A

Hey, this is Ari with Market, and unless you've been living under a rock, you've probably heard that Market Live is coming up October 27th in New York City. The last Marketecture Live was sold out, and this one will surely be as well, with speakers like Mark Grether of PayPal, Eric Seufert of Mobile Dev Memo, and Jenny Wall from videoamp. Plus, I'll be recording my podcast live with the one and only Antonio Garcia Martinez, author of Chaos Monkeys and now part of the team building at Coinbase. It's a stacked agenda and we hope to see you there. Go to marketlive.com and grab your ticket while they're still available. That's marketlive.com this is @ Tech God and this is a word from our sponsors. Samba TV is a global leader in AI driven media intelligence. Powered by first party data from millions of opted in connected televisions and billions of web signals across the globe, its independent cross platform measurement provides advertisers and media companies with a unified view of the entire consumer journey. Leveraging real time insights and audience optimizations, Samba TV enables marketers to reach and engage audiences with efficiency and effectiveness across any platform and every screen. Visit samba.com to find out more. Again go to samba.com to find out more.

B

Foreign.

A

Welcome to the Monopoly Report the Monopoly Report is dedicated to chronicling and analyzing the impact of antitrust and other regulations on the global advertising economy. If you are new to the Monopoly Report, you can subscribe to our weekly newsletter@monopoly-market.com and you can check out all of the Monopoly report podcasts@monopolyreportpod.com I'm Alan Chappelle. I have a personal favor. If you like the podcast, please consider giving it a review and or mentioning it on social media. Those things really help. This week my guest is Tobias Juden. Mr. Juden is head of the International Section of the Norwegian Data Protection Authority, the Data til Suneg. His responsibilities include international cooperation, cross border enforcement and international transfers of data. Toby is also a member of the European Data Protection Board, a group of EU data protection authorities that advise the EU Commission and publishes compliance guidance on data protection matters, among other things. I'm looking forward to getting Toby's views on cookies, consent, the IABEUtCF and pay or Consent. So let's get to it. Hey Toby, thanks for coming on the pod. How are you?

B

I'm well, thank you. Thank you for having me. How are you?

A

I'm doing great. As I as I mentioned, we just literally flew in from the EU after a month off. And so I'm kind of excited to dive back into policy stuff because I had pulled out a little bit for the last month. And by the way, nothing happened over the last month in the U.S. did it?

B

No, no, no.

A

It's.

B

It's all business as usual.

A

Good, good. First, if you wouldn't mind, just for my audience, though, what is the Dada Tilsunit and what's its role within Norway and within the larger European Data Protection Community?

B

So, first of all, may I just say that I'm impressed by our pronunciation.

A

Well, thank you.

B

So we are the authority tasked with enforcing the data protection rules in Norway, and we have a law called the gdpr, General Data Protection Regulation that's the same across all the eu. Norway is not actually part of the eu, but we're kind of closely associated with the eu. So Norway, Iceland, Liechtenstein, we also apply by the gdpr. So essentially what we do is we try to enforce the law, we try to provide guidance on what you need to do in order to comply with all the requirements, and then we obviously try to do this in close cooperation with our European colleagues, because we've all got the same piece of legislation, so we want to do it in a harmonized way.

A

Well, and speaking of European colleagues, I understand that you're also a member of the European Data Protection Board, the edpb. And again, for my audience who might be less versed in EU Data Protection law, what is the edpb, what's its function, and what's your role within the edpb?

B

So it's essentially an EU body, and it consists of all the data protection authorities across the eu. Glaston, Norway, Iceland, Liechtenstein, and. And our job is essentially to ensure that we all interpret the GDPR in the same manner. That would be inconsistent. So you will see a lot of guidance coming out from the EDPB about what control is, what companies need to do under the gdpr, and as precisely in order for us to kind of set the bar in a harmonized manner, again, ensure that we interpret this in the same way. So it's really just a great cooperation for the data protection authorities, but also actually trying to help companies in complying with the law.

A

Yeah, I, I've noticed, I mean, over the years, I mean, going back to the Article 29 party, lots of interpretive guidance of EU data protection law. And I'm not going to say I, I would agree with all of it, but it is extremely helpful to get the perspective of, you know, of what the collective EU data Protection regulators are.

