The European Commission and the city of Boston reached the same conclusion within 48 hours of each other. Both said the tools that keep people scrolling, infinite feeds, autoplay, personalised recommendations, are not incidental features of social media. They are the product itself, engineered deliberately, and both regulatory bodies now say so in writing.

On July 10, 2026, the Commission announced a preliminary finding that Meta breached the Digital Services Act through the addictive design of Instagram and Facebook. Two days earlier, Boston Mayor Michelle Wu had filed a federal lawsuit alleging nearly identical harms against Meta, TikTok, Snapchat and YouTube on behalf of the city's public schools. Neither case cites the other. Both describe the same mechanism, in almost identical words.

That overlap, an EU regulator and a US city government arriving independently at the same diagnosis of how modern platforms are built, is the story running through this edition. Alongside it: Google tightened a security gap in Tag Manager that had let scripts run outside their intended restrictions, and Ezoic published a slate of new monetisation tools aimed at publishers whose search traffic keeps declining. Each item traces back, in some sense, to the same underlying tension: platforms built to hold attention, running up against regulators, courts, and publishers who are starting to ask what that attention actually costs.

Brussels finds Meta's apps were built to keep people scrolling

The European Commission's press release, published in Brussels on July 10 and carried under reference IP/26/1579, does not mince words. Investigators concluded that Meta failed to properly assess how the design of Instagram and Facebook affects the physical and mental wellbeing of users, particularly minors, and singled out four specific mechanisms: infinite scroll, autoplay, push notifications, and highly personalised recommender systems. According to the Commission, these features function together to keep people "in autopilot mode," a phrase the regulator used explicitly, and that state, sustained through repeated use, contributes to what the release calls compulsive behaviour.

The investigation traces back further than this week's announcement. The Commission opened formal proceedings against Meta on May 16, 2024, and the July 10 finding represents the latest milestone within that broader case, not a standalone action. An earlier strand, addressing whether Meta's age-assurance systems for under-13 users actually work, produced its own preliminary findings on April 29, 2026. A third, separate strand covers so-called "rabbit hole" effects tied to how the same recommender systems may exploit the inexperience of younger users, and remains open.

Two specific failures anchor the July 10 finding. The first concerns risk assessment: under the Digital Services Act, platforms designated as very large online services must evaluate the systemic risks their design choices pose. Brussels concluded Meta simply had not done this properly for addictive design, despite having access to data on how much time minors spend on Instagram and Facebook at night, and how formats like Reels and Stories might drive excessive use among younger users.

The second failure concerns mitigation, meaning whatever tools Meta already has in place to limit harm, and whether they function as advertised. Here the Commission's language turns unusually pointed. Time-management prompts, even those switched on by default for teenagers, "can be easily dismissed," according to the findings, and produce no meaningful reduction in actual usage. Parental controls fared little better in the Commission's assessment: they work only if a parent already has the technical fluency and the spare time to configure them properly, a condition the regulator found frequently absent. Meta's separate safety-centre resources, tips and links to mental-health support, were likewise judged insufficient.

None of this yet amounts to a fine. Meta now enters a formal defence phase, during which the company can examine the Commission's investigation file and respond in writing; the European Board for Digital Services will also be consulted before the case proceeds further. Should the Commission ultimately confirm a non-compliance decision, the Digital Services Act sets a statutory ceiling of 6 percent of Meta's global annual turnover, though the regulator's own enforcement record suggests actual fines tend to land well below that maximum. A €120 million penalty against X in December 2025 and a €200 million penalty against Temu in May 2026 both fell far short of their respective 6 percent ceilings, which suggests the Commission calibrates penalties to the specific conduct at issue rather than reaching automatically for the cap.

Henna Virkkunen, the Commission's Executive Vice-President for Tech Sovereignty, Security and Democracy, supplied the sole quote attached to the announcement. "Protecting the physical and mental health of Europeans must be a priority for social media platforms," she said, adding that the Digital Services Act "provides a clear framework to hold platforms accountable for the addictive design and effects of their services."

The Commission is not treating Meta as a special case. It issued near-identical preliminary findings against TikTok in February 2026, covering the same quartet of design features, and ByteDance faces the same 6 percent exposure should that separate case eventually produce a confirmed non-compliance decision. Read together, the two cases suggest Brussels intends this line of scrutiny, platform architecture itself, rather than any specific piece of content, to extend across the industry rather than settle on one company. A related October 2025 action had already found both TikTok and Meta in breach of separate DSA transparency obligations covering researcher data access, a sign the two companies are now facing parallel enforcement tracks on multiple fronts simultaneously.

