The EU’s war on behavioral advertising

Meta recently conceded that in-app behavioral advertising in the EU can no longer be opt-in by default, marking the end of an era. The regulators won, at least for now.

Published in

UX Collective

12 min readAug 25, 2023

Every few decades, major shifts happen that change how an industry fundamentally operates, and who the new winners and losers are. We are in the midst of one such shift in the digital advertising industry. This has been driven by three critical changes in the ecosystem, all privacy-related:

Apple announced the App Tracking Transparency framework in 2021
Google is deprecating third-party cookies in 2024
A slew of privacy legislation is either already in place (like the California Privacy Rights Act, EU General Data Protection Regulation) or is about to be in place (like the EU Digital Services Act)

While the effects of these changes have been felt by the advertising industry globally, the EU in particular has been at war with behavioral advertising for a few years now. And winning. In the past three weeks, there have been significant announcements from Meta, Snap and TikTok about upcoming changes to their products in the EU. It’s probably fair to say these changes mark the end of an era for behavioral advertising in the EU, and the platforms have made peace with that.

In this piece, we’ll dive into:

How the advertising ecosystem runs (or used to run)
Privacy interventions and impact on behavioral advertising
EU’s war on behavioral advertising and why platforms are conceding
Possible future paths

How the advertising ecosystem runs (or used to run)

Let’s start with some simple concepts. An ad shown to you can be contextual or behavioral (sometimes both).

A contextual ad is something that is shown alongside organic results (non-ads) in the context of whatever you are doing. For example, if you are on a food delivery app like DoorDash and you see an ad for a restaurant alongside organic results, that is a contextual ad. In that case, your identity doesn’t really matter. DoorDash knows your location and what you’re looking for, and therefore shows you a relevant ad. Knowing your identity and interests does help improve relevance of these ads, but it’s secondary to the context itself.

A behavioral ad is something that’s shown to you because of your past behavior. For example, you might have visited an office chair brand’s page on Instagram and therefore you get served ads for another office chair brand; that’s exactly what happened to me with the ad on the right. This can either be based on direct behavior (like the office chair example), or inferred behavior — people like you that looked for chairs also looked for monitors. One step further, people who looked at chairs are also likely to work from home more and therefore open to a lunch service. All of those are potential ads that can be shown to you.

Contextual ad on DoorDash (left) vs Behavioral ad on Instagram Stories (right); Source: author

A subset of products, most often search products, are perfect for contextual ads — Google Maps, Google Search, DoorDash, Yelp, Thumbtack, TripAdvisor, Zocdoc to name a few. The user has high intent to do something specific. However, most high-intent products are low-medium frequency. You are not looking for plumbers every day on Thumbtack and you are not looking to order food delivery every hour of the day on DoorDash, and therefore the amount of contextual ad inventory is lower — highly effective but lower in volume.

On the other hand, social media platforms where users spend hours doomscrolling have a large volume of non-contextual inventory. Random ads are annoying and ineffective, and therefore the most effective way to monetize this inventory is through behavioral ads.

Unsurprisingly, behavioral ads require a lot of data, and specifically data about you. Before ~2018 (when EU’s GDPR kicked in), there was essentially free flow of data about you, collected through a long list of highly effective AdTech mechanisms. Some notable examples:

Every iOS or Android phone had a unique “mobile advertising ID” assigned to it (and by association, to you). This ID was accessible to all apps on your device, i.e. your Uber app and your Google Maps app both knew you are mobile advertising ID 123, and could easily cross-identify you across apps.
Most browsers (except Safari and Firefox) supported “third party cookies”, which is essentially a piece of data that one site could place on your browser and another site could access. There would be a “cookie ID” associated with you and you could be easily cross-identified across websites.

Note that these identifiers, for all practical purposes, were permanent. You could go deep inside your settings and reset these IDs but most people never do that. This resulted in a couple of second order effects.

First, companies that are “data brokers” started purchasing data from several different data providers and building “profiles” about you; for example, app 1 could tell the broker that you bought an expensive piece of furniture, website 2 could tell them you have an account with a high end bank, and the data broker could put that together and categorize you as “high propensity of spend” person; note that when I say “you”, that refers to your identifiers (mobile advertising ID or third party cookie ID)

As more and more data became available, the profiles had more fidelity to them and identification became more sophisticated; for example, if app 1 had your mobile advertising ID and website 2 had your Chrome third-party cookie ID, a data broker or an ad platform could compare your IP addresses and know it is the same person.
Take this one step further. A data broker could also use a third data source and find an email associated with your IDs. One more step further, they could buy your address from a utility or telecom company and find your address.
This might sound far-fetched but it’s not — device graphs are a very commonly used data product in the AdTech stack today, and telecom companies are notorious for selling your data. If you need a more entertaining take, check out John Oliver’s episode on data brokers.