B

Thinking, well, thank you for saying that. And, you know, I think it's completely fair if you don't agree with absolutely everything. I mean, that's the point. Because even us as state protection authorities, we could have different views on an issue, but then we kind of agree how we're going to enforce it. So you can trust that the authorities will enforce the law in the way that it is interpreted in those guidelines. So it also kind of creates this sense of what to expect from the authorities to ensure that we don't do something completely random and unexpected.

A

I've listened to you on a number of other podcasts, and my sense is that you are a proponent of the idea of that data protection is, or at least can be, a competitive advantage for companies. Now, how would you suggest companies embrace that notion within the context of digital media and the ads or even the social networking space?

B

That's a brilliant question, and I do think you're correct. I definitely think that this can be a competitive advantage. And that's also because a lot of people, and at least in Norway, we're seeing this quite increasingly. A lot of people are making data protection a consideration when they opt for a new product, when they opt for a new service, they're actually interested in seeing, okay, will they protect my data? And conversely, we've seen a few incidents where companies who maybe had a certain level of trust didn't really earn that trust, and there was a data breach and they lost a lot of customers, a lot of clients, because in the end, people are not going to stick with a company that doesn't really treat their data in the way it should be treated. So I do think that makes sense. What is sometimes difficult in the digital sphere is that you've got a few companies that kind of set the standard, that kind of define the playing rules, and then everyone else just has to kind of go with that, whether they like it or not. So I do feel for a lot of companies in this space, and, you know, some of them actually tell us quite bluntly, you know, we engage in behavioral advertising and we don't necessarily agree with the system, but this is where we get our revenue, and we're just more to kind of change how this is taking place, which is very frustrating to them, and I do understand it. But in terms of recommendations to companies, we find that advertising isn't necessarily a bad thing. But you need to ensure that people know what to expect, that they feel like they have agency and that they can predict what will happen. Because if you actually Give people a choice. And I'm now talking about, for example, consent. If you give people a choice where they can actually decide for themselves freely what they accept and not, and you inform them what's going to happen, then most likely they're not going to have an issue when they see hats. And what actually happens is. This is quite interesting we've been seeing is if you have a website with a high degree of user trust, people trust your website. They trust that you will do right, you will protect the data. They will actually also trust the ads that are displayed, meaning that they will pay more to place ads on your website compared to some random website that people don't trust at all. So you can actually capitalize on that, you can monetize. So if you really do things by the book and earn people's trust, then you can actually make more money off of your ads. But obviously that also means that you need to again, keep. Give people a choice, Give people information and ensure that the data is not leaking to whatever third party, that you actually have measures in place so that you're accountable, you know what happens to the data and you're being true to the expectations of your customers.

A

Yeah. Trust is an endemic challenge within the ad space for a whole host of reasons. And I think privacy and data protection are a component of that. One of the challenges, and I think you alluded to this, is that most of the digital media space, it's almost like a feudal type of arrangement where you've got kind of big tech at the top who is imposing their own sets of rules and incentives. So everybody is trying to just make it through to the next quarter. So sometimes data protection gets pushed a little bit to the wayside. Look, I've tried to make my career out of encouraging companies not to approach that. But on the other hand, when the rule set is, is pretty decidedly stacked against you, it's hard for me at least to be super critical of companies who are looking to maybe cut some corners. I would love your thoughts on. You talked a little bit about consent or give people a choice. And my audience is going to want to hone directly into this portion of the discussion, I think, where, you know, okay, how is this consent mechanism, how is this really working within Europe? I mean, do you see it as something that's sort of working, broken, working really well? Like, how are you looking at, you know, the, the digital media space from the perspective of consent?

