Starting Friday, Europeans will have a much different experience than their American counterparts when dealing with large tech companies.
The European Union’s Digital Services Act, which will eventually apply to any online service provider, will take effect for very large online platforms with more than 45 million users. Requirements under the law include a ban on targeting users with ads based on sensitive data, transparency requirements about how platforms’ algorithms work, and new liability obligations for illegal content such as hate speech and bans on deceptive design patterns.
The regulations are already shaping up to have a significant impact on how American tech companies treat user data in Europe. The DSA prohibits large tech companies from targeting advertising using sensitive data such as sexual orientation and entirely prohibits targeted ads aimed at children.
Sensitive data as defined in the DSA refers to a broad range of attributes, including sexual orientation, religion, health history and political persuasion. “Just eliminating this type of data from the profiling of users for targeted advertising is going to be a very difficult task, regardless of the size of the company,” Gabriela Zanfir-Fortuna, vice president for global privacy at the Future of Privacy Forum, told CyberScoop.
The law has already brought a flurry of changes by other tech companies. TikTok announced earlier this month it would allow users in Europe to switch off personalized results for its For You feed and that users age 13 to 17 would automatically be opted out of personalized ads based on their online activities.
Meta, which runs Facebook and Instagram, will allow users to view results based on keyword searches rather than personal activity, the company announced Tuesday. Meta proposed to European regulators in August that it would switch to a “consent-based” model for behavioral advertising, The Wall Street Journal reported.
Whether or not those changes will be enough to avoid the scrutiny of EU regulators remains to be seen. Twitter (now called X), TikTok, and Meta all underwent voluntary “stress tests” in July, overseen by the European Commission, to see if they met new standards. Both Twitter and TikTok reportedly came up short, according to EU officials.
The changes come in stark contrast to unsuccessful legislative pushes in the U.S. to ban tech companies from using sensitive and children’s data for targeted advertising. While the practice hasn’t been banned in the U.S., targeted advertising has caused tech companies to run afoul of other laws. For instance, in 2022 Facebook entered into a settlement with the Justice Department over allegations that its housing advertising system ran afoul of federal protections against housing discrimination based on race, sex and age.
Experts also say it’s too early to tell if, like GDPR, the DSA will have trickle-down effects on the rest of the globe. Advertising is the key revenue source for tech giants such as Meta, with targeted advertising making up a large portion of revenue.
“Just looking at the GDPR experience, we might indeed see these protections or functions being made available outside of Europe as well,” said Zanfir-Fortuna.
Anthonia Ghalamkarizadeh, a partner at Hogan Lovells, noted that requirements for complying with the DSA are still “far from clear on many aspects” and that the European Commission has issued limited guidance for platforms expected to come into compliance on Friday.
“They are thrown into the deep end of a pretty dark pond,” she said. “They will have to anticipate what a lot of the DSA language means and requires and are facing the risk that — with additional guidance coming through further down the line — they may very well have to adjust a lot of the implementation decisions they had to take quite early on without really having sufficient guidance on them.”
American companies have reported dedicating significant resources to complying with the law. Meta said Tuesday that it has dedicated more than 1,000 employees to meeting the requirements, for instance.
In some cases, this lack of guidance could lead to further privacy complications. For instance, while not mandated by the act, the distinct treatment of minors that it requires could lead some companies to pursue age verification technologies that lead to privacy concerns like additional data collection on children, said Zanfir-Fortuna.
One other major distinction between the DSA and the European Union’s landmark data privacy law is that for very large online platforms, enforcement will be centralized through the European Commission rather than individual countries’ data protection agencies, a process that has in the past resulted in disagreements between EU members over how to penalize tech companies for breaking the law.
Fortuna says that the consolidated process may result in swifter enforcement actions against big technology companies, but it’s too early to say.
Correction August 22, 2023: An earlier version of this story stated that enforcement would be centralized through the European Council. The correct enforcement body is the European Commission.