happens with cookie consent pop-ups). Additionally, they promise to regularly inspect all participating websites.
A third check is available: a portal where mobile users may check (and cancel) any permissions they’ve given to certain brands or publishers to utilize their first-party data for adverts. We’re told that this portal will also feature an option for consumers to completely ban the system (so a hard opt-out). However, it’s our understanding that consumers who apply such a block are not currently shielded from pop-ups requesting their assent to ad targeting (in the trial), so consent spam and fatigue are destined to persist. (And, well, may perhaps multiply when permission gets unbundled, i.e. if the system takes off with a lot of companies and marketers.) At least until they can come up with a suitable legal foundation that does not call for persistently bothering consumers who have already declined consent with pop-ups.
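One way the token properties described above (per-brand consent, no syncing between advertisers, 90-day resets, a hard opt-out) could be met, as an added illustration that is not the telcos' code or design. The `TokenIssuer` class, the HMAC-SHA256 construction, the key and all sample identifiers are assumptions.

```python
import hashlib
import hmac
from datetime import date, timedelta

ROTATION_DAYS = 90  # reset interval the article cites from the earlier plan


class TokenIssuer:
    """Hypothetical JV-side issuer (assumed design, not the telcos' code)."""

    def __init__(self, secret: bytes):
        # Keyed MAC rather than a bare hash: subscriber identifiers are
        # low-entropy, so an unkeyed hash could be reversed by enumeration.
        self._secret = secret
        self._consents = set()   # (subscriber pseudonym, partner) opt-ins
        self._blocked = set()    # subscribers who applied the hard opt-out

    def grant(self, pid: str, partner: str) -> None:
        self._consents.add((pid, partner))

    def withdraw(self, pid: str, partner: str) -> None:
        self._consents.discard((pid, partner))

    def block_all(self, pid: str) -> None:
        """Hard opt-out: drop every consent and refuse future tokens."""
        self._blocked.add(pid)
        self._consents = {c for c in self._consents if c[0] != pid}

    def issue(self, pid: str, partner: str, today: date):
        if pid in self._blocked or (pid, partner) not in self._consents:
            return None
        window = today.toordinal() // ROTATION_DAYS
        # Binding the partner and the window into the MAC input gives each
        # partner a different token, and a new one after each rotation.
        msg = "\x1f".join((partner, str(window), pid)).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()


def demo() -> dict:
    issuer = TokenIssuer(b"constructed-demo-key")  # constructed sample values
    pid, day = "operator-pid-0001", date(2023, 1, 10)
    issuer.grant(pid, "news.example")
    issuer.grant(pid, "shop.example")
    news = issuer.issue(pid, "news.example", day)
    shop = issuer.issue(pid, "shop.example", day)
    rotated = issuer.issue(pid, "news.example", day + timedelta(days=ROTATION_DAYS))
    issuer.withdraw(pid, "shop.example")
    after_withdraw = issuer.issue(pid, "shop.example", day)
    issuer.block_all(pid)
    after_block = issuer.issue(pid, "news.example", day)
    return {"news": news, "shop": shop, "rotated": rotated,
            "after_withdraw": after_withdraw, "after_block": after_block}
```

Because the two partners' tokens for the same subscriber share no common value, matching them requires the issuer's key; whether a real deployment achieves this depends on details the filing does not disclose.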
If the Commission approves the telcos’ JV, project scrutiny will undoubtedly increase. Close attention to technical (and contractual) details may well raise new issues. Therefore, it’s too early to say whether the strategy will win over regulators and privacy experts.
Users of mobile networks themselves may also become frustrated if they find themselves suddenly confronted with a new, obtrusive layer of consent spam while using a service that they have paid telcos to supply them with—browsing the mobile web. Thus, there may not be much room for additional consent spam.
Additionally, persuading mobile users to actually opt in to advertisements poses a significant hurdle to acceptance, presuming they are indeed given a genuinely free (and fair/non-manipulative) choice to decline tracking, as opposed to being pushed or duped into it as has been the dark pattern rule for years. If questioned directly about tracking, a lot of people will object (for example, consider how Apple’s App Tracking Transparency requirement affects the ability of third-party iOS apps to track users).
Therefore, there is no guarantee that mobile consumers on their networks will agree to cooperate even if the telcos are allowed to develop their joint venture for ad targeting.
However, if this is successful, there may be a possibility for marketers to attract web users with a novel strategy. The ability to do things differently versus the creepy status quo that can’t clearly explain how people’s data got sucked up, where it may have ended up, or what’s really been done with it offers an opportunity to be transparent about wanting to process people’s personal data for ads and, potentially, also be able to offer incentives for users to agree.
Therefore, a direct approach could offer a way for smarter brands to improve their ties with devoted customers by making plain requests rather than using covert surveillance.