Age verification hampers EU plans to ban targeted ads for children under DSA

28 March 2022 13:15 by Matthew Newman

Targeted Ads

A planned prohibition on targeted advertising for children is causing trouble for negotiators on the EU’s Digital Services Act, with age verification emerging as a particular hurdle for legal as well as practical reasons.

The European Commission, European Parliament and national governments all agree in principle that the DSA should ban targeted ads for children, whose harms are well established; but how to do so is still up for debate.

The stakes are high. If the final law is too lax or vague, it risks being unenforceable, or being enforced to a different degree in each EU country. If it’s too strict, some websites might decide to forgo targeted advertising altogether, crimping a valuable revenue stream for many small businesses.

Some legislators, particularly in the parliament, called for a complete ban on targeted advertising: One group of lawmakers, the Tracking-Free Ads Coalition, described it as “a dangerously powerful tool” that can manipulate people by using their most intimate personal information including data on their health, sexuality and religious beliefs.

The parliament’s chief negotiator on the DSA, Danish socialist Christel Schaldemose, is part of that group. Nevertheless, the assembly in January rejected a complete prohibition. This suggests that the idea won’t make it into the final version of the law, but a significant coalition will stand firmly against any further relaxation of the ban on targeting ads at children.

On the other side of the debate, European publishers have said that they rely on programmatic advertising for revenue. The digital ad market in the EU reached 69 billion euros ($75 billion) in 2020, an increase of 6.3 percent from the previous year, IAB Europe has said.

Age verification

A complete ban could hurt makers of physical products as well as digital service providers. Niche manufacturers rely on targeted advertising as a cost-effective way to reach their small market of enthusiasts. Imagine for example a craft beer company, which can use ad targeting to identify the relatively small group of people who might pay 7 euros for a can of IPA.

While a brewer shouldn’t be targeting children in any case, other products might legitimately be aimed at adults and children alike. How can a bicycle manufacturer tell for sure if someone browsing cycling feeds on Instagram is 18 years old, or only 17, without a robust age-verification system? And should it be the seller’s responsibility to do those checks, or Instagram’s?

This is the murky reality that lies far from the most obvious cases of a ban being required, which might be a publisher of an addictive mobile phone game who deliberately seeks out young children on social media to target them with ads.

To add to the complications, the European Parliament’s draft of the DSA includes a prohibition on websites asking for additional personal data from users to check on a user’s age — thereby preventing them in many cases from knowing whether a given user is underage.

The General Data Protection Regulation, in force since 2018, also requires data controllers to minimize the amount of data they collect and process, limiting themselves to what is directly relevant and necessary to accomplish a specified purpose. It’s not clear how this provision would interact with an age-verification requirements under the DSA.

In the Netherlands, for example, publishing company DPG Media was fined 525,000 euros last month for breaching the GDPR by asking its customers to provide more personal data than needed. The data protection authority found the company had asked users to upload proof of identity whenever they wanted to view their data or to have it removed.

And even if the DSA does establish a clear need to verify age, and allow the collection of data for that purpose, actually doing so can be difficult. Many websites that are already required to verify age, such as pornographic websites or those of alcohol brands, simply require their users to claim to be an adult by checking a box.

Is this approach — the digital equivalent of allowing two children in a trenchcoat into the cinema — enough for a company to be able to claim it is doing age verification? Some regulators think not: French media regulator Arcom has pursued porn websites in court because they’ve failed to verify users’ ages robustly.

And finally, EU governments don’t even share the same definition of who is a child, a minor or a youth; it can vary between 14 and 18 between different EU countries and for different purposes. That makes it difficult for companies to standardize the approach on their websites.

With all these complications to consider, and with potential fines for violating the DSA running up to 6 percent, it’s easy to see how our hypothetical bicycle manufacturer could choose to forgo targeting advertising altogether.

Pressure to act

France, which is leading negotiations on behalf of EU governments for the first half of this year, is eager for an overall deal on the DSA, particularly after negotiators struck a deal on its sister legislation, the Digital Markets Act, on March 24. Officials no doubt have an eye on the presidential election, whose first round of voting is on April 10.

Schaldemose said in a tweet on Friday that after the DMA agreement, “We are getting closer to a deal here as well. At best there is a chance we land a deal on the DSA [at the] end of April.”

But nobody has come up with specific wording to address the question of targeted advertising. French officials have asked the European Commission to draft something — even though the executive didn’t include any bans on targeted advertising in its original proposal in December 2020.

The European Parliament’s draft does mention a ban on targeting ads at children, but doesn’t address any of the complications; it simply states that “online platforms should also not use personal data for commercial purposes related to direct marketing, profiling and behaviorally targeted advertising of minors.”

The can has already been kicked down the road once. A provision in the DMA on targeted ads to children was removed in the final stages of the negotiations with a pledge to tackle the issue in the DSA.

The next move is likely to come from the commission, following France's request for a compromise proposal; this will also likely include new wording on “dark patterns”. The plans won't be part of the next session of negotiations between EU governments, the parliament and the commission on March 31.

While the EU is closer to banning targeted ads for minors, negotiators say that a political agreement may be reached on the general principle, and then the commission may be left to come up specific wording on implementation and age verification.

If officials get it wrong, they risk a repeat of the GDPR cookie-wall debacle: an added layer of pain and frustration for businesses and Internet users alike, with little tangible improvement to privacy.

Related Articles