Isabella De Michelis, CEO & Founder, ErnieApp
The fine in relation to personalized advertising imposed on Meta by the European Data Protection Board (EDPB) of EUR 390 million (USD414 million) announced in early January 2023 has gained much media attention, for its potential to require Meta to make costly changes to its advertising-based business model. Although restricted to the EU, the precedent created by this regulatory move has potential to vastly impact all digital media markets in all jurisdictions as well. And at the time of writing, we await the expected decision by the EDPB on WhatsApp’s similar misuse of personal information for targeted advertising, which is rumoured to make the earlier fine seem small in comparison. So, what does all this mean for the future of Big Tech, as well as all businesses that use personal targeting for their business?
In my view the game is clearly up in terms of the big platforms having unfettered free access to users’ private data, in an asymmetric power relationship without transparency and without compensation. And the impact will be felt by all businesses (including anyone who gathers personal data to inform their marketing, including Uber, Tinder, Deliveroo, Taxis, your Fitbit, and even broadcasters like the BBC). Here I will explain the complex, and often convoluted world of personalized advertising online, and what we, as users of online services, can do to take back control of our data and our digital lives.
The GDPR etc
Many people in the EU, and increasingly around the world, have heard about the GDPR which came into force in 2018, which regulates the collection and use of personal data. Even if they do not know about the regulation, they are aware of its impact, in that the GDPR requires users to give informed (and revokable) consent about the gathering and use of their personal data. But this is not the only control that the EU has introduced on the use of personal data. The ePrivacy Directive of 20021 regulates cookies and communications (metadata), which enable online service providers to track people and their online user habits. Transparency about the use of cookies has meant user refusal in many cases, which has significantly reduced the capacity of online businesses to track your movements and therefore develop a detailed user profile about you and monetize you as a targetable audience.
The EU’s regulatory moves have had global impact. There are now 130+ countries with GDPR like regulation. In Africa, for example, governments have started fining companies which exploit personal data without user consent.
Some of the strictest privacy and personal data protection regulation so far has been introduced in California, where users can say that they do not want to have their data on-sold or monetized at all (the so called ‘Do not sell’ opt in). Certain States in the US, including Montana and Idaho, for example, have introduced similar measures, while the Federal Government is now proposing to introduce a federal law (which may, however, now be in doubt due to the changed make up of Congress). The new Chair of the FTC, Lina Kahn stated on 14 December 2022 that all companies must protect consumer data and that data security must be a priority for any chief executive.
Consent and transparency
So why is there still an issue with personalized online tracking and advertising? The crux of the problem is the 40-word long definition of ‘consent’ in the GDPR, which has enabled online platforms to propose their own interpretation, which is now in dispute in the courts. The stakes are high, however, and Big Tech is very aware of the potential impact of consent mechanisms and also user transparency. When Apple released its new operating system iOS 14.5 in December 2021, everyone using Facebook on an iPhone was suddenly confronted with a pop-up seeking permission to track them, and a majority of users declined to give their consent (+90% in US only). Facebook said that Apple’s App Tracking Transparency feature would decrease the company’s 2022 sales by about USD10 billion.
Logging in to an app
So how has the industry reacted to this new regulatory scrutiny risk? Not trusting users to consent to the use of their data, many websites moved from the open web (browsers) to the application environment (eg web and mobile apps) so they could request the user to register an account (user name and password based). The account is then used to identify and profile the user as well as to track and target him/her. Web and mobile apps can harvest a huge amount of data and information like for example the user’s geolocation position automatically, such as does Uber and other delivery apps, medical services apps or even national broadcasters and media companies like the BBC if you access the premium service. This has meant that, paradoxically, users may now be handing over even more personalized information than before. And among the most valuable information is of course the geolocation data, based on which online apps can trace your movements and link this back to socio-economic data and therefore offer you individualized pricing and other local offers based on your profile as well as your known spending habits.
Many users just click and swipe
Many online users are totally unaware of how to control their own privacy settings, as this is often very complicated to understand, some would say, deliberately so. If we assume that greater transparency and information about the use of their data will incentivize all users to take back control, we would however be mistaken. This is because much of the new digital environment has all the characteristics of a new human culture, which is now all pervasive and difficult to change. The ‘Facebook generation’, aged between 35 and 45, have been shown to have the least awareness of or interest in controlling the use of their data. They have been trained to ‘click’ and to ‘swipe left or right’ when interacting online. This has become an ingrained habit and many people do it automatically without even thinking about what they are doing, or the commercial transaction that is going on behind the scenes with trading their data. In contrast, the majority of the ‘Tik Tok generation’ who are Gen-Zers between late teens and 30, are most likely to understand the value of their data and how to exploit it for their own use. Instagram influencers also are making very profitable careers out of managing their own profiles and data online.