Boston's lawsuit levels an almost identical charge, three thousand miles away

Two days before the Commission's announcement, on July 8, Boston Mayor Michelle Wu announced that the city was suing Meta, TikTok, Snapchat and YouTube on behalf of Boston Public Schools, joining a consolidated federal case in California that now includes more than 1,500 school districts nationwide. The lawsuit, filed in the same Northern District of California where Meta is headquartered, alleges that the companies deliberately engineered features, endless scrolling, constant notifications, and targeted algorithms, specifically to keep young people engaged, and that inadequate age verification made the problem worse.

The parallel to the EU's findings is not just thematic. It is close to verbatim. Where Brussels cites infinite scroll and personalised recommenders as failures of risk mitigation, Boston's complaint describes "endless scrolling, constant notifications, and targeted algorithms specifically to keep young people hooked." Neither filing references the other; each institution appears to have reached the same technical diagnosis independently, working from different evidence and under entirely different legal frameworks.

Boston's complaint leans on local data. City officials cited figures from the Boston Public Health Commission showing that 44 percent of Boston Public Schools high schoolers reported experiencing persistent sadness in 2021, up from 27 percent in 2015. The district has expanded its mental-health staffing accordingly, from six social workers and 48 school psychologists in 2007 to 240 social workers and 105 psychologists today, according to the mayor's office, and the lawsuit seeks compensation for those costs alongside a court order forcing the companies to remove the disputed features.

The case does not arrive in a vacuum. In March 2026, a California jury found Meta and Google liable in a related case, ruling that the companies had intentionally engineered addictive features and that executives had failed to protect younger users; jurors awarded the plaintiff, a young woman who alleged the platforms had caused her depression and anxiety as a teenager, millions of dollars in damages. In May 2026, Meta and other defendants settled a separate bellwether case brought by a Kentucky school district. Whether Boston's case proceeds to a similar jury trial or follows the settlement path of the Kentucky matter remains to be seen; the sheer scale of the consolidated litigation, over 1,500 districts now party to overlapping claims, suggests the companies face a long and expensive road regardless of how any single case resolves.

Meta, for its part, has disputed the characterisation directly. A company spokesperson told WBUR that Meta "strongly disagree[s]" with the allegations and pointed to a decade of engagement with parents, researchers, and law enforcement on the underlying issues. A spokesperson for Google, which owns YouTube, offered a similarly worded rebuttal, saying that providing young people with a safer experience "has always been core" to the company's work.

Whether any of this changes platform behaviour before a court forces the issue is a separate question from whether the allegations are accurate, and it is one that advertisers buying inventory on these platforms have reason to watch closely. A recommender system compelled, by court order or by regulatory settlement, to optimise for something other than pure engagement would very likely produce different reach and frequency figures than the ones media planners currently build campaigns around. That shift has not happened yet. But two independent institutions, working three thousand miles and an ocean apart, have now reached the same conclusion about why it might need to.

Meta's other courtroom problem: a $1.4 trillion number nobody expected

The addictive-design cases are not Meta's only active legal exposure this week. On July 9, according to reporting from Deadline carried in MediaPost's Around the Net roundup, Meta's legal team filed a response disputing a damages calculation that could, if upheld, cost the company roughly $1.4 trillion, an amount close to the entirety of Meta's current market valuation. The underlying multi-state case, brought by attorneys general from California, Colorado, Kentucky and New Jersey, accuses the company of "unfair or unconscionable trade practices."

Meta's filing did not mince words either. "A sanction of that size has no analog in the history of consumer protection enforcement," the company's defence team wrote, according to the redacted document Deadline published alongside its reporting. The case is scheduled to go before a jury in Oakland, California.

The figure itself illustrates something about how consumer-protection enforcement against large technology companies has scaled in recent years. A sanction approaching a company's total market value is, by Meta's own characterisation, unprecedented, and whether an Oakland jury ultimately embraces anything close to that number remains genuinely uncertain. What is not uncertain is the pattern: within the same 48-hour span covered by this edition, Meta faced a preliminary EU finding carrying a theoretical 6 percent global turnover exposure, a Boston-led lawsuit joining over 1,500 similar complaints, and a state-level damages claim measured in the trillions. Three separate legal systems, operating independently, converged on Meta's core product design within the same short window.

Google quietly closes a gap that let scripts slip past container restrictions

Away from the courtroom, a narrower but practically significant change moved through Google Tag Manager on July 11. According to PPC Land's technical coverage of the release, Google fixed an inconsistency in how GTM containers enforce their own security restrictions, one that had allowed scripts loaded through unsupported paths, such as /gtag/js, to run without the limitations that should have applied based on the container's actual type.

