Rob's Notes 19: Why We Haven't Fixed Online Advertising Yet
Revisiting some principles from 2016, and what's happened since then
Back in 2016, I was working on a DNS-based alternative monetization app for publishers, and we published research about consumer ad blocking. We gave some specific recommendations about how “online advertising companies [could] address many of the underlying reasons that consumers are flocking to block ads online”. (Note: I sold that DNS technology and related IP to an adtech company, as part of joining Facebook Ads to run the business integrity product team in early 2017).
Almost 9 years later, how have those ads recommendations played out, especially in terms of regulations and legislation in the EU and elsewhere? While our work then was primarily focused on web-wide display advertising (versus within walled-gardens like Facebook/Meta), many of the same principles apply to those firms.
1. Canonical advertiser identity
Original context: “Bad actors change names and pop-up again. Collaborate industry-wide to prevent this”
Still valid, and increasingly essential. Transparency is paramount given issues around scams, privacy, and advertiser accountability. Industry collaboration on verified advertiser identities could enhance trust and reduce fraud.
Partially addressed by law: EU's Digital Services Act (DSA, 2022) and the UK's Online Safety Bill (2023) require greater transparency about online advertisers’ identities, especially for political ads. US regulations are less comprehensive here, and are primarily voluntary initiatives like Google's transparency policies.
2. No malware, popups, or adware
Original context: “Create a three-strikes policy for providers who let anything through”
Feedback: Highly relevant; users strongly prefer safe and non-intrusive ads.
Indirectly required: EU GDPR (2018) mandates secure data practices, indirectly reducing malware risks. The EU DSA explicitly prohibits manipulative, deceptive, or harmful advertising. The US FTC Act prohibits deceptive practices, covering malware, adware, and intrusive pop-ups. However, there are few accepted guidelines for how vendors and adtech companies should be held accountable for allowing these through inadvertently.
3. Universal ad-server approval
Original context: “Too many firms allow any code on their site. Limit and enforce standards”
Remains critical due to heightened security, privacy concerns, and regulatory pressures. This is especially problematic with the proliferation of mobile ad SDKs, some with unobservable fingerprinting and other deceptive practices.
Indirectly/partially required: EU GDPR mandates that ad servers comply with strict privacy and data processing rules, while no explicit requirement for universal approval exists. However, strict compliance indirectly demands greater oversight and standardization of ad-server and SDK practices.
4. Restrict retargeted ads
Original context: “Users get creeped out. No more than 3 pages of these ads, per action/product”
Retargeting is more regulated and less aggressive than it once was; numeric limits might be simplistic and hard to enforce, but giving users clear opt-outs is better.
Indirectly addressed: GDPR (EU) and state laws in the US like California’s CCPA/CPRA may restrict retargeting by mandating explicit consent or clear opt-out rights for data-driven retargeting. However, laws do not set numeric frequency limits.
5. Three ads per page
Original context: “Data shows that fewer is often better. Enforce limits on ads per page/minute.”
Consumers prefer fewer, better-quality ads. Enforcement is beneficial if flexible.
Not required by law: No laws in the EU, US, or UK currently enforce numeric limits on ads per page. Industry self-regulation (Coalition for Better Ads Standards) addresses related quality standards, not numeric counts explicitly, and it feels like ad load is worse than ever on many sites.
6. Full history of targeting data
Original context: “See what data is being used to target any ad. Let the user delete/change/restrict”
Highly relevant, aligning with current privacy trends and expectations.
Explicitly required by law: GDPR (EU) and California and some newer state laws explicitly grant rights to access, correct, delete, and restrict the use of personal data, including ad-targeting history. UK GDPR mirrors EU requirements.
7. Advertiser blacklists for users
Original context: “Let user block specific advertisers from showing ads to them, easily.”
Valid and feasible; consumer control is widely appreciated.
Not explicitly required: No specific laws mandate allowing users to blacklist advertisers. However, this is indirectly covered by GDPR and CCPA/CPRA through user consent and preference mechanisms, though not specifically by blacklisting advertisers individually.
8. Label ads properly
Original context: “‘From Around the Web’ and similar descriptions are deceptive. Enforce labeling for sponsorship/ads consistently”
Essential and legally reinforced widely; ambiguous labeling is increasingly prohibited.
Explicitly required by law: Clearly required in the US by FTC guidelines (Truth in Advertising), in the EU under the Digital Services Act (DSA), and in the UK under Advertising Standards Authority (ASA) regulations. Enforcement is more questionable, however.
9. Devote 10% of ad space to feedback
Original context: “Have EVERY ad gather user feedback, and show why it was targeted. Make this visible to sites and users”
Partially implemented (e.g. "Why this ad?" by Google), but 10% might be excessive.
Partially required: EU GDPR and the UK's equivalent laws require transparency in automated targeting decisions, but do not mandate dedicating specific space for feedback. Laws like the DSA (EU) also require explaining ad targeting, though not a specific space allotment. This is still one of my pet causes.
10. Allow paid ad blocking
Original context: “Anyone should be able to pay a fair amount & not be hassled for blocking ads”
Highly relevant; successful paid ad-free models exist (YouTube Premium, etc.).
Not required by law: No laws currently mandate offering paid ad-free alternatives, although regulations indirectly encourage privacy-friendly options by emphasizing consent requirements. Subscription models have grown primarily due to consumer demand and market trends rather than direct legal mandate. Meta has attempted to launch an ad-free paid program in the EU, which has been widely criticized, including by the competition authorities.
Overall I made some good calls in some of these areas but not others. I’ve written more recently about ways to measure abuse by harnessing publicly-available ad libraries, and I’ll keep thinking of (and writing about) what might be coming next.
Image Source: The Ad Council (2012)