Today, the European Commission imposed a fine of EUR 120 million on company X for violating the transparency obligations of the Digital Services Act. Violations include the misleading design of its “blue check mark”, the lack of transparency of its ad repository and the inability to provide access to public data to researchers, the European Commission said.
X’s use of a “blue check mark” for “verified accounts” is misleading to users. This violates the obligation of online platforms under the Digital Services Act to prohibit misleading design practices in their services. In the case of Company X, anyone can pay to obtain “verified” status without meaningful verification of the company behind the account, making it difficult for users to assess the credibility of the account and the content they are dealing with. That deception exposes users to fraud, including phishing scams, as well as other forms of manipulation by malicious actors. Although the Act on Digital Services does not stipulate an obligation to verify users, online platforms are clearly prohibited from falsely claiming that users have been verified if such verification has not been carried out.
Company X’s ad repository does not meet the transparency and accessibility requirements of the Digital Services Act. Accessible and searchable ad repositories are critical for researchers and civil society in detecting fraud, hybrid threat campaigns, coordinated disinformation operations, and fake ads.
X includes design features and barriers to access, such as excessive processing delays, that compromise the purpose of the Ad Repository. X’s ad repository is also missing key information, such as the content and topic of the ad, as well as the legal entity that pays for it. This prevents researchers and the public from independently monitoring all potential risks in online advertising.
X is not meeting its obligations under the Digital Services Act to provide researchers with access to public platform data. For example, Company X’s terms of service prohibit eligible researchers from independently accessing its public data, including scraping. Moreover, X’s processes for researchers’ access to public data impose unnecessary barriers, effectively undermining research into several systemic risks in the European Union.
The fine imposed today has been calculated taking into account the nature of the infringements, their gravity in terms of EU users affected and their duration.
This is the first non-compliance decision under the Digital Services Act.
X now has 60 working days to notify the Commission of the specific measures it intends to take to put an end to the infringement of Article 25(1) of the Digital Services Act in relation to the misleading use of blue safety marks.
X has 90 working days to submit to the Commission an action plan setting out the measures necessary to address the infringements of Articles 39 and 40(12) of the Digital Services Act relating to the ad repository and researchers’ access to public data. The Digital Services Board will have one month from receipt of X’s action plan to deliver its opinion. The Commission will have another month to adopt a final decision and set a reasonable deadline for implementation.
Failure to comply with the non-compliance decision may lead to periodic penalty payments. The Commission continues to work with X to ensure compliance with the decision and the Digital Services Act more generally.
