Clifford Chance

As regulators look beyond the ePrivacy Regulation, the EU has an opportunity to focus on simplification and growth, leveraging existing frameworks to provide robust protections.

Digital advertising regulation in the EU remains complex and continues to evolve in a fluid, and sometimes unpredictable way. Europe's online businesses and advertisers face a fragmented legal system, with existing and emerging regulation and guidance spanning consumer protection, data privacy and competition law.

The European Commission (Commission) withdrew the Cookie Pledge and ePrivacy Regulation proposals, aimed at reducing cookie fatigue and promoting privacy-friendly practices, given their failure to gain enough industry and legislative backing. This has left stakeholders uncertain about the Commission's next steps. The Commission is undertaking a study to identify regulatory gaps in digital advertising, indicating a possible intent to further regulate this space. Proposals for a Digital Fairness Act (DFA) and rumours of a Digital Advertising Act (DAA) seem to be gathering momentum. They may incorporate principles from the ePrivacy Regulation proposal and the Commission's fitness check to promote greater fairness online.

This article reviews the current state of play and recent developments in regulating digital advertising. It suggests that the EU already provides robust protections through existing laws and that legislators may wish to assess existing frameworks and clarify regulatory uncertainties before proposing more legislation, which could hinder innovation and investment. Any new regulation should be necessary, coherent with existing obligations, and an opportunity to resolve inconsistencies. Streamlining, harmonizing, and refining current regulations through meaningful debate between key industry stakeholders, academics, regulators and policymakers along with pragmatic enforcement, may be a more productive way forward than embarking on a further round of lawmaking.

State of play: Adtech in flux

Digital advertising enables free access to online content and services and offers consumers a more meaningful, personalized ads experience. It also helps businesses using advertising to have a more tailored, efficient mechanism to reach their consumer base.

Digital advertising has had a significant impact on SMEs in particular, offering numerous benefits and opportunities for growth. It has enabled SMEs to reach a global audience and compete with larger, more established brands without the hefty costs associated with traditional marketing methods. Through personalized content and targeted campaigns, SMEs can build stronger relationships and improve customer loyalty, while leveraging valuable data-driven insights to track and measure performance in real-time. This allows businesses to make more informed decisions and optimize their strategies for commercial success.

The use of personal data for advertising has, and continues to raise privacy, transparency, and customer protection concerns. Digital advertising is sometimes associated with profiling and targeting techniques. The perceived lack of transparency extends to the economic model behind so called 'free' online services. Some European legislators and regulators argue that these practices put users in a vulnerable position because they do not fully understand what they are agreeing to when accessing a service online, and have advocated for increased transparency to help users make informed decisions, historically focusing on:

• providing simple information to help users make informed choices and ensuring organizations do not undermine user choice,
• ensuring users can change their preferences after initially agreeing to share their data, and
• tackling deceptive practices and alternative tracking methods that offer no genuine user choice.

The AdTech industry is going through a period of transition. With the deprecation of third-party cookies, alternative advertising models based on contextual advertising and first-party data processing are on the rise. Subscription models, influencer marketing and AI also offer new opportunities for businesses to engage with consumers to provide highly relevant, premium or custom content. A recent IAB Europe study showed that consumers appreciate the benefits of free access to services and recognise the potential downsides – such as paywalls, reduced content quality, and limited accessibility – if personalized advertising was restricted. These findings show it is not simply a binary choice between privacy or an ad-funded internet. Instead, it is a complex interplay of privacy rights, consumer preferences, and commercial interests.

With the rapid pace of technological development, customer perception and business model transformation across the sector, legislators, regulators, and industry must collectively balance competing customer preferences and economic models to create proportionate, pro-growth and future-proof regulation.

A congested regulatory landscape: recent developments and areas of regulatory uncertainty

The EU's Adtech regulatory landscape is complex and fragmented, characterized by a patchwork of regulations rather than a single comprehensive law. Various instruments address different aspects of consumer protection, data privacy, fairness, and competition, requiring stakeholders to navigate significant legal and regulatory challenges due to non-harmonized and occasionally conflicting measures.

Given this congested landscape, when considering whether any additional legislation is required, it is crucial to first evaluate what existing frameworks already cover, whether they are sufficient to cover key regulatory concerns, and identify any gaps or inconsistencies that should be addressed. This evaluation is particularly important as the Commission considers new regulatory possibilities.