B

That's an excellent question. So once we got, I mean, back in 2018, when we got the GDPR then consent was kind of seen as a gold standard and something that was being very protected of users so that users should be fully free to decide over their own data. And consent is a bit tricky because some websites and services do get it right, where people know what they're consenting to and they do so freely. That's great. And then a lot of websites are not necessarily getting it right. And by that I mean that it could be deceptive design so that you nudge people to consent. And that could, for example, be the use of colors, making one option more prominent or nurturing people to think that that is the correct option. And then they end up being frustrated or disappointed when they learn what has actually taken place. But also under the gdpr, you have kind of different legal basis. If you're doing online tracking, most likely you will need to get a consent that's to do with something called the privacy directed. But you do also have other forms of marketing that could potentially be based on, on what we call legitimate interest. And that's a very different assessment because then essentially you as a company take responsibility and you say that, okay, my interest in processing your personal data is more compelling than your interest in me not doing it. And it doesn't, it's not overridden by any fundamental rights, et cetera. But then I take responsibility to ensure that the processing is actually proportionate. So you don't need to take a choice about something if don't understand me, don't care about you don't have time to read the information, just click. I will take the responsibility and I'll ensure that nothing bad happens with your data and that that can sometimes actually be a better solution. So we're not saying that consent is going to be a silver bullet and all we need on the Internet is just ensuring that all consent requests are look great and they're super valid. We also need to look at, okay, in which direction are we going here? Do we want to kind of feed into what is often referred to as the consent fatigue, where people just get 100 pop ups a day. No one has time to read all that information, just click a button, hope for the best. It's quite complex.

A

And so here's my challenge with, with the, the apparatus that's been set up and, and I'm not going to let industry off the hook here either, but I do want to at least ask you directly. So if you need a consent to place a cookie in connection with a contextual ad, you also need a consent to serve a targeted ad that Involves, I don't know, that's, you know, an interest in travel. So where does proportionality really come in? Because is the marketplace necessarily incented if you got to get a consent anyway? And if a, if an interest in travel ad is probably going to pay you a higher cpm, then the incentive is to serve that interest in travel ad.

B

Exactly, exactly. And this is the issue, and this is something we've been grappling with internally as well, because ideally, I mean, if we don't look at the law as it is right now, but if you think what should data protection regulation look like in the future? And I'm not saying we should reopen the gdpr, I'm just saying, you know, for the sake of conversation, I do think it's important to have those incentives. And we do sometimes get questions of whether it is correct that you always need a consent to even the less intrusive processing, which could be first party analytics on a website. Do we really want that to be subject to a consent requirement or is it even always subject to such a requirement? Not necessarily. And the same goes also for contextual advertisement. So again, this idea that consent is what we're looking for, it will solve all our problems. It's much more nuanced than that. And I think that it would be worth revisiting in which cases do actually contextual advertising need to have consent? And arguably in some cases you can't avoid it. But I think it's important, an important conversation to have. But. So you also asked about proportionality. Where does it come into play if you still need a consent to both forms of advertising? Again, that's a big if. But let's say that you do. You still have the principle of fairness within the gpr. And so fairness is about meeting the reasonable expectations of the user. It's about not leveraging any vulnerabilities, it's ensuring that your data processing is not going against anyone's best interests. For example, and I do sometimes wonder when you look at behavioral advertising, where data is just shared and shared and shared with all kinds of third parties, where you're reading articles about foreign intelligence now, participating in those bid requests, just so that can kind of intersect the data and use it for very different purposes than what was intended. I mean, I do question whether this is actually fair at all. Under the gdpr, I think we will reach a point in time where we need to have a discussion. Is this form of advertising the way it's been carried out today? Is that really consistent with the fairness principle? Is it really lawful under the gdpr? I'm not so sure. So there are still some considerations here as to why contextual advertising or other forms of advertising could actually be a better solution and a more longer term sustainable solution.

A

Okay, a couple of observations. First, you haven't said this, but I'm inferring it a bit. The idea that a hundred entities that you can manifest consent to a hundred different entities to have data, even relatively non sensitive data, I think is problematic at best. And that's a huge challenge for I think the digital ads industry and one that I don't think that they've entirely grappled with. Second observation is that things that one might be made fun of even five years ago and called a tinfoil hat type of a statement are really starting to come true. And you just raised one of them where, you know, we literally have law enforcement reaching in here in the States and pulling in data from precise location data from people who might be seeking reproductive care. I mean, the stuff that we made fun of collectively in the ad space years ago is starting to come true. And I do think the ad space needs to do a much more effective job of grappling with that. That said, we need, I think collectively to admit that the current mechanism isn't working in Europe and it's bad in Europe, it's coming to the US in some respects, albeit from a more circuitous path. But the idea that consumers are, every website that they visit are just now reflexively hitting a button to get the pop up to stop is not data protection. I don't know what it is, but it certainly is in data protection. And I just wonder if, if more policymakers would admit what to me seems like blindingly obvious, if we could then start to move towards how does one address a way so that we can create something that isn't broken? I would love your reaction to that.