Second, Attribution / measurement of advertising campaigns became more and more precise; through a combination of technical mechanisms, an advertiser could say you first saw an ad on Facebook, then an ad on Google Search, then a display ad on NYTimes, and eventually bought an item from their website, so each of those three advertising platforms get shared credit

While this sounds privacy invasive (and it is), this resulted in a highly efficient advertising ecosystem. Advertisers knew exactly which users they were targeting and since they had all these extra behavioral signals to know how likely a user was to engage, they were willing to pay higher cost per impressions (CPM) for ad inventory, thereby generating more revenue for a media publisher. Precise attribution / measurement turbocharged this further.

However, you can see how this was becoming the wild west — highly effective advertising no doubt but also an uncontrolled orgy of data acquired with non-existent or questionable user consent. This rightfully raised concerns about data consolidation in the hands of both data brokers and large technology companies, and an intervention was inevitable. It was less a matter of if and more a matter of when.

Privacy interventions and impact on behavioral advertising

Let’s dive into each of the three privacy interventions that arose in an attempt to tame the Wild West.

First, Apple introduced the App Tracking Transparency (ATT) framework. It sounds jargon-y but the change is relatively simple. Prior to ATT, every app by default had access to your advertising ID, i.e. it was opt-in by default. This meant you could easily be tracked across apps and therefore shown effective behavioral ads. For example, you installed the Strava app to track your runs, you are now on Facebook, and you are shown an ad for Strava Premium. After ATT, the access to this identifier became opt-out by default, i.e. an app had to show you a pretty aggressive prompt to get access to your identifier and you explicitly needed to say yes. The average opt-in rate ended up close to ~34% (with a lot of caveats).

We won’t go into much detail here but this prompt was launched by Apple in the guise of embracing privacy — a smart chess move. The consensus opinion today is that this was an opportunistic move from Apple, which no doubt improves privacy but also heavily hurts Apple’s competitors as they prop up their own ads business. The impact was that user identity was available much less often.

Note here that for behavioral advertising to happen in the Strava-Facebook example, there is not one but two apps that needs to have received opt-in from you, i.e. the addressable market does not drop to 34%, it drops to 34% * 34% = ~12%. Therefore, cross-app behavioral advertising on iOS is no longer effective at scale.

Second, Google announced that they will deprecate third-party cookies in 2024. The consensus opinion is that the change helps Google achieve a dual purpose: appease regulators who are breathing down their neck for potential anti-trust behavior in AdTech, while taking control back from what’s now a fairly bloated advertising tech stack. Google’s new mechanisms post third-party cookies will still allow cross-site retargeting but in a more private way where all information is stored on-device within the browser, i.e. there are no more cross-site “cookie IDs” assigned to you. While the new mechanism preserves some of the status quo, cross-site behavioral advertising is going to have much less fidelity and therefore effectiveness.

Which brings us to the third intervention — privacy regulations. The most aggressive of these is the EU’s GDPR, which went into effect in 2018. The California Consumer Privacy Act (CCPA) went into effect in 2020. While the progression has been gradual, the reason these laws matter for advertising companies today more that ever is because the laws take aim at the only remaining and mission critical advertising mechanism — behavioral advertising within companies’ own apps (i.e. you do a bunch of different things inside the Facebook app and Facebook gets to use that data to show you behavioral ads within the app).

EU’s war on behavioral advertising and why platforms are conceding

A primary feature that makes the California laws (arguably the strictest privacy law in the US) less aggressive than EU’s GDPR is that it does not require explicit opt-ins and only requires platforms to provide opt-outs. For example, the 2020 California Consumer Privacy Act (CCPA) requires companies that are considered “data sellers” under the law to provide explicit opt-outs on web pages, but the default is still opt-in.

EU’s GDPR takes this up another notch and requires explicit opt-in / consent for behavioral advertising. This consent needs to be freely given, specific, informed and unambiguous. For example, Meta cannot gate content behind a behavioral advertising consent prompt.

So, the simplistic inference from this is that Meta needs to get explicit consent for all behavioral understanding, including the last remaining mechanism — showing ads within their own platform. If Meta is forced to do this, the opt in will likely be small (the Apple opt-in rates were ~34%) and this majorly shrinks Meta’s addressable advertising market in the EU.