In the current global economic environment, with major economies like the United States leaning towards deregulation to spur growth, Europe needs a proportionate, pro-growth regulatory framework that carefully considers the economic implications of new regulation on the European economy. The Draghi Report has called for deregulation and regulatory simplification, viewing current regulations as a high hurdle for technology innovation. IAB Europe's recent study also reports that consumers are calling for clarity and the effective and consistent implementation of the existing legal framework. Complex compliance processes and potential conflicts in enforcement can stifle EU-based digital innovation and drive emerging tech enterprises and investors elsewhere. New EU tech laws may provoke countervailing measures from the US, especially under the current administration. Maintaining the EU’s global competitiveness means ensuring that regulatory frameworks are robust, whilst aligning with the EU's competitiveness objectives and simplification agenda.

Given the current landscape, it is particularly important that legislators, regulators, industry and national Data Protection Authorities (DPAs) work closely together to identify a way forward that balances user preferences and economic models, while fostering innovation and protecting consumer rights. The legislative framework should be technology and business-model neutral, principles -based, and implementation-focused, with user transparency and experience at the heart of it.

ePrivacy's incremental user consent requirements for cookies are superfluous

Most actors in the EU's online ads supply chain are in scope of the GDPR, which mandates data processing be minimized and based on a lawful basis, which, in the case of sensitive personal information (e.g., political views, health, gender), requires explicit, informed, freely given and specific consent. Additional protections apply to children's data and of other vulnerable groups.

When an online service provider stores or accesses information on a user's terminal equipment or device, they must also comply with the ePrivacy Directive, which lays down rules on direct marketing, cookies, and electronic communications, and requires prior informed consent for cookies.

The ePrivacy Directive has significantly contributed to cookie fatigue. Attempts to update it with the Cookie Pledge and ePrivacy Regulation proposal failed due to lack of support. Meanwhile, the EDPB's Guidelines 02/2023 have expanded the technical application of ePrivacy, requiring GDPR-standard consent for all tracking technologies, including URL and pixel tracking, local processing, IP-based tracking, IoT reporting, and unique identifiers, without consistent exemption guidance. This has exacerbated cookie fatigue, and conflicts with the withdrawn ePrivacy Regulation, which aimed to harmonize and simplify cookie rules. The Guidelines also appear to require consent for contextual advertising.

The EDPB has the authority to issue guidelines on the interpretation of data protection law under Article 70(1)(e) of the EU GDPR. However, the ePrivacy Directive is a separate legal instrument and its implementation varies across member states. Furthermore, not all national DPAs cover ePrivacy. While the EDPB's guidelines aim to provide clarity, they may contribute to regulatory and legal uncertainty due to the varying implementation of the ePrivacy Directive across member states and the fact that not all DPAs cover it.

With the rise of privacy-preserving advertising models, and given that recent CJEU jurisprudence and regulatory guidance have been pushing towards "consent" being the only feasible lawful basis, there may be benefit in the Commission exploring if consent requirements are hindering a shift towards these models and are also hindering innovation and competitiveness (e.g. by working with a wide range of stakeholders to arrive at a workable definition for "contextual" advertising, and consent requirements for the same).

Regulatory guidance on 'consent-or-pay' models questions the validity of consent

In the Meta vs Bundeskartellamt (C-252/21) decision, the CJEU concluded that users who refuse consent to behavioural advertising (BA) must be offered an equivalent alternative, if necessary for an appropriate fee. Subscription models as an alternative to users’ consent to BA have been on the rise as a result.

In this context, the impact of the EDPB Opinion 08/2024 of 17 April 2024 remains to be seen. The Opinion introduces the concept of large online platforms (LOPs) and asserts that LOPs cannot comply with valid consent requirements if users must choose between consenting to BA and paying a fee. The EDPB suggests LOPs should offer an 'equivalent alternative' without a fee.

The EDPB's scrutiny of 'consent-or-pay' models stems from concerns that users may not have a free choice if they must either surrender personal data or pay a fee. Freely given consent appears to be undermined in the pay-or-consent context (i.e. as it undermines individuals' ability to freely choose to consent to processing), while also being advanced as the only effective lawful basis for behavioural advertising under ePrivacy. The Opinion also appears to undermine the validity of consent for specific types of controllers due to their size or position in the market, who may otherwise be GDPR-compliant (and where material privacy impacts could easily arise for other categories of controller).

The recent fine imposed by the Commission against Meta reinforces the idea that the consent-or-pay model prevents users from exercising their right to freely provide consent to the combination of personal data for targeted advertising under the DMA. The Commission is assessing whether Meta's new option, which allegedly uses less personal data to display advertisements, is compliant with the DMA. References to 'less personal data' remain unclear and lack objective parameters for organizations to tailor their practices to ensure compliance with the DMA. Future guidance should consider these dynamics and the practices deemed lawful under the regulation.

