Start of main content

TrustPid or the so-called 'European supercookie': necessary interplay between competition law and data protection for the development of the Digital Marketplace

| News | Privacy, IT & Digital Business

Isabel Martínez Moriel, Partner and Head of Privacy, IT & Digital Business at Andersen, analyses the TrustPid project in AJA Magazine

For online advertising activities the implementation of the General Data Protection Regulation on 25th May 2018 and its subsequent interpretation by the European Data Protection Committee has been a milestone.

Both third-party cookies, for websites, and identifiers1 for mobile devices, which allow to impact users with personalised advertising and to know their behavioural patterns, now require express consent2.

The decline in the number of users that can be targeted due to the rejection of cookies, coupled with the shortcomings of census analytics systems that would not be adapted to the possibilities of 5G networks, have led different operators to seek alternative solutions3.

Four major European telecommunications operators, Deutsche Telekom AG (Germany), Orange SA (France), Telefónica, S.A. (Spain) and Vodafone Group plc (UK), have launched the TrustPid project (also known as the "European Supercookie"), which will allow them to track users in order to offer them advertising.

What is the Trustpid platform, dubbed the 'European supercookie'?

It is a platform to support the digital marketing and advertising activities of brands and publishers, controlled by the telecommunications operators themselves.

Through this system, operators ask the user, when visiting a website or online media for the first time, for consent to generate a unique digital identifier or code derived from the fixed or mobile network to activate the system and to display advertisements from that brand or media.

This identifier is pseudonymised and is sold by telecom operators to advertisers and publishers, who use it to recognise users visiting their website or application. Consent expires every 90 days.

For their part, through the platform, advertisers can set up audience targeting and users can not only check which brands/media they have given their consent to, but also revoke it at any time (and even disable the system altogether).

Why was authorisation by the European Commission's Directorate-General for Competition necessary?

The creation of a full-function joint venture by these four operators is a transaction that exceeds the quantitative thresholds set out in the EU Merger Control Regulation.

On 23rd February the European Commission reported that it had cleared the transaction unconditionally.

 This case is particularly relevant not only because of the market influence of these operators, but above all because it is a precedent that highlights the necessary interaction and complementarity between competition law and the fundamental rights to data protection and privacy.

Aspects considered by the European Commission for its authorisation: special reference to compliance with data protection regulations and the essential nature of the user's "consent" to ensure the existence of alternatives.

The Commission has concluded that the transaction will not significantly reduce competition in the French, German, Italian and Spanish markets despite the existing vertical link between telecoms operators and other players in the provision of services in digital markets, such as the market for digital identification for the purposes of targeted advertising and/or site optimisation and the supply of online advertising space.

In its assessment, the Commission sought the opinion of data protection authorities and took into consideration that the draft is designed to implement the applicable data protection rules, including the need to seek the express consent of users, which also ensures that users can choose through which intermediary they will receive advertising of interest to them.

Conclusion: Necessary interaction and compatibility with competition and data protection law

Although they are two different legal systems pursuing different legal objectives - market efficiency on the one hand and the protection of fundamental rights on the other - the development of digital markets makes the interaction of the two sets of rules increasingly necessary.

Firstly, compliance with data protection rules ensures user choice and avoids abuses by operators with influence or market power.

Secondly, the existence of a free and efficient market, where users can choose between different providers according to their interests, gives companies an additional commercial interest to develop alternative projects that comply with the rules.

Finally, in cases where a conflict of interest may exist, it must be resolved in the same way as in the case of a conflict with another right. That is, a proportionality judgement will be necessary and special attention will have to be paid to assessing the fundamental rights that may be at stake.

1. E.g., IDFA, AAIDs, MAIDs.

2. In contrast, first-party cookies are used to facilitate navigation of a site and do not require such consent.

3. On the other hand, web browsers are transitioning to the new generation of analytical measurement systems based on user interactions (events), both for websites and applications (e.g., Google Analytics 4). Google plans to complete the transition to Google Analytics 4 by 4 July 2023 on a global basis.

You can read the article in AJA Magazine.

End of main content