B

So this is where I'll probably go a bit political. Not sure if everyone will agree with me on this. In a way we're actually having a serious discussion as to whether we should ban behavioral advertising in some way or form. And what we see is that all of these 100 cookie banners, most of them, are actually driven by the desire to do behavioral advertising. And you realize that most, most individuals don't necessarily want it, or maybe some of them do and that's fine, a lot of them don't. But you know that this is where you get your income, right? And you know that if you do contextualized advertisement whilst everyone else is doing behavioral advertisement, well, your advertisers are going to want to invest in behavioral advertisement instead because they prefer that option. So you wouldn't be winning if you kind of contextual advertisement on your own. Right. So we need to look at what are the incentives that are actually driving this development with, you know, cookie pop ups, cookie walls, et cetera, et cetera, with the data sharing en masse where you also have foreign intelligence. I mean all of this recklessness is driven by the idea that we absolutely need to do behavioral advertisement and we need to collect as much data as possible and we need to ensure that we get everything we can on users, that we're able to share it and that we're able to do so without any limitation. So it seems that a lot of this actually stems from this very particular form of advertisement. And the question is how can we drive innovation in different forms of advertisement? And I think that's going to be very difficult to achieve while we still have behavioral advertisement because the players are too big, the revenues are too large. And I think we as an authority have said that this is an idea that is worth to entertain that we should look into this because we are very much concerned with the way things are going right now. And not only are you receiving 100 pop ups a day, but now you might be charged a fee if you don't press the okay button. So what are you going to do as a consumer? What am I going to do? I work at a day protection authority, but still I'm not going to pay €5 for every single website I visit. Right.

A

So I want to get to payer consent in a minute. But if you'll allow me, I would love to just react to what you just said.

B

Yes please.

A

I'm going to get myself probably tarred and feathered at the next IAB meeting. I hope Norway does this. I absolutely, positively hope you do, but, but if you do it, I, I also hope that we can get enough publishers to provide an honest assessment and ad text. I'm sorry but, but get enough of the marketplace to provide an honest assessment of how that's working. I don't know if that would work, but I love the idea because I think it's an implicit admission that status quo isn't really working for anybody. So we need to try different things. And if at the end of the day the market creates a scenario where, you know what if everything is contextual and it's not great for certain types of news, but overall CPMs rise and you don't have as much costs associated with, with data, then that's a really interesting and worthwhile experiment to have. I don't know where this goes, but I absolutely applaud you guys for even trying it and I hope that Norway is able to do it. For whatever it's worth, I don't think Norway is exactly taking their cues from Alan Chappelle. But, but to the extent that, that, that they are, boy, my, my vote is go for it.

B

That's very interesting to hear because obviously when we speak with stakeholders, some of them think it's a good idea, some of them think it's a horrible idea. And honestly it is difficult because we don't really know. Right. We don't know how it's going to play out. I mean also because this is a global industry. So if a single country such as. Nor does it. I mean that's part of the criticism against this idea. It's just one small country, five point something million people do it, will that actually work or will we just hurt our own publishers?

A

I feel like I'm going to take a half step back to what I just said in that I certainly am not qualified to say what's in the best interests of the publishers of Norway and I would hope that they also get a voice in this discussion.

B

Don't you worry.

A

Yes. I'm sure the minute this gets published you're going to have a series of calls thrown, thrown your way. You're probably already getting them. But. Okay, so I, I would love your thoughts on payer consent because. And, and this is a really good segue because what drives the idea for me conceptually is publishers are being bled from a hundred different directions and I fear that we are going to have a mass extinction over the next year or two, even from some of the larger ones. And not to get political, but if you know there's only 8 to 10 mega publishers left standing in a few years, that's not great for a whole bunch of things. And data protection becomes the least of our problems.

