The Price of Personalization: How Targeted Advertising Breaches Data Privacy and Challenges the GDPR’s Shield
Imagine browsing the Myntra website and coming across some cool pants. Instead of making an immediate purchase, you decide to think about it and maybe buy them later. Then, when you open your Instagram account, there it is – an ad for those exact same pants. Coincidence? Not quite. Welcome to the world of targeted advertising.
Targeted advertising is a powerful tool that allows advertisers to present consumers with ads tailored to their specific traits, interests, and shopping behavior. This concept works on the principle of “surveillance,” where customer data is collected to segment audiences based on demographics, interests, and browsing behavior, resulting in unique ads for each segment.
Targeted advertising benefits both marketers and consumers. When consumers encounter relevant ads, they become more interested in what the seller has to offer, increasing engagement and boosting sales for the seller.
However, while targeted advertising offers advantages, many websites and apps have been tracking and collecting user data without users’ knowledge or consent, violating the General Data Protection Regulation (GDPR), which safeguards user data and privacy.
Recent Cases in News:
Recently, the Irish Data Protection Commission (DPC) imposed a fine of $400 million on Microsoft for using targeted advertising practices that violated GDPR on its subsidiary social media website, LinkedIn.
A similar case involved Meta (the parent company of Facebook and Instagram), which was fined €390 million (€210m for Facebook and €180m for Instagram) by the DPC. Meta relied on Article 6(1)(b) of GDPR, which allows data processing if ‘necessary for the performance of a contract,’ to process users’ personal data for profiling purposes without clear consent.
The DPC found that Meta had unlawfully forced users to provide consent for data use by making it a condition to use Facebook or Instagram. Additionally, Meta failed to clearly state how users’ personal data would be used for targeted ads, violating GDPR guidelines.
To comply with GDPR, Meta asked users to click on “I accept” to indicate their agreement to the updated terms of service, which outlined how their data would be used in ads. However, users who did not accept were unable to use Facebook or Instagram. The DPC deemed Meta’s approach unlawful, as it “forced” users to give consent to data usage for ads, thus breaching GDPR. Further, the DPC observed that Meta did not adequately inform users about how their personal data would be used and why it was being used.
The DPC also highlighted that companies engaged in targeted advertising often fail to collect proper consent for personal information processing because they employ incomplete and overly vague privacy policies. Additionally, data is not always transmitted correctly to fulfill “right of access” requests, which leads to failures in completely deleting the stored data of subjects who withdrew consent. Moreover, companies sometimes fail to meet data controller obligations in their relationships with transfer partners.
These recent cases have exposed a conflict between two visions regarding social media. On one hand, social media may be seen as private spaces where users can share personal content with loved ones. On the other hand, they may be perceived as public forums, spaces for social interaction, and services essential to exercise constitutionally protected freedoms.
Are Users Truly Aware of Data Protection Risks?
As users, we often wonder what would happen if websites were required to seek specific consent to process user data for targeted advertising, rather than merely stating it in a sentence buried within lengthy Terms of Service. Would we still mindlessly click on the ‘I accept’ checkbox just to gain access to the website?
Unfortunately, even with the GDPR setting clear requirements on acquiring user consent, reality shows that users tend to rely heavily on free online services and have a limited understanding of the significance of data protection.
GDPR Fines: A Costly Lesson for Non-Compliance
To address data security non-compliance, GDPR imposes fines in two tiers. Less severe infringements can result in a fine of €10 million or 2% of a firm’s annual revenue from the preceding financial year, whichever amount is higher. More serious violations can lead to fines of up to €20 million or 4% of a firm’s annual revenue from the preceding year, again whichever amount is higher.
These fines serve a crucial purpose in educating big corporations about the importance of data protection. However, it is equally essential for these corporations to find ways to simplify their terms of service, enabling users to better comprehend the implications.
Strategies for Websites to Protect User Data in Compliance with GDPR
Data holds immense importance in marketing as it provides valuable insights into consumer behavior. However, with the implementation of GDPR, certain considerations must be taken into account.
First and foremost, companies should prioritize transparency and require every advertiser to inform the audience about all data being collected, the purpose of data collection, and how the data will be used.
Secondly, websites should draft their terms of service in a manner that is easy for users to understand, avoiding complex language and convoluted sentences.
Lastly, websites should present a consent checkbox that is unchecked by default, so that users opt in consciously. Only the cookies permitted by users should be set on the website, and users must have the option to opt out of cookies as well.
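A minimal consent gate for the opt-in and opt-out handling described above, as an added example that is not from the original article. The cookie names, categories and function names are constructed for illustration.

```javascript
// Constructed cookie inventory: every cookie the site sets must declare a category.
const COOKIE_CATEGORIES = new Map([
  ["session_id", "essential"],
  ["ui_lang", "preferences"],
  ["_analytics_id", "analytics"],
  ["_ad_profile", "advertising"],
]);
const OPTIONAL = ["preferences", "analytics", "advertising"];

// Every optional category starts unchecked; nothing is pre-ticked for the user.
function defaultConsent() {
  return Object.fromEntries(OPTIONAL.map((c) => [c, false]));
}

// Build a consent record only from the boxes the user actively ticked.
function recordConsent(tickedCategories, now = new Date()) {
  const consent = defaultConsent();
  for (const cat of tickedCategories) {
    if (OPTIONAL.includes(cat)) consent[cat] = true; // unknown names are ignored
  }
  return { consent, recordedAt: now.toISOString() };
}

// A cookie may be set only if it is essential or its category was opted into.
// Cookies with no declared category are refused instead of allowed by default.
function maySetCookie(name, record) {
  const cat = COOKIE_CATEGORIES.get(name);
  if (cat === undefined) return false;
  return cat === "essential" || record.consent[cat] === true;
}

// Reduce an outgoing list of {name, value} cookies to the permitted ones.
function filterCookies(cookies, record) {
  return cookies.filter((c) => maySetCookie(c.name, record));
}

// On opt-out, produce Set-Cookie values that expire cookies no longer covered.
function expireWithdrawn(existingNames, record) {
  return existingNames
    .filter((n) => !maySetCookie(n, record))
    .map((n) => `${n}=; Max-Age=0; Path=/`);
}
```

Storing the `recordedAt` timestamp with the choices gives the site a record of when each opt-in was made.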
Logging Out
Social media websites may currently face challenges in complying with GDPR norms, but in the long run, compliance will be beneficial for both consumers and organizations. Users prefer websites that are transparent about data usage and privacy, favoring those that prioritize their security. This compliance with GDPR may just be the silver lining website owners have been seeking.
DISCLAIMER – No information contained in this website may be reproduced, transmitted, or copied (other than for the purposes of fair dealing, as defined in the Copyright Act, 1957) without the express written permission of Rainmaker Online Training Solutions Pvt. Ltd.