Gaia-X, trade and innovation
Concern about the monetization of European citizens’ personal data by foreign Big Tech companies has moved beyond a desire to rein in the power of the data gatekeepers and is now driven by EU trade and innovation policy. By requiring users to become aware of the use of their personal data and the monetization of their data by foreign-based players, EU governments want to ‘repatriate’ these services that will become the new driver of the digital economy and spur innovation in digital services. The aim is for EU data to be monetized in Europe, so that EU member states will be able to reap the economic benefits themselves, rather than exporting them to the US.
These policy objectives are also driving the European Gaia-X project2 initiated “by Europe for Europe and beyond”. It aims to create the next generation of data infrastructure in Europe, “an open, transparent and secure digital ecosystem, where data and services can be made available, collated and shared in an environment of trust”. The data infrastructure is being developed to reflect shared EU values of openness, transparency, and trust. I currently serve as a member of the Gaia-X community in a Deputy Chair working group capacity. Companies will be able to plug into the federated cloud services and exchange and share ‘data’ in compliance with GDPR, e-privacy and other European data protection and governance regulation, benefiting from a pro-competitive level playing field, to enable the future AI connected society.
Data intermediaries: the new business model
The future of data monetization will be driven by data intermediaries, third parties who collectively represent digital users and who develop a core business of returning value to the user whose data is being accessed, but also serve the other side of the market in need of constant data supply. The principles behind this type of service will be user choice and awareness. People will be recognized as a crucial part of the digital value chain, who deserve to be rewarded for the value that they create by sharing their data. And those who do not want to share their data will be able to choose to reclaim their freedom from data harvesting if they want. However, experience shows that many will be quite willing to exchange their data for an appropriate reward – be it monetary, loyalty points, free offers, or other benefits. This will unlock innovation and many new business models built around data intermediation, while staying compliant with the core values set by GDPR.
ErnieApp’s mission is to offer a mobile easy to use solution (to both sides of the market – consumers and enterprises) based on transparency and fairness, to help companies quickly gain user’s consent (and users to assert their rights) and match the user’s data supply with the enterprise’s data demand. ErnieApp should be seen as a utility application offering an outsourced ‘consent management platform’ solution both to the ‘data intermediaries’ as well as to companies in general, who want to incorporate a consent process into their data processing.
In summary, regulatory action in the EU to control access to personal data by US Big Tech companies has unleashed a global movement to take back control of data belonging to individuals and citizens, for the benefit of those individuals and countries. New business models based around data intermediation will help inform the user about the value of their data and return a fair share of its value back to them. Digital will thus be reshaped through user empowerment.
1 https://edps.europa.eu/data-protection/our-work/subjects/eprivacy- directive_en
2 https://www.data-infrastructure.eu/GAIAX/Navigation/EN/Home/ home.html
Isabella founded ErnieApp (www.ernieapp.com) in 2017, one year ahead of GDPR entering into force, with the conviction that only a user-centric consented free internet based model could resolve the conundrum of how privacy, innovation and competition in a digital connected society heading toward AI and IoT could coexist peacefully. More than 150,000 unique users have downloaded the mobile app since its launch in 2020. The App is used by a wide demographic and split equally between Android and iOS users across 3 continents. App is available in 50 markets and 3 languages.
Before launching her reg-tech software company, Isabella was VP EMEA Government Affairs and Technology Policy Strategy at Qualcomm Inc. (QCOM) for 12+ years and before that she held various executive and senior positions at CISCO, IRIDIUM, ELSACOM, TELESPAZIO, being responsible for corporate development strategy, regulatory affairs, business development, market access and IP, industry alliances and partnerships. Isabella has often advised EC and EU member states on matters related to telecom regulation (2018 Italian Broadband Action Plan), internet, IP, competition and privacy (2022 Italian Data Strategy). She is a frequent ‘lecturer’ in European universities (Postgraduate classes) on topics related to EU digital sovereignty policy, privacy economics and engineering, gatekeeper regulation and competition law. Isabella is an IUHED/Geneva University graduate w/major in competition law; holds an Executive MBA from (UCL) in London. In Jan. 2020 she was appointed board member of CDP Ventures (+€2Bn in assets) and is also a member of the Risk Control and Compensation Committee. She is currently managing director at HIGH PULSE and is a frequent guest on TV and Radio talking about the interplay between tech, privacy, competition, digital innovation and societal impacts. She is Vice Chair of the Business and Operational working group of GaiaX, UPA member, and Digital EU SME Alliance member More recently she was appointed by SBS as standardization expert to ISO/IEC JTC1/Standard Committee 35 which is responsible for standardizing user system interfaces in ICT. In 2018 she co-created the concept of the Right to Monetize with Luca Bolognini, President of the Italian Institute of Privacy which proposes a responsibility for digital companies to provide users a fair compensation for the contribution they give to the innovation cycle (through data generation).