DSA advertising and recommender systems Transparency duties and evidence

Article 26 applies when a provider of an online platform presents advertisements on its online interface. The DSA defines an advertisement as information designed to promote the message of a natural or legal person, for commercial or non-commercial purposes, when it is presented by an online platform against remuneration specifically for promoting that information.

Article 27 applies when an online platform uses a recommender system. The DSA definition covers fully or partially automated systems that suggest, prioritise, rank, or otherwise determine the relative order or prominence of information shown to recipients on the platform interface.

VLOP and VLOSE duties are an additional layer. The Commission describes very large online platforms and very large online search engines as services with over 45 million users in the EU; once designated, they face added duties for systemic-risk management, non-profiling recommender options, data access, audits, and advertisement repositories.

For each specific advertisement shown to each individual recipient, the platform must make key facts identifiable in a clear, concise, unambiguous way and in real time. The required facts are that the information is an advertisement, who the ad is presented on behalf of, who paid for it if different, and meaningful information directly and easily accessible from the ad about the main parameters used to determine the recipient.

The implementation should be designed as a user-interface requirement, not just a policy statement. The ad unit or an immediately accessible control should expose the label, sponsor, payer when different, and the main targeting parameters. If users can change those parameters, the ad explanation should point to the change control.

Article 26 also requires a functionality for recipients to declare whether content they provide is or contains commercial communications. If the recipient makes that declaration, the platform must make that commercial-communication status clear and unambiguous to other recipients in real time.

Article 26 prohibits online platforms from presenting advertisements based on profiling using special categories of personal data referred to in GDPR Article 9(1). The operational control should prevent campaign creation, audience import, model features, inferred segments, and optimisation rules from using those categories for ad delivery.

Article 28 adds a separate rule for online platforms accessible to minors: when the provider is aware with reasonable certainty that a recipient is a minor, it must not present advertisements based on profiling using that recipient's personal data. The same article says compliance does not require providers to process additional personal data to assess whether the recipient is a minor.

The Commission's platform-impact guidance summarizes the policy goal as zero tolerance for targeting ads to children and teens and for targeting ads based on sensitive data. For compliance evidence, the useful record is not a general privacy statement; it is proof that ad-delivery systems, audience tools, and sales workflows cannot route prohibited targeting into production.

Article 27 requires online platforms that use recommender systems to explain the main parameters in their terms and conditions in plain and intelligible language. The explanation must tell users why certain information is suggested and include the most significant criteria used to determine the suggestion and the reasons for the relative importance of those parameters.

Where several options are available for recommender systems that determine the relative order of information, the platform must provide a functionality that lets the recipient select and modify their preferred option at any time. That functionality must be directly and easily accessible from the part of the interface where the information is being prioritised.

For VLOPs and VLOSEs, Article 38 adds a stronger choice requirement: each recommender system must include at least one option that is not based on profiling. The Commission describes this as a non-personalised feed option for large platforms with over 45 million monthly users in the EU.

Article 39 applies to VLOPs and VLOSEs that present advertisements on their online interfaces. They must compile and make publicly available an advertisement repository in a specific section of the interface, through a searchable and reliable tool that supports multicriteria queries and application programming interfaces.

The repository must cover the entire period in which an advertisement is presented and remain available until one year after the advertisement was last presented. It must not contain personal data of recipients to whom the advertisement was or could have been presented, and the provider must make reasonable efforts to keep the repository accurate and complete.

The minimum repository fields include ad content, product, service or brand, subject matter, sponsor, payer if different, presentation period, whether the ad was targeted to particular recipient groups, the main targeting and exclusion parameters where applicable, commercial communications identified under Article 26(2), reach, and Member State breakdowns where applicable.

The useful evidence pack shows that DSA disclosures are live in the product, that the underlying systems supply accurate information, and that prohibited targeting cannot bypass the controls. Treat ads, recommender systems, child-safety, privacy, and VLOP/VLOSE governance as connected records because one product change can affect all of them.

For VLOPs and VLOSEs, evidence also needs to support independent audit, Commission or Digital Services Coordinator questions, and systemic-risk review. The Commission's VLOP/VLOSE guidance lists audits, data sharing with authorities, vetted researcher access, non-profiling recommender options, and public ad repositories as part of the enhanced compliance environment.