To not meet that fate, Meta made a creative legal argument:

GDPR requires any company to have one of six legal bases if the company needs to process personal data. Paraphrasing, these are — consent, necessity to fulfill a contract, necessity for legal compliance, necessity to protect vital interests of the user, necessity to perform a public interest task, and necessity for legitimate interests pursued by the company
Of these six, Meta held the stance that they were processing personal data using “legitimate interests” (the last of the six) as the legal basis, and therefore does not need to show an explicit opt-in prompt

Last month, the Norwegian Data Protection Authority provided their enforcement decision that Meta’s use of “legitimate interests” as the legal basis is not valid. Paraphrasing the enforcement decision:

Based on several past court rulings, Meta must prove that legitimate interest “cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects”
Based on another past court ruling, despite the face that Meta provides a free service, the user of that network cannot reasonably expect that the operator of the social network will process that user’s personal data, without his or her consent, for the purposes of personalized advertising

Four days after the Norwegian Data Protection Authority’s ruling, Meta announced that they will be changing their legal basis from “legitimate interests” to “consent”. In practice, what this means is that Meta is conceding that behavioral advertising within their own app in the EU can no longer be opt-in by default. While Apple’s changes significantly cut down the ability to advertise cross-app, Meta was holding on to hope that it would be able to preserve all in-app behavioral advertising (including in the EU), and the writing is now on the wall. Snap, TikTok followed suit shortly after with their own announcements that non-personalized versions of their products will soon be available to users. A total of 19 platforms that are in scope are likely to follow suit.

Possible future paths

It is still to be seen what percent of users opt into behavioral advertising. If the Apple opt-in rates are any indication, it may get to the ~34% rate seen there but it may also go higher if platforms are allowed to be creative about opt-in language and user interfaces.

It is hard to say what exactly the long-term effects of ending the opt-in-by-default regime for behavioral advertising in the EU will be, but here are some educated guesses:

Explicit preferences instead of inferred interests — Meta has made some progress towards letting users provide inputs to the feed algorithm. I would expect the creation of more explicit preferences / interests that users explicitly select. While it has worked to a smaller extent for some products like Reddit, it is likely that the quality of content provided by just preferences will be nowhere close to the relevance of a system that is constantly ingesting data and inferring interests.
Non-personalized feeds: TikTok has announced that they will create a non-personalized feed that is based on what’s popular in your region. Most social feed-based platforms will also (re)introduce simplistic ranking options like chronological. I am not bullish any of these will create an engaging user experience.
Degraded user experience, leading to more opt-in: My (potentially contentious) take is that opted out users will see a significantly degraded experience and eventually decide to provide platforms consent to personalize. The platforms will likely use this mechanism to receive content for all personalization (including behavioral advertising) — it’s unclear if there are any regulatory constraints that force them to not bundle consent for user experience personalization and behavioral advertising. I don’t expect the consent rate to go anywhere close to status quo but I think it will be a meaningful bump to what’s seen with Apple’s opt in rates.
Experiments with subscriptions: Twitter launched Twitter Verified a few months back, and Meta is experimenting with a similar concept. I am not bullish that a majority (or even a minority) of users will be willing to pay for social media products after years of being conditioned to getting these products for free.
De-prioritization of EU markets: If platforms are not able to effectively monetize the EU market, it is likely that they will start de-prioritizing investments for the EU market, which is a real risk of an aggressive regulatory regime. I don’t expect them to stop supporting EU markets but every new feature built is an investment, and companies will start heavily questioning if they are willing to do any extra work for this market. For example, if there’s additional work to make a feature comply with GDPR, that might not be worth it anymore. We have seen other equivalent situations of this — several apps have a much better experience on iOS than Android because iOS apps monetize better.

The advertising market exploded over the last several decades due to availability of essentially infinite user data, which brought both large efficiencies in advertising and major privacy risks. Regulation was necessary. Great regulation is about finding the balance between promoting innovation / letting new businesses emerge that move society forward, and having guardrails so people are protected. Did the EU go too far? I personally think they did, and if that is true, the effects will start showing in a 5–10 year horizon and course correction will follow.

Until then, this is the new reality of behavioral advertising in the EU. The regulators and legislators came all guns blazing, and they won.

🚀 If you liked this piece, consider subscribing to my weekly newsletter. Every week, I publish one deep-dive analysis on a current tech topic / product strategy in the form of a 10-minute read. Best, Viggy.