B

Exactly. And I think this is super important because we like to think a data protection that's something that can support the economy, a healthy economy and something that can support democracy. It's about ensuring that you have all the human rights. And I think data protection has a role to play in ensuring that. So we definitely don't want to apply data protection law in a way that could prejudice societal values, important players in society. That is not what we want to do at all. And just to kind of tie this in with what I was saying about the European Data Protection Board, because the EDPB is actually now working on guidelines on consent obey. So I think those will be very important to follow. And then you have all the 31 regulators kind of voicing in on what the results should be. There was stakeholder events, so they got a lot of feedback, a lot of context. So I think in the end this is something that the E2 will decide to which extent you can do. So it's not really about what those Norwegians think, but since you asked about our views, I think, honestly I'm saying it's wrong. But you do hear a lot of publishers saying we can't survive without consent or pay. And I get it, because ad revenues are going down or they're at a standstill and they're getting a smaller and smaller proportion of the income from the actual advertising. So I think there's merit to saying that. But our question is, if we legitimize consent or pay, can you then survive? And arguably the answer will be the same. You probably can't survive with consent to pay either. At least that's some of the indications we've been getting when we look at the research, when we look at the figures and the budgets. I do question whether online behavioral advertising is a long term sustainable income model. And that is because the big tech players will continue to take a larger and larger proportion of the revenue. So it doesn't really save you. And the question is, should we then validate consent or pay? It might buy the publishers a few extra years and kind of hold off on the current trends, but it doesn't change the direction in which the trend is going. So you might still end up in the same place if you don't figure out something to do about that. But then the important thing is that we can't discriminate, right? As regulators, as policymakers, we can't discriminate. So we can't say, okay, so this is a form of business that we would like to survive, so you get to do this. We can't say that and then say, oh, but other businesses can't do that. This is about interpreting the law and we need to do that in a manner that is fair and that is non discriminatory. So if we say that these publishers can do it, then actually all the other publishers must be able to do it as well. And if everyone can have consent of pay and everyone wants to make money offered behavioral advertisement, what's to stop every single website, every single app from implementing it? And the question is, what kind of Data protection rights are you left with right, if you always need to accept, because you're not going to pay $5, €5 for every website, what's left of your data collection, You've already consented to sharing your personal data with 30 companies that will share it onwards, and that will be auctions, online auctions, bid requests, everything would just be disseminated. What is left of data protection? Is it just going to be the paperwork? Are we then outsourcing, enforcing the right of data protection to other fields of law that don't have this consensual pay mechanism? Is it going to be consumer law, competition law that's going to save us? It's something about what will our society look like if we give a thumbs up to consent or pay. And I think the Norwegian Data Protection Authority, we've been quite clear about what we think about this. We think that everyone should have the same level of data protection, regardless of financial situation, income, etc. But at the end of the day, we do understand, you know, that a lot of companies rely on this income and it's going to be up to the EDP to decide, not us.

A

Fair. So I want to react to some of that because there's a lot of really great stuff in there. The first is that. And again, this is. You didn't state this out, but I'm kind of implied. It's implicit. I've been a privacy guy for going on 20 something years and what I've discovered over the last couple of years is you cannot talk about privacy without talking about competition. And the reality in the digital media space is that competition, regulators, and I'm mostly talking about the US here, they missed the moment. They missed the moment in 2016, they missed the moment in 2020. And we are now left with the scenario where you've got a whole bunch of very large companies who are dictating terms on a whole bunch of different levels. And one of the, one of the many challenges as a result of big tech dominance is that it's just getting really hard for publishers to survive. Now, from my perspective, if consent or pay can buy publishers a couple of more years, to the point where the competition enforcement can actually have an impact on the marketplace, I would see that as a very valuable thing. Now, that may be a very optimistic view of how long these things tend to take. One thing that sort of blew me away because I hadn't really considered this is your assertion that, okay, well, if every single website now asked you for, you know, a 5 subscription or a you know, even like the small recipe site, you know, does that then make a complete sham of consent or pay? Because, you know, I don't know many people who are going to pay, you know, even a nominal amount for a recipe site or for, you know, to learn when the next TED Lasso is, is coming on or something along those lines. Very few people are going to, are really going to want to pay for that. And so then your challenge as a data protection regulator is, well, wait a minute. Okay, so now how do I ascertain that, you know, the big news publisher who, you know, everybody has heard of and is a brand name gets to do consent or pay, but the recipe site does not? I think my, my off the cuff response to that would be, well, I do think that there is the ability to draw a line somewhere and I'm making a pretty, this is a straw man argument here. You know, the, the New York Times gets to do consent or pay. Allen's, you know, tacorecipe.com doesn't. Now I don't know how you guys make that assertion like it's, it makes sense to me given those two broad examples, but I don't know how a data protection authority even entertains the idea of saying this site is worth X per month and this other experience isn't worth X a month. I, I don't really have a question in there. I, I'd love your thoughts if, if, if you're, are we on the same page here or am I just rambling?

