European telcos are moving forward with a plan to form a joint venture to offer opt-in “personalized” ad targeting to users of regional mobile networks following trials in Germany last year, although it remains to be seen whether European Union regulators will sign off on their plan.
In a filing submitted to the Competition Department of the European Commission (previously noted by Politics), Germany’s Deutsche Telekom, France’s Orange, Spain’s Telefonica and UK’s Vodafone outline the proposed concentration to create a jointly controlled and equally owned joint venture to provide “a privacy-based digital identification solution to support the digital marketing and advertising activities of brands and publishers”, as they describe the proposed first party data ad targeting infrastructure.
The Commission has until February 10 to make a decision on whether or not to approve the joint venture (JV) and thus whether or not to allow the carriers to proceed with a commercial launch.
A Vodafone spokesman said the telcos are unable to comment on the proposed joint venture at this stage, while the Commission considers whether to approve the initiative, and wouldn’t be drawn on a possible launch time frame. They suggested public announcements about the project will follow after approval – assuming the telcos get the go-ahead from Brussels to collaborate on mobile ad targeting infrastructure.
Details about the carriers’ plan to dive into personalized ad targeting emerged during initial trials in Germany last summer. The technology was then described as a “cross-operator infrastructure for digital advertising and digital marketing” – and Vodafone said they would rely on user consent for data processing. The project was also given the initial name “TrustPid” (but if it takes flight, expect that clunky label to be replaced by some slicker marketing).
The telco ad targeting proposal quickly landed on the radar of privacy watchers, who raised concerns about the legal basis for processing mobile user data for advertising – given the European Union’s extensive data protection and privacy laws; and given existing microtargeting adtech (which also relies on a claim of user consent) was found to be in violation of the General Data Protection Regulation in February last year.
The project also received early attention from data protection authorities in Germany and Spain. We’re told that engagement with regulators led to some adjustments to the way the telcos proposed to get consent – to make the process more explicit.
The telcos’ filing proposing to create a JV, dated January 6, 2023, confirms that “explicit user consent” (via an opt-in) is the intended legal basis for the targeting, stating:
Subject to the user’s explicit consent to a brand or publisher (on an opt-in basis only), the JV will generate a secure, pseudonymized token derived from a hashed/encrypted pseudonymous internal identity associated with a user’s network subscription, which will be provided by participating network operators. This token allows the respective brand/publisher to recognize a user without disclosing directly identifiable personal data, enabling him/her to optimize online display advertising delivery and perform site/app optimization. Users gain access to a user-friendly privacy portal. They can view which brands and publishers they have given permission to and withdraw their permission.
Discussing their approach, a representative of one of the telcos involved (Vodafone) confirmed that the intention is to rely on obtaining user consent via pop-ups. So if anyone was hoping that the demise of third-party cookie tracking would turn consent spam on its head, that seems premature.
A data-based alternative to the (for now still) ubiquitous tracking cookie also requires a legal basis to process people’s data for marketing – and consent alternatives seem increasingly tricky given ongoing guidance (and enforcement) by EU data protection regulators, such as Meta’s massive fine this month for claiming contractual necessity to process user data for advertising; or the warnings TikTok received last year when it tried to switch from consent to a claim of legitimate interest for its “personalized” ads – a move it had to back away from.
However, consent as a legal basis for “personalized ads” is no easy feat either: The IAB’s Transparency and Consent Framework (TCF) – which relies on a claim of consent for third-party ad tracking – was found to violate the GDPR last year (just like the IAB Europe itself). And the Belgian DPA gave the adtech industry a tough reform mandate. Although, for now, the status quo of tracking ads continues, zombie-like – awaiting a final legal reckoning.
The distinction the four telcos behind the proposed JV want to claim for their permission-based ad targeting proposal – vs current generation (legally obscured) adtech targeting – is first that it is based on first party data (the claim for the TrustPid project is that it does not allow and/or enable synchronization and/or enrichment of the individually linked targeting tokens between participating advertisers). So it’s not the kind of background “super-profiling” of users without permission that has gotten the current generation of adtech into such legal (and reputational) hot water. The suggested tracking is segregated by brand/advertiser, with each requiring prior consent from its own users and able to target only the data points it collects. (In addition, we are told that user-linked tokens are cycled regularly, with the original proposal being to reset them every 90 days.)
Second, the telcos are proposing to impose contractual limits on participants – such as requiring that no special category data (e.g., health data, political affiliation, etc.) be added by an advertiser as a target interest for a user-associated token. They also want the JV to have the final say on the language/design of consent popups (which they say will provide users with a top-level opt-out, rather than burying that option as routinely happens with cookie permission popups). And they say they will regularly check all participating websites.
There’s a third check: a portal where mobile users can review (and revoke) any permissions they’ve given to individual brands/publishers to use their own data for advertising – and which, we’re told, will provide an option with which mobile users can block the entire system (hard opt-out). However, we understand that currently (during the trial) users who apply such a block still receive popups requesting their consent to the ad targeting, so again, consent spam and consent fatigue seem set to persist. (And, well, it could be plausible that consent will be unbundled – that is, if the system booms with lots of brands and advertisers.) At least, unless or until they can find a suitable legal basis that doesn’t require constantly harassing users who have already denied permission with popups.
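A minimal sketch of the token scheme described in the filing and in the three checks above, added here as an illustration and not the TrustPid/JV implementation. It assumes an HMAC-SHA256 derivation, a hypothetical `TokenService` class, and constructed sample identifiers; it shows partner-scoped tokens that cannot be joined across advertisers, the 90-day reset, and consent revocation and the hard opt-out gating issuance.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

ROTATION_SECONDS = 90 * 86400  # 90-day reset interval mentioned in the article


def _field(value: str) -> bytes:
    """Length-prefix a field so ("ab", "c") and ("a", "bc") cannot collide."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


class TokenService:
    """Hypothetical JV-side service; class, method and key names are assumptions."""

    def __init__(self, secret: bytes):
        self._secret = secret    # never shared with brands or publishers
        self._consents = set()   # (operator_pseudonym, partner_id) opt-ins
        self._blocked = set()    # pseudonyms that used the portal's hard opt-out

    def grant(self, pseudonym: str, partner: str) -> None:
        self._consents.add((pseudonym, partner))

    def revoke(self, pseudonym: str, partner: str) -> None:
        self._consents.discard((pseudonym, partner))

    def block_all(self, pseudonym: str) -> None:
        self._blocked.add(pseudonym)

    def token(self, pseudonym: str, partner: str, now: datetime):
        """Return the partner-scoped token, or None without a valid opt-in."""
        if pseudonym in self._blocked or (pseudonym, partner) not in self._consents:
            return None
        window = int(now.timestamp()) // ROTATION_SECONDS
        msg = _field(pseudonym) + _field(partner) + _field(str(window))
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    svc = TokenService(secret=b"constructed-demo-key")  # constructed sample key
    t0 = datetime(2023, 1, 6, tzinfo=timezone.utc)
    svc.grant("op-pseudonym-123", "brand-a.example")     # constructed sample IDs
    svc.grant("op-pseudonym-123", "publisher-b.example")
    print(svc.token("op-pseudonym-123", "brand-a.example", t0))
    print(svc.token("op-pseudonym-123", "publisher-b.example", t0))  # unlinkable
    print(svc.token("op-pseudonym-123", "brand-a.example", t0 + timedelta(days=180)))
```

Because the derivation is keyed rather than a plain hash, a partner cannot recompute or correlate tokens from a guessed identifier, but whoever holds the key and the operator pseudonym can, so the token is pseudonymous rather than anonymous.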
If the telcos’ joint venture gets the go-ahead from the Commission, the project will of course be looked at more closely – and attention to technical (and contractual) details could well raise new concerns. It is therefore still too early to assess whether the approach will/would succeed with regulators and privacy experts.
There can also be friction from mobile network users themselves – if they suddenly discover they’re encountering a new, irritating layer of permission spam while browsing the mobile web, a service they pay the telcos to provide, after all. So the tolerance for additional permission spam can be very low.
Furthermore, persuading mobile users to actually opt in to ads – assuming they are indeed given a truly free (and fair/non-manipulative) choice to refuse tracking, rather than being coerced or tricked, as has been the dark pattern rule for years – is a major barrier to adoption. Many people will deny tracking if they are actually asked about it (see, for example, the impact of Apple’s App Tracking Transparency requirement on the ability of third-party iOS apps to track users).
So even if the telcos get permission to build their JV ad targeting, there’s no guarantee that mobile users on their networks will agree to participate.
But if successful, there is an opportunity for brands to win over internet users with a fresh approach. Being upfront about wanting to process people’s personal data for advertising — and possibly also being able to offer incentives for users to consent — presents an opportunity to do things differently from an eerie status quo that can’t clearly explain how the data obtained from people has been sucked up, where it may have ended up, or what has actually been done with it.
So an upfront approach could give smarter brands a way to deepen their relationships with loyal customers by asking clear questions, rather than resorting to sneaky surveillance.