A broader question is whether digital platforms should be required to offer free access in all circumstances. IAB Europe's recent study shows that, after learning more about the funding role of personalised advertising, a high percentage of consumers would favour providing their consent to access digital services with personalized advertising for free. Forcing businesses to provide free services or identical free alternatives can stifle innovation. The idea that a free alternative should always be provided to users seems to ignore that online service providers legitimately pursue profitable results, and thus clashes with the well-recognised need for promoting innovation and competitiveness of enterprises operating in Europe. European law supports businesses' rights to conduct commerce and recoup costs. The CJEU recognizes that subscription-based or ad-financed services can coexist, provided user consent meets GDPR requirements. If fees are fair, choices transparent, and refusal of tracking does not deny essential services, different monetization options are appropriate and pro-competitive. In practice, consent-or-pay models can balance user autonomy and revenue generation. This fosters innovation and offers consumers meaningful choices on data use and engagement with online platforms.

Recent decisions and guidance on consent-or-pay have created new inconsistencies and more confusion than clarity. The evolving regulatory landscape raises questions about the validity of consent and the balance between user autonomy and sustainable revenue generation. It is crucial for future guidance to address these inconsistencies and provide clear parameters for compliance, ensuring that regulatory frameworks support innovation while protecting consumer rights.

The DMA and DSA address opacity issues with digital advertising, but many open questions remain as to scope

The DMA tackles transparency, unfair data-driven advantages, conflicts of interest, and dependencies on a few online platforms by regulating core platform services to prevent anti-competitive behaviours in digital advertising. The DSA aims to create a safer digital space and level playing field for businesses by addressing illegal activities, misinformation, and ensuring user safety and advertising transparency.

The DMA requires gatekeepers to obtain consent for processing, combining, or cross-using user data across services and to ensure transparency about consumer profiling techniques. It mandates real-time, cost-free access for advertisers, publishers, and third parties to ad portfolio information, enabling ad verification and performance assessment.

The DSA complements the DMA by increasing digital advertising transparency. Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) must maintain a public ad repository for the duration of ad presentation and one year after. The DSA also prohibits ads based on profiling using special categories of personal data, profiling-based ads to minors, and dark patterns.

Opportunities for alignment:

• Areas for further clarification: Article 46 of the DSA encourages the drawing up of codes of conduct to "contribute to further transparency" for actors in the advertising value chain. According to Recital 107, codes of conduct are intended to "support and complement" the DSA's existing transparency obligations relating to digital advertising. The Commission's recent workshops on a voluntary code of conduct for digital advertising  covered ad targeting, ad fraud, brand safety, and B2B ad transparency.  There is an opportunity to align with the Commission on the scope of the code, particularly whether it should go beyond the existing ads transparency provisions or attempt to 'complement' obligations already arising under the DSA. It is also worth noting that, while voluntary, compliance with the code will be part of the annual DSA audit, and refusal to participate without proper explanation could be considered in determining whether an entity has breached the DSA.
• Gaps and inconsistencies: stakeholders and consumer associations have flagged gaps in the DSA and DMA. For instance, the DMA and DSA obligations apply only to ads on regulated companies, leaving some actors in the digital advertising supply chain unregulated, which would potentially allow targeting to minors or based on special categories of data outside these platforms. The DSA also does not prevent non-special categories of personal data from being combined or inferred to create new targeting options in sensitive contexts, e.g., analyzing non-sensitive data such as browsing history, social media activity, or purchasing history to infer an individual's sexual orientation, religion, or health based on their behavior, social media following or purchases online.

Actors in the digital advertising supply chain left outside the DSA and DMA's scope are regulated under other instruments which equally aim to ensure fairness by prohibiting or sanctioning certain potentially harmful behaviours and imposing less-invasive obligations and standards of compliance. The DFA proposal provides the opportunity to clarify the interplay between different set of rules and to establish a level playing field among different actors, while enhancing competitiveness and tech innovation. Interventions should be in the form of  instruments aimed at providing guidance and clarification, as opposed to imposing additional regulatory burdens.

Many harmful online practices are caught by consumer protection and digital services legislation, but gaps remain and clarification and simplification are needed

Consumer law was one of the first areas to regulate advertising, with standards set by the Unfair Commercial Practice Directive (UCPD), Consumer Rights Directive (CRD, as amended by the enforcement and modernization of Union consumer protection rules Directive in 2019), and the Directive on Misleading and Comparative Advertising (DMCA). The UCPD does not prohibit personalized advertising but may deem certain practices unfair, such as manipulating consumers, targeting vulnerable groups, persuading children, or omitting essential information. The CRD imposes transparency rules on traders, including informing consumers about personalized pricing, while the DMCA regulates misleading advertisements.