The mechanics matter for anyone who administers a tag-management setup. Google's permission model for GTM is meant to work off the container ID: a standard GTM-prefixed container should run broadly, while product-specific identifiers, such as those beginning with G- for Google Analytics or AW- for Google Ads, are meant to stay limited to Google-provided tags and variables only. Before this fix, containers loaded through certain non-standard paths ran unrestricted, regardless of what their actual container type should have permitted. After the change, only the container ID itself governs what a given container is authorised to execute, closing the discrepancy between Google's documented permission model and how containers had actually been behaving in practice.

The fix sits inside a broader pattern of GTM security tightening that has unfolded over roughly eighteen months. A German court ruling in March 2025 established consent obligations specific to GTM's operation. Google's tag gateway infrastructure, designed to route measurement traffic through advertiser-owned domains rather than serving scripts directly from Google's own servers, reached general availability in May 2025 with Cloudflare as the initial content-delivery partner, and has since expanded to include Google Cloud Platform, Akamai, and Fastly as additional deployment routes. In May 2026, that same infrastructure gained the ability to conceal container IDs behind randomised serving paths, specifically to make GTM scripts harder for ad blockers to identify using known ID patterns.

That last development runs on something close to a parallel track to the July 11 fix, and the two together illustrate a persistent tension inside modern tag management: the same architecture built to protect measurement continuity against ad blockers also has to be carefully bounded so that it does not inadvertently grant broader execution privileges than intended. Ad blocker developers, for their part, have not stood still either. Filter-list maintainers have begun targeting server-side GTM deployments directly, identifying subdomains by pattern regardless of whether the underlying architecture uses first-party serving, a development that keeps the contest between tracking infrastructure and blocking tools running in something close to real time.

For practitioners managing GTM at scale, the July 11 fix is unlikely to require any action; Google's release note frames it as a correction to existing behaviour rather than a change advertisers need to configure around. But it is a reminder that the security boundaries governing what any given container can do have grown considerably more intricate than the tag-management systems of even two years ago.

Ezoic bets on readers who already exist, as search referral traffic keeps falling

A separate but related pressure runs through the publisher side of the industry, and Ezoic's July 10 product announcement offers a clear illustration of how that pressure is reshaping monetisation strategy. According to the company's own blog post, written by Tyler Bishop, Ezoic rolled out nine new platform capabilities spanning integration, monetisation, identity, and analytics, crediting the underlying strategy, extracting more revenue from an existing audience rather than chasing new visitors, with a 23.6 percent quarterly rise in network earnings per thousand visitors.

The framing is deliberate, and it responds directly to a data point that has been accumulating across the publishing industry for some time. Search referral traffic to small publishers has fallen by roughly 60 percent over a two-year period, according to figures PPC Land has referenced in its ongoing coverage of the topic, and separate research from Ahrefs has found that AI Overviews correlate with a 58 percent reduction in click-through rates for pages that would otherwise rank at the top of organic results. Against that backdrop, a platform telling publishers to focus on the readers who already show up, rather than the ones search used to send, is responding to a structural shift rather than proposing a novel idea.

Six of the nine capabilities are available immediately to all Ezoic customers, according to the announcement. One feature lets publishers attach conversion pixels, for Google, Meta, Microsoft, or a custom JavaScript function, and pairs each fired pixel with a prediction of the advertising revenue that specific acquired visitor is likely to generate over time. The stated purpose is closing a loop that has historically been difficult to measure directly: what it costs to acquire a given visitor against what that visitor subsequently earns in advertising revenue, a calculation that becomes especially useful where certain pages on a site meaningfully outearn the rest, or where a publisher is already running paid acquisition campaigns with no advertising-revenue feedback signal built in at all.

Whether this self-funded acquisition model, in which a publisher's own ad earnings underwrite the campaigns used to buy more of the traffic generating those earnings, becomes a durable strategy across the industry or remains a niche tactic confined to publishers with unusually strong per-visitor economics is not yet clear from a single week of data. What is clear is the direction of travel: publishers are increasingly being asked to treat logged-in, returning, and directly acquired visitors as a fundamentally different and more valuable category than anonymous search-referred traffic, and to build monetisation infrastructure around that distinction rather than around undifferentiated pageview counts.

Google's ad-transparency label meets its own honesty problem

One more thread from this window connects the AI-transparency conversation to the same tension running through the rest of this edition, platforms building disclosure tools that depend, in practice, on the good faith of the people being asked to use them. On July 9, Google introduced a "How this ad was made" panel inside its My Ad Center dashboard, extending to commercial advertising a disclosure requirement that had previously applied only to election ads. The panel, accessible through the three-dot menu or info icon on ads across Search, YouTube, and Discover, indicates whether an ad was created or edited using AI tools.