B

No, I think this is super interesting and this is a bit of the issue because we also don't want to put ourselves in a situation of overreach. Right. And we're sometimes being criticized for overreach as state protection authorities. So is it for us to, to kind of ascertain where should companies get value from? What do we think is fair remuneration? You know, we don't want to be the ones speaking about what kind of business model you should have or who should have what kind of business model, and that this is not regulated by the gdpr, it's completely beyond our remit. So that then the question is, can we, looking at the GDPR where the criterion is, is consent freely given? Can we, by way of assessing what is freely given consent, say that you can do it and you can't. Or maybe we can if there are circumstances that say, well, in this situation you did have a free choice and in this situation you were kind of compelled to consent. That can be, you know, looking at different factors, but to Say generally one industry can and one industry can't. I mean, intuitively people might feel, oh, that should be possible, or whether it's possible under the gdpr. That is kind of the question.

A

Yeah. And I feel like the entire payer consent model puts data protection regulators in a rather unfair position because regardless of how you're looking at it, you are now in the position of evaluating that you're evaluating things like value and who knows, I mean, I see consumers spend money on stuff that I think is complete trash and that's okay. That's what a free market is supposed to do. It's difficult because I don't know the data. Any data protection authority is an economist, I'm sure there's some, but that tend to be separate disciplines. And so what we really need is maybe the economist to weigh in. I don't know. But it does strike me that the entire debate around payer consent is only partially about data protection.

B

It's an interesting observation and I do think that you could apply different disciplines in looking at pay consent. The economical perspective is certainly one of them. And here again, we're just looking at the legal part under the gdpr. So I think it's fair to say that it's bigger than data protection for sure.

A

I've got one final question for you and it's sort of a broad one, but to what degree do you see size and scale and scope of data being a core component of EU data protection law? Like, I know it's in the GDPR somewhere, but how much does that really rise to the level of like, that's what's driving enforcement decisions?

B

I think for us, when looking at where we want to enforce, how we want to enforce it certainly factors in. So we always try to take a risk based approach when we carry out inspections, when we're enforcing, to kind of understand, okay, so where is the risk to fundamental rights the greatest? What is going to affect people's data protection? Is it going to be, you know, the small shop with a CCTV camera or is it going to be a data broker? It's probably the data broker. So in terms of where we kind of steer our enforcements, we don't necessarily get a lot of resources, we have backlogs. We're struggling to be everywhere. So then we need to try to be clever in where we prioritize our efforts. So essentially, do you have a lot of data? But also what is the nature of the data? Is it special category data, is it sensitive? Is it location financial data? Okay, we're Going to be more interested in that. Who are the people whose data you're processing? Is it vulnerable individuals? Is it children? Okay, probably we should focus there. And this is not clearly set out in the law, it's for us prioritize. But I do feel like data protection authorities are kind of moving in the same direction on that. Though in all fairness, we get a lot of complaints. We need to handle all the complaints. The complaints are not necessarily into that high risk stuff. It could be something a bit more mundane or everyday or related to something else than data protection. But also within the regulation itself, you do have a lot of provisions that are very clearly risk based in terms of, for example, what kind of systems do you need to have in place? Measures for compliance, organizational measures, technical measures? Well, that depends on the risk. So that will kind of be an assessment. Again, how much data, what kind of data? Whose data? What are the impacts of the way we are processing it? You know, are we storing it kind of passively or we are we using it for automated decision making? That also influences the risk. Same goes for security measures, et cetera, et cetera, data collection, impact assessment. It also, you know, scale is a, is a massive factor in terms of deciding what you need to carry out an impact assessment. So it's there, it's certainly there.