The Commission's 2022-2023 'fitness check' confirmed that these directives remain both relevant and necessary to ensure a high level of consumer protection but highlighted the need for rules better adapted to the harms users may face online. Talks of a DFA have emerged to adapt EU consumer laws for the digital age, focusing on dark patterns, influencer marketing, addictive design and problematic personalization, while enhancing the protection of minors online and the imbalance with online subscriptions. This proposal is slated for Q3 2026.

Given the need for simplification and reduction of unnecessary regulatory burdens in new legislation, the DFA aims to strengthen consumer protection while easing legal and administrative burdens for businesses to create a pro-consumer and pro-business environment. It is expected to simplify existing regulations, as well as information obligations for digital content purchases and to fill regulatory gaps rather than replicating existing provisions.

There are arguments that existing instruments sufficiently address these issues – e.g., influencer marketing is addressed by the DSA and other non-binding instruments, dark patterns and addictive design are covered by the DSA, and manipulative practices and problematic personalization are sufficiently addressed through the GDPR and existing guidance – they just need to be better enforced. The Commission has indeed acknowledged that DMA and DSA mechanisms (such as codes of conduct), together with other regulatory tools, if implemented to their fullest extent, have the potential to contribute to a fair, open and contestable online advertising sector, and to empower advertisers to become responsible actors when exercising control over the placements online platforms choose to display their ads on.

However, some gaps remain:

• Dark patterns. Article 25 of the DSA prohibits dark patterns, but there is no binding definition. Various instruments, including the UCPD, CRD, the AI Act, DMA, and the Data Act mention dark patterns, but do not define it. Enforcement cases to date predominantly relate to a limited set of known dark patterns commonly recognized by regulators. There is also a potential tension with transparency, as it is currently very unclear when bona fide efforts to provide enhanced transparency to a customer may tip into a dark pattern, e.g., by being designed in a way that manipulates user choice. This points to possible gaps in guidance, available evidence and enforcement capacity. The evolving nature of dark patterns favours a mix of a principles and rule-based approach whereby new practices not currently envisaged might still be covered.
• Addictive design. The Commission's fitness check demonstrated that existing regulations address design features aimed at inducing users' digital addiction, even in the absence of a specific definition. The UCPD and the Commission's UCPD Guidance give examples of addictive interface designs in the context of gaming, and the DSA broadly addresses the risk of digital addiction, since risks arising from interface design that may cause addictive behaviour in users shall be addressed by VLOPs and VLOSEs through mitigating measures. However, there is still legal uncertainty due to the lack of guidance and case law, and limited scope of application of the regulatory instruments.
• Personalised targeting. Various legal instruments ensure consumer protection in respect of targeted advertising, including the CRD, DSA, DMA and the AI Act. However such provisions do not cover all practices (e.g., the obligation to provide ranking parameters does not apply to the organization of a website, nor when traders offer only their own products) and potentially even traders (e.g., the DSA prohibition to use personalized advertising based on special categories of personal data applies only to online platforms, while the obligation to add at least one recommender option not based on profiling only applies to VLOPs and VLOSEs).
• Additional areas of intervention in the Commission's strategy. The DFA aims to provide further guidance also in the context of digital subscriptions and social media/influencer marketing. Influencer marketing has so far been addressed by non-binding instruments, and CJEU case law is lacking. Certain guardrails are provided for under the DSA (e.g. functionality to declare commercial communications for clear and prominent markings and trader traceability obligations), but concerns associated with brand safety, deceptive practices, engagement manipulation and undisclosed sponsorships remain. Regulatory fragmentation, as well as the lack of guidance and case law might cause legal uncertainty as to the rules applicable to different players in the value chain and the standards and modalities of advertising disclosures.

It is unclear if the DFA would be put forward as a regulation. Given that simplification is one of the Commission's objectives, it might be better addressing issues outlined by the Commission's fitness check through guidance (to ensure consistency in interpretation and enforcement), or targeted amendments, rather than by implementing a new, standalone regulation.    

Is the bar for introducing new legislation met?

1.      Existing frameworks are comprehensive – As set out above, a range of EU instruments already offer powerful tools for consumer protection, data privacy, and competition. The GDPR comprehensively governs consent and data processing transparency, imposing severe penalties on non-compliant controllers. Where additional clarity is needed—such as defining contextual advertising, or dark patterns—regulators could provide guidance and refine enforcement rather than introducing yet another legislative framework.

2.      Simplification and harmonization could go a long way – IAB Europe's April 2025 report outlines the need to prioritise effective implementation over further reform, as well as a renewed focus on risk-based regulation. Instead of layering on more regulation, the Commission could consider streamlining existing requirements, issuing more accessible guidance (including where legislation overlaps on the same topic), and focus on effective, pragmatic enforcement. This approach is in line with the purpose of the Commission's Competitiveness Compass and the gaps identified by the Commission's fitness check. It would address the current regulatory patchwork while promoting consumer welfare, trust in digital services, and the growth of Europe’s digital economy—particularly important given the need to keep pace with economies that are steering towards lighter regulatory burdens.

3.      Risk of duplication and inconsistency – Given the existing tapestry of rules, a potential DFA risks overlapping with or even contradicting the GDPR, DSA, and DMA. Similar challenges apply with the withdrawn ePrivacy Regulation and the complexity of a potential DAA aiming to impose uniform standards across diverse business models, technologies, and jurisdictions.

4.      Competitiveness and a volatile global economic environment – At a time when key trading partners such as the United States are pushing for deregulation, the EU needs a proportionate, pro-growth regulatory framework. Complex compliance processes and potential conflicts in enforcement can stifle EU-based digital innovation and drive investment away. 

Key focus areas for policymakers

1.      Maintaining a global outlook – The Competitiveness Compass emphasises the need to consider the impact of regulation on foreign investments and on European enterprises' growth. EU decision-makers must remain cognisant of competitive pressures from international markets. Overly complex new proposals may slow Europe’s digital economy at a time key markets opt for greater deregulation and flexibility.

2.      Clarifying existing law and ensuring effective implementation – The Commission's fitness check identified inconsistency and complexity with the existing legal framework, and reports that there is space for improvement in simplifying existing rules, without compromising the high level of consumers' protection. Businesses need clear and coherent rules on cookies and tracking technologies, especially for less privacy-intrusive practices. Harmonizing interpretations of existing legislation on consent, data minimisation, and permissible advertising practices could resolve confusion and ensure uniform application across Member States. IAB Europe's report outlines that consumers' apprehension about the correct implementation of existing legislation might be well tackled through effective implementation and consistent enforcement of existing laws, rather than through further reform. The Commission and industry's collective focus should be on working together to clarify the existing set of overlapping regulations and guidance that applies to AdTech.

3.      Robust evidence and market research to inform decision-making – Current regulatory proposals assume that consumers do not want or value (and wish to avoid) personalization, which does not reflect the benefits of personalization to customers, or the value they place on it (as shown in IAB's recent study). It is crucial for legislators to consider whether the assumptions underpinning current policy ambitions are held out in practice. In order to stick with the Commission's commitment to ensure that legislation in place is evidence-based and reflects the actual needs of stakeholders, targeted research reflecting consumer expectations and industry needs would be very helpful and informative.

4.      Technology and business neutral approach –  New regulatory guidance, and elements in broader digital regulation, aimed at AdTech should generally be business-neutral and based on principles and rules to ensure they are future-proof. Both subscription-based and ad-based revenue models should be allowed to flourish, as long as they respect legitimate consumer expectations and maintain data protection safeguards.

5.      Forum for industry dialogue – As recently outlined by the Commission in its Competitiveness Compass, regulation should involve proactive dialogue with stakeholders to arrive at practical solutions collectively. Legislators, regulators, and industry must reconcile different objectives to ensure new regulatory instruments reflect the sector's reality and what can be implemented. Clarifying the technical issues created by the EDPB's Guidelines and the consent-or-pay opinion could be a starting point.

Conclusion

The Commission’s aim to shield consumers from deceptive or overly intrusive advertising practices is highly commendable. Creating more legislation in this space however risks exacerbating the problems caused by an already highly fragmented regulatory landscape. Existing frameworks such as the GDPR, ePrivacy Directive, consumer protection law and measures contained within the DSA and DMA, combined with robust enforcement and clear guidance, can uphold consumer rights while allowing all legitimate business models to flourish.

At this juncture, Europe stands to gain a great deal by clarifying and refining existing rules. This strategy offers a pragmatic way to safeguard fundamental rights while lowering unnecessary barriers to growth. In a global landscape where the US and other key jurisdictions are favouring simpler and pro-growth regulatory approaches, European legislators should be conscious not to overburden its innovators and hamper growth. By consolidating and simplifying existing frameworks, the EU can ensure it remains a leader in responsible digital regulation, without hindering Europe's economic potential or restricting legitimate consumer choice.