By: Lex Zard & Alan M. Sears
Targeted advertising is the primary revenue stream for the largest online platforms that act as the internet’s gatekeepers, such as Alphabet and Meta. The financial incentives drive targeted advertising towards maximizing the efficiency of algorithmically matching advertisements with consumers, which typically requires building fine-grained profiles that rely on consumers’ personal data. In the European Union (EU), the protection of personal data is a fundamental right operationalized by the General Data Protection Regulation (GDPR), establishing the limits of targeted advertising to the extent that it relies on the processing of
personal data. Nevertheless, as online interface design and fine-grained personalization allow platforms and other publishers new ways to influence consumers, targeted advertising is also associated with the potential for consumer manipulation.
While the consumer protection framework in the EU is the primary field that protects consumers from manipulation, it has received little attention in academia in the context of targeted advertising when compared with the GDPR. In 2022, the EU adopted proposals for the Digital Services Act (DSA) and the Digital Markets Act (DMA), which contain consumer protection rules that directly limit targeted advertising. These developments in consumer protection law may fundamentally transform the internet, as its gatekeepers are now faced with a new legal regime that regulates their primary source of revenue. This Article provides an overview of the myriad of legislation that comprises the EU consumer protection framework—including how it intersects with the data protection framework—and analyzes how and the extent to which it coalesces to limit targeted advertising.