A

So that makes sense. I think that the DMA has sort of implicitly taken the concept that, you know, bigger, larger needs to be subject to, we'll just say additional scrutiny. And I think conceptually that makes sense.

B

Yeah, absolutely. We do see more and more kind of asymmetrical regulation coming out of the eu. And that is again, because some of these companies do actually have a lot of power. Not speaking about data protection merely as a competitive advantage, but actually how it kind of supports our democracies. We have these companies that are so powerful in part because they have so much data. So then it makes sense for us to actually focus our efforts towards them because that is where we like it to have the most impact. And then it will make life easier for those, those companies that actually rely on services provided by those very few, very large companies that kind of dictate the terms of the systems.

A

Yeah, and that brings me back to the, you know, the regulators in the US missed their moment 10, 15 years ago. And so we're seeing a reaction to that. And you know, there's a certain level of, you know, whenever there's a void, that void gets filled. And one of the ways that void got filled in this case, I think, is, is via DMA and dsa. Well, this has been a fantastic discussion, Toby. I really appreciate you taking the time to talk to me and thank you so much.

B

Thank you so much for having me. I really enjoy speaking with you. It was a super interesting conversation and I think there's more to be said. This is just the beginning.

A

I agree. Well, hopefully we have you back on. That was a great conversation. I went into this discussion assuming that Toby and I might disagree in a number of areas, but once again I found myself agreeing with a good deal of his thoughts. First, I think we're generally aligned that the current approach of consent for just about any type of ads in the EU just isn't working. And I think that's important because if we aren't willing to admit when something's broken, we significantly limit our ability to find solutions. Second, and I recognize that this view may be unpopular with some of my ad tech and publisher colleagues weeks but I really like the idea of experimentation and data protection. And if experimentation means we try eliminating targeted ads for a period of time in just a limited market so that we can evaluate how that impacts the market, particularly on publisher revenues, well, that strikes me as an idea worth exploring, provided that Norway can put into place some guardrails to ensure that their publishers don't get killed by the experiment. And to be clear, I don't think that this should be the only experiment. I'd also like to see an EU market entertain and approach what I'll call lightly targeted ads are able to be disturbed without consent. I get the sense that the UK may be looking in that direction, but I guess we'll see. Third, when it comes to pay or consent, Toby recognized that it involves an economic analysis which most in data protection are just not well suited to engage in. On that note, I saw a recent study by N O Y B on payer consent, and I'm not sure that their numbers really add up in their economic analysis, but I think that Toby makes a great case that there are hidden risks around payer consent. Namely, if regulators bless the model, would they need to bless payer consent for all content creators, even some tiny pub like my example of Alan's Taco Recipes? Well, that would be problematic, as if every website simply adds a draconian fee as the alternative to consent. I have to admit that it turns the idea of informed consent on its head. So if we're going to support payer consent because we want to save the news publishing industry, then we need to figure out a framework of when it would be acceptable and and when it might not be acceptable. Lastly, I was a bit taken aback by Toby's observation that payer consent might simply prolong the inevitable publisher extinction event, although I'm not really sure I disagree with them there. We covered a lot of ground, and I do hope that I can encourage Toby to join me on the Monopoly Report again. We have a bunch of other fantastic guests coming up on the Monopoly Report podcast over the next few weeks. Please subscribe to the show@monopolyreportpod.com or on Spotify, Apple, YouTube, or wherever you listen to your podcasts. And if you like the podcast, please consider giving it a review and or mentioning it on social media. And thanks for listening.

B

Bundle and Safe With Expedia you were made to follow your favorite band and from the front row we were made to quietly save you. More Expedia made to travel savings vary and subject to availability. Flight inclusive packages are atoll protected.