In a filing submitted to the European Commission’s competition division (spotted earlier by Politico), Germany’s Deutsche Telekom, France’s Orange, Spain’s Telefonica and the UK’s Vodafone set out the proposed concentration to create a jointly controlled and equally owned joint venture — to offer “a privacy-led, digital identification solution to support the digital marketing and advertising activities of brands and publishers”, as they describe the proposed ‘first party’ data ad-targeting infrastructure. The Commission has until February 10 to take a decision on whether to clear the joint venture (JV) and, therefore, whether or not to let the carriers go ahead with a commercial launch. A spokesman for Vodafone said the telcos are not in a position to comment on the intended JV at this stage while the Commission considers whether to clear the initiative. And wouldn’t be drawn on a potential launch timeframe. They suggested public messaging on the project will follow approval — assuming the telcos do get a green light from Brussels to work together on the mobile ad targeting infrastructure. Details about the plan for the carriers to dive into personalized ad-targeting emerged last summer during initial trials in Germany. The tech was described then as a “cross-operator infrastructure for digital advertising and digital marketing” — and Vodafone said they would be relying on user consent to the data processing. The project was also given the initial moniker “TrustPid” (but if it flies expect that clunky label to be replaced with some slicker marketing). The telco ad targeting proposal quickly landed on the radar of privacy watcher who raised concerns about the legal basis for processing mobile users’ data for ads — given the European Union’s comprehensive data protection and privacy laws; and given existing microtargeting adtech (which also relies on a claim of user consent) was found in breach of the General Data Protection Regulation in February last year. The project also faced some early attention from data protection authorities in Germany and Spain. We’re told engagement with regulators led to some tweaks to how the telcos proposed to gather consent — to make the process more explicit. The telcos’ filing submission proposing to create a JV, which is dated January 6, 2023, confirms that “explicit user consent” (via an opt-in) is the intended legal basis for the targeting, writing:
Subject to explicit user consent provided to a brand or publisher (on an opt-in basis only), the JV will generate a secure, pseudonymized token derived from a hashed/encrypted pseudonymous internal identity linked to a user’s network subscription which will be provided by participating network operators. This token will allow the brand/publisher concerned to recognize a user without revealing any directly identifiable personal data and thereby enable them to optimize the delivery of online display advertising and perform site/app optimization. Users will have access to a user-friendly privacy portal. They can review which brands and publishers they have given consent to, and withdraw their consent.
Discussing their approach, a representative for one of the involved telcos (Vodafone) confirmed the intent is to rely on gathering consent from users via pop-ups. So if anyone was hoping that the demise of third party cookie tracking would knock consent spam on the head that looks, well, premature. A first party data-based alternative to the (still, for now) ubiquitous tracking cookie also requires a legal basis to process people’s data for marketing — and alternatives to consent look increasingly tricky given ongoing guidance (and enforcement) by EU data protection regulators, such as the massive fine this month for Meta for trying to claim contractual necessity for processing user data for ads; or the warnings TikTok attracted last year when it sought to switch from consent to a claim of legitimate interest for its ‘personalized’ ads — a move it was forced to back away from. Consent as the legal basis for ‘personalized ads’ is no picnic either, though: The IAB’s Transparency and Consent Framework (TCF) — which relies upon a claim of consent to third party ad tracking — was found in breach of the GDPR last year (as was the IAB Europe itself). And the Belgian DPA issued the adtech industry with a hard reform mandate. Albeit, for now, the tracking-ads status quo lumbers on, zombie-like — pending a final legal reckoning. The distinction the four telcos behind the proposed JV are seeking to claim for their proposal for consent-based ad targeting — vs current-gen (legally clouded) adtech targeting — is, firstly, that it’s based on first party data (the claim for the TrustPid project is no syncing and/or enriching of the individual-linked targeting tokens is allowed and/or possible between participating advertisers). So it’s not the kind of consentless-by-design background ‘superprofiling’ of users that’s landed current-gen adtech into such legal (and reputational) hot water. The proposed tracking is siloed per brand/advertiser — with each needing to gain up-front consent from their own users and only able to target against data-points they gather. (Plus we’re told user-linked tokens would be cycled regularly, with the initial proposal being to reset them every 90 days.) Secondly, the telcos are proposing to put contractual limits on participants — such as requiring that no special category data (e.g. health data, political affiliation etc) can be attached by an advertiser as an targetable interest to a user-linked token. They also want the JV to have the final say on the language/design of consent pop-ups (which they say will offer users a top-level refusal, rather than burying that option as routinely happens with cookie consent pop-ups). And they say they will audit all participating websites on a regular basis. There is a third check: A portal where mobile users can view (and revoke) any consents they have provided to individual brands/publishers to use their first party data for ads — and which, we’re told, will provide an option that lets mobile users block the entire system (so a hard opt-out). Although we understand it’s not currently the case (in the trial) that users who apply such a block are prevented from receiving pop-ups asking for their consent to the ad targeting — so, again, consent spam and consent fatigue look set to continue. (And, well, could plausibly multiple as consent gets un-bundled — i.e. if the system takes off with lots of brands and advertisers.) At least, unless or until they can figure out an appropriate legal basis that does not require ongoing pestering of users who already denied consent with pop-ups. If the telcos’ JV gets the green light from the Commission, scrutiny on the project will of course dial up — and close attention to technical (and contractual) details may well throw up fresh concerns. So it’s too soon to judge whether the approach will/would pass muster with regulators and privacy experts. There could also be friction from mobile network users themselves — if they suddenly find they’re encountering a fresh, irritating layer of consent spam when browsing the mobile web, a service they do, after all, pay the telcos to provide them with. So tolerance for extra consent spam could be very low. Moreover, convincing mobile users to actually opt in to ads — assuming they are indeed provided with a genuinely free (and fair/non-manipulative) choice to deny tracking, rather than being forced or bamboozled into it as has been the dark pattern rule for years — presents a major barrier for uptake. Plenty of people will deny tracking if they are actually asked about it (see, for e.g., the impact of Apple’s App Tracking Transparency requirement on third party iOS apps’ ability to track users). So even if the telcos are allowed to build their ad targeting JV there’s no guarantee mobile users on their networks will agree to play ball. Still, if this flies there could be a chance for brands to win web users over with a fresh approach. Being transparently up front about wanting to process people’s personal data for ads — and, potentially, also able to offer incentives for users to agree — offers an opportunity to do things differently vs a creepy status quo that can’t clearly explain how people’s data got sucked up, where it may have ended up, or what’s really been done with it. An up-front approach could thus provide a route for savvier brands to deepen their relationships with loyal customers by making straightforward asks, not resorting to sneaky surveillance. European carriers file to create joint venture for opt-in ad targeting of mobile users by Natasha Lomas originally published on TechCrunch