The mechanism splits cleanly along one line. When an advertiser builds an ad using Google's own generative AI advertising tools, such as AI Max or Performance Max, the disclosure appears automatically, requiring no action from the advertiser. When an ad is built using AI tools outside Google's own ecosystem, the advertiser must manually flag that involvement using a new control, and Google has said plainly, through both its own blog post and confirmed independently by TechCrunch, that it will not run any check to verify whether that manual flag reflects the truth. The system runs, in effect, on an honour code.

That gap matters because the timing is not incidental. The European Union's AI Act imposes transparency obligations on AI-generated content that become enforceable on August 2, 2026, a little over three weeks after Google's rollout, with penalties reaching €15 million or 3 percent of global annual turnover for non-compliance, a deadline covered in PPC Land's own reporting on the EU's AI labelling icons. Google's voluntary, self-declared labelling system arrives well ahead of that legal deadline, and functions as a considerably lighter-touch mechanism than what Brussels has proposed in the statutory version, a distinction that retailers and advertisers lobbying to soften the mandatory EU rules have not missed, as The Next Web reported in its own coverage of the rollout.

In specific markets, the label carries more legal weight than elsewhere. For campaigns targeting the European Union, India, and New York specifically, ads with assets an advertiser designates as AI-created or AI-edited will also display a visible overlay directly on the ad itself, rather than remaining tucked inside the My Ad Center panel alone, according to Search Engine Land's coverage of the announcement. That regional escalation puts Google's approach broadly in line with Meta, which already runs a comparable "AI Info" tag across its own social feeds, and extends a labelling infrastructure Google had already built around SynthID, its invisible watermarking system embedded in content generated through Google's own AI tools.

The honour-system design has drawn direct criticism from several outlets covering the rollout. Android Headlines called the gap a "big loophole," noting that "shady digital marketers who intentionally use misleading AI images to move low-quality inventory have zero incentive to manually toggle an AI warning checkbox." An advertiser hoping a synthetic product image passes as a genuine photograph has essentially no incentive to volunteer that it was not, and Google has confirmed it will not independently verify the claim either way. Until platform moderation systems can reliably detect synthetic media on their own, without depending on advertiser self-reporting, disclosures built this way will only be as reliable as the honesty of the companies buying the ad space, a limitation that applies with particular force in the weeks immediately before a much stricter, legally binding version of the same requirement takes effect across the European Union.

The thread connecting five separate stories

Taken individually, these are five unrelated items: an EU regulatory finding, a municipal lawsuit, a corporate legal filing, a tag-management security patch, and a publisher monetisation announcement. Taken together, they describe something more specific. Two governments, an EU institution and a US city, independently arrived at the same technical critique of how major platforms are engineered, using language close enough to suggest the underlying diagnosis has become close to consensus among regulators and litigators working from entirely separate legal traditions. Meanwhile, the infrastructure layer beneath all of this, tag managers, ad-transparency labels, publisher monetisation tools, continues to be built and patched in real time, often on systems of trust, an honour code for AI disclosure, a container ID that is supposed to govern execution privileges, that depend on good-faith compliance from the parties being asked to follow them. Whether that trust holds up under the kind of scrutiny Brussels, Boston, and Oakland are now applying is likely to be one of the more consequential open questions running through the rest of 2026.

Also noted

  • July 9, 2026: Google introduced platform properties inside Search Console, letting creators with no website track which search terms drive clicks to their Instagram, TikTok, X, or YouTube posts, with the full feature rolling out over the coming weeks. PPC Land reported on the launch, and Search Engine Roundtable documented the same rollout with a hidden URL trick for accessing generative-AI performance reports.
  • July 10, 2026: Several media outlets, including The New York Times, asked a federal judge to sanction OpenAI for what the filing calls "discovery misconduct," alleging the company is withholding datasets and ChatGPT logs relevant to a pending copyright case. MediaPost carried the filing.
  • July 10, 2026: The IAB released its Redefining Media Types standard for public comment through August 8, 2026, aiming to establish consistent definitions across connected TV, online video, social video, FAST, video podcasting, and retail video formats. MediaPost reported on the draft standard.
  • July 10, 2026: OpenAI added a new Overview tab to ChatGPT Ads and expanded the ad platform to Japan and South Korea, according to an email the company sent advertisers. Search Engine Roundtable documented the expansion.
  • July 9, 2026: An Adobe survey of more than 1,000 consumers found that only 17 percent of shoppers recall an advertisement 24 hours after exposure, tying forgettable creative to irrelevance and mistrust among the respondents surveyed. PPC Land reported on the findings.