By Jasper van den Boom & Sarah Hinck
This brief summary of the Amazon workshop sheds light on its most important changes, some of the most relevant questions and answers in the Q&A, and shares some general observations. These reports are intended to represent facts and convey information on what was discussed during the workshops. They are not intended to provide normative considerations on whether the undertaking complies.
Opening remarks
Amazon’s workshop revolved around its Amazon Marketplace and Amazon Advertising services. In their opening statement, Amazon stated that at its core they are a retailer, facing intense competitive pressures from other online and offline retailers. From their role of retailer, Amazon has evolved into a Marketplace with a growing number of third-party sellers. In fact, third-party sellers now make up around 60% of the sales on Amazon and that number is growing. While Amazon presented this as an impressive statistic, this still means that 40% of all sales are dominated by one single entity, namely Amazon itself.
Amazon often described itself as customer obsessed throughout the workshop. It explained that their advertising service is different from those used by social media platforms or search engines, as Amazon’s advertising services took place on behalf of its customers, namely third-party retailers selling on its platform. As such, Amazon, its sellers, and its advertisers have aligned interests. After these opening statements, Amazon explained that it has worked over 2 years to introduce changes to comply with the DMA, related to a large number of provisions. Hereunder, we present an overview of the changes per provisions as discussed in the workshop.
Data processing – Article 5(2)
Amazon reiterated its customer obsession in deciding how to comply with art. 5(2) DMA. In order to gain and retain consumer trust, they have started thinking about compliance by putting the consumer perspective first. They have introduced and tested consent prompts with customers to ensure informed compliance. However, Amazon again explains that they are not like a social media network, they do not track browsing activities across the internet and does not sell information to third parties. Instead, the data used is only related to their browsing on Amazon services and used to find the most relevant advertisements or sponsored links. In line with art 5(2) DMA, Amazon asks for permission before personalizing users’ experiences. These consent flows have been presented, and Amazon has explained why they believe they present a neutral choice, are informative, and comply with the DMA.
They ask for consent to promote Prime video content on the basis of browsing in the store and vice versa, as well as to use this data to personalize other services. In December 2023 Amazon introduced two new consent prompts: one related to data sharing between its services (related to functionalities and recommendations) and one related to advertising. These have two different impacts: users that give consent to personalize services may be recommended a t-shirt related to a certain show on the Amazon store based on their viewing behaviour. However, this is not a sponsored link but just an ‘organic’ personalized recommendation. For users that give consent to personalize advertising, they will be subjected to personalized ads in the store.
In order to comply, Amazon has created data access barriers in the back end, which separate which personal information can or cannot be accessed depending on consent. Data is labelled on the basis of where it is generated, if the data is generated in the Store, and users have not consented for the cross-use of their data from the Store to another service, access to the data will be denied if it is requested by another service such as Prime Video or Alexa. In order to ensure that data is not used illicitly, Amazon has introduced a range of technical and human oversight mechanisms.
In the Q&A, observers asked questions related to a range of topics. Firstly, about the design of the choice screen and informed consent, it was asked if Amazon could release testing data and data on the uptake. Here, Amazon reiterated that it believed that it’s screens are compliant and did not answer the question about whether they will make data publicly available. On the back-end mechanisms, they were asked about fraud prevention measures, how the data was labelled, and if the system meant that user data would still be collected during the non-consent period and if it could be used if consent was given after all. Here, Amazon highlighted the importance of taking security measures related to data, explained that it’s data is stored in secure data centres at the account level of users and that the collected data was related to the customer ID. On the use of data, it answered that if consent was given at a later stage users would receive new recommendations on the basis of combined data, but that it does not give retroactive recommendations on the basis of data. This still does not really answer the question as to whether all data is then made available for combination, or only data that is generated from the moment of the change in consent status.
Data portability and access obligations – Article 6(9) and 6(10)
For its data sharing obligations, Amazon provides data portability in two manners. First, by sharing data with an authorized third party through an API. Second, a self-service which is called the Transfer Portal. The portability API allows users to grant access to their data collected through the stores and apps. This API builds on existing Amazon APIs and involves security measures. Third parties are granted access to a designated workspace through the API, after completing identity and security verifications. After doing so, third parties can gain access to category 1 data, which includes public account details , reviews and seller feedback. There is also category 2 data, which include physical and digital order history, shopping preferences, return history and other data related to the store and advertising services. Third parties who want to access category 2 data must go through additional security measures including answering questionnaires and sitting through interviews so Amazon can understand their security practices.
Customers can authorize Amazon to transfer their data to a third party as verified by Amazon by clicking a button on the third party’s website or app, customers will then authenticate themselves through log in with two factor identification. Users can select the types of data they want to transfer based on what the third party has selected in the catalogue. They can share data on specific time periods (anything forms a few days to years), and select if they want to have a one-time transfer or a continuous transfer over a certain period of time. To ensure security, customers are warned about the risk of data sharing and asked again if they want to continue the data transfer after the period ends.
Advertising transparency obligations – Articles 5(9), 5(10), 6(8)
On advertising transparency, Amazon again reiterated that their starting point for compliance was the customer experience. Amazon provided a historical overview of its advertising activities, starting with product ads which linked customers back to sellers’ product pages as a means to drive discovery, this has evolved over time into advertising services and sponsored links, as well as designated boxes.
While Amazon already provides a number of metrics and performance related information, they have made several changes to comply with the DMA. Their updates relate mostly to pricing transparency and performance metrics, granting more information (on a daily basis and free of charge) on prices paid. Amazon has introduced new Transparency reports, which include information on each fee paid by each advertiser and publisher and offer the opportunity for advertisers and publishers to granulate information. Advertisers and publishers can consent to having their information shared, including their name, but if they withhold consent their information will be included in the aggregated estimates. Amazon makes these reports available through a dedicated portal.
Besides this, Amazon has also started to offer a clean room where advertisers with campaigns in the EU can assess the impact of their campaign in a privacy safe manner. This was introduced in light of Amazon’s obligations under art. 6(8) DMA. In the clean room, advertisers can look at the viewability of their ads, the number of times it as clicked or displayed in a specific time period, what ads or clicks were removed due to errors or illicit content, and create, receive and share a report that can be used by third-parties or third-party tools and software to analyse the data further.
In the Q&A, Amazon answered some questions on the scope of the data that can be collected or shared, often noting that this was up to what their customers decide. Amazon explained that it only intervenes in a limited manner as to advertisers’ and publishers’ decision to share data.
Use of Seller data and self-preferencing – Articles 6(2) and 6(5)
The final session related to the use of non-public data for competition and self-preferencing. On art. 6(2), Amazon explained that in essence, it cannot and does not use non-public data that is provided by business users. This covers the services that third parties provide. Amazon mentioned that it has entered into commitments with the European Commission in 2022, and that this has determined their data-uses in this regard, while the solution was designed with the DMA in mind. As of last year, Amazon ensures that their retail business will not use non-public seller data to compete against sellers. Here, it explained that the meaning of seller data related to data provided by sellers and data generated through the use of the marketplace and supporting services. This includes data related to offers and transactions, including sales and revenues, and information on seller performance and future promotions. I t also covers data that is provided directly by sellers such as inventory levels and delivery times. The compliance measures cover both the use of seller specific and seller provided data.
Amazon also explains that it does not use their data in competition with sellers. Here, they used their own operations to identify where they compete with sellers and the areas that are outside of that scope. As ranking activities help users to select which products they want, there is some inherent use of data. If these activities relate to product selection or prices then they are including din the scope. Amazon also performs activities where it does not compete with sellers, such as improving the experience of the store as a whole, developing new features, customers support, and addressing fraud. This is all part of providing a good store for sellers and customers, and are not considered competing activities.
On the basis of these two types of scopes, Amazon has introduced a number of compliance measures including a review of the automated systems and employees that could be in competition with sellers, the introduction of new controls that prohibit any use of seller data, and on the system side a review of the data input that their automated systems fill into the retail system, which includes selection decisions, inventory decisions and pricing decisions. Amazon’s review of those systems has confirmed that none of the systems ingest these types of sensitive data. On the employee side, they offer additional training and conduct internal audits.
Amazon specifies that its advertising service relates to advertisers and not sellers, so that this is a distinct service. Here, they will not use advertising data to compete with advertisers. However, they do not exclude using non-public seller data for advertising and vice versa.
On article 6(5) DMA, Amazon argues that it does not engage in self-preferencing for two reasons: to gain long-term consumer trust, and the mutual interest they share with their sellers. For Amazon, the success of sellers enhances their own success. As part of the DAM preparations, Amazon ensures that the ranking operates on objective inputs , like aggregated past customer actions and information about the product. As for other search-based components, Amazon focuses on the customers. Sometime results pages include widgets and recommendations which are designed to enhance product discovery. Product placement and sponsored links can also appear in searches, which happens on the basis of a real-time auction. None of the criteria look into whether the bidder is a seller or vendor, Amazon products do not participate in these auctions. The search results are also based on objective criteria according to Amazon, and Amazon in-house products are clearly labelled.
In the Q&A, Amazon’s presentation attracted scrutiny. One observer asked whether Amazon had actually introduced any changes related to art. 6(5) DMA, to which amazon referred to its reviews of how products are ranked. Amazon believed to be compliant on the basis of this review. However, other observers noted that Amazon can still preference its own products by placement in certain boxes that are not open to other sellers, by branding, or simply by offering better terms or prices. Amazon continued to reiterate that it does not provide itself any preferencing in ranking, pricing or delivery. However, that if they offer a better price or delivery they should not make this worse off for consumers. Finally, one observer asked to explain why The Commission then found that when prompted with a choice between Amazon products or third-party products, users chose Amazon products 90% of the time. Here, Amazon argued that this referred to their commitments and declined to answer. On 6(2) DMA, it was also asked if this means that Amazon will use seller data for competition in advertising and vice versa. Here, Amazon stated that they believed that their decision to do so is not prohibited under the DMA.
Observations
Amazon mentioned several times throughout the workshop that their activities as a retailer differ from other core platform services such as social media and search engines, not only does Amazon act more in the physical world than these counterparts, it also has a representative function of its third party sellers in a different way as this relates to the delivery of physical goods. Amazon also mentioned in every presentation that the customer experience is central to its compliance strategy. This raises several questions. First, do these activities in the physical world allow them to escape scrutiny under the DMA to a larger extent? Secondly, is the most customer-centric compliant decision also the best to ensure effective compliance? Third, does Amazon believe that the best user experience also involves buying (mostly) Amazon’s in-house products? Amazon’s internal review around self-preferencing and the use of non-public data will be reviewed by the Commission, so it will be clear if they are compliant at some point in the future. For now, Amazon has escaped the first round of the Commission’s non-compliance investigations. One further question that may be pondered is the lack of attention to Amazon’s Prime bundle and it’s cloud services, which are at the core of its commercial success. Will this be addressed as the DMA evolves, or will these issues escape the scrutiny of the Commission? Perhaps Amazon’s compliance strategies highlight the risks of a one-size-fits-all approach to a number of heterogeneous businesses.