In today’s digital age, behavioural advertising has become a powerful tool for marketers, allowing them to tailor ads based on a user’s online behaviour. From browsing habits to search history, everything we do online is tracked in some way or the other to create personalized experiences. While this form of advertising can seem convenient and efficient, it comes with hidden costs—particularly in terms of privacy.
What is Behavioural Advertising
In simple terms, behavioural advertising is a marketing technique that targets users based on their previous online actions, such as websites visited, search history, or interactions with digital content. Imagine searching online for a new phone, and then seeing advertisements for that phone everywhere you go online. This is achieved through cookies and other trackers that follow your activities across different websites. By using these technologies, advertisers can create more personalized and relevant ads, increasing the likelihood of engagement.
Privacy and Other Risks in Behavioural Advertising
- Data Collection Without Sufficient Consent: One of the primary risks is that users often remain unaware of the scope of personal information being collected. Behavioural advertising networks rely heavily on tracking technologies that operate invisibly in the background. The collection of personal data without explicit consent, or via ambiguous consent mechanisms, can expose users to privacy breaches.
- Profiling and Discrimination: Continuous monitoring and profiling of users’ digital activities could lead to discriminatory practices.
- Data Security and Misuse: Massive volumes of user data are stored and processed by companies engaged in behavioural advertising. A data breach could expose sensitive information, including a person’s financial details, browsing history, or personal preferences, to cyber criminals.
- Data Sharing with Third Parties: Often, data collected for behavioural advertising is shared with third-party entities, without users’ knowledge. This uncontrolled sharing increases the risk of misuse and diminishes user control over their data.
DPDPA on Behavioural Advertising
It is crucial for any business that engages in behavioural advertising methods to understand and implement the general data processing principles under the Digital Personal Data Protection Act (DPDPA) as well as provisions of the Act that specifically address behavioural advertising.
- Consent Requirement: The DPDPA emphasises obtaining user consent for data processing in behavioural advertising. Users must be informed about the data collected, its purpose, and usage. Consent must be free, specific, informed, unconditional, unambiguous, and given through clear affirmative action.
- Data Minimisation: The DPDPA mandates data minimisation, requiring companies to collect only the personal data necessary for a specific purpose. Businesses must justify the need for data collection, rather than collecting and storing unnecessary information.
- Right of Data Principals: The DPDPA empowers individuals with rights over their data. If a company has your personal information, you have the right to access it, correct it, and even request its deletion. More importantly, you can withdraw your consent at any time, effectively stopping companies from using your data for targeted ads.
- Children’s data: Section 9(3) of the DPDPA expressly prohibits a data fiduciary from tracking or monitoring the online behaviour of children for the purpose of behavioural advertising.
Conclusion
As behavioural advertising evolves, it brings significant privacy risks, including unauthorized data collection and misuse. The DPDPA provides a broad framework to address these concerns by emphasizing user consent, data minimization, and transparency. With strong protections for individuals, especially children, the DPDPA ensures businesses balance effective advertising with privacy. Adapting to these regulations is crucial for legal compliance and building user trust in a data-driven world.
News of the week
- CJEU Limits Meta’s Data Use
On 4th October 2024, the Court of Justice of the European Union (CJEU) ruled against Meta, significantly restricting Meta’s use of personal data for targeted advertising under GDPR’s “data minimization” principle. The ruling curbs Meta’s practice of processing data indefinitely, even with user consent. The court also clarified that public statements do not grant implicit permission to process unrelated sensitive data, reiterating the principle of “purpose limitation”.
CJEU: Meta must “minimise” use of personal data for ads (noyb.eu)
- Comcast Data Breach Exposes 237,000 Customers’ Personal Information
In February 2024, hackers targeted Financial Business and Consumer Solutions (FBCS), a former debt collection partner of Comcast, resulting in a breach of sensitive data from over 237,000 Comcast customers. The exposed data includes names, addresses, and Social Security numbers. Comcast, which has not used FBCS since 2020, was informed of the breach in July 2024. Affected customers are being notified and offered 12 months of free identity theft protection through CyEx Identity Defense Complete, along with credit monitoring and fraud protection guidance. The details of this breach were released on 8th October 2024.
- Texas Sues TikTok for Violation of Children’s Privacy
Texas Attorney General Ken Paxton has filed a lawsuit against TikTok, accusing the platform of violating state privacy laws by sharing children’s personal data without parental consent. The lawsuit seeks up to $10,000 per violation under the SCOPE Act, alleging TikTok fails to provide adequate tools for restricting children’s privacy and permits targeted advertising. Paxton calls for accountability in protecting minors online.
- Ryanair Faces EU-Wide Probe Over Facial Recognition Practices
Ireland’s Data Protection Commissioner has initiated an EU-wide investigation into Ryanair’s use of facial recognition technology for verifying customers booking through third-party websites or online travel agents (OTAs). Complaints arose from customers required to undergo additional identity verification, unlike those booking directly via Ryanair’s platform. Ryanair claims the process is necessary for security and customer protection, ensuring accurate details from online travel agents. The airline insists its procedures comply fully with the GDPR, offering non-biometric options as alternatives.
https://www.reuters.com/business/aerospace-defense/irish-privacy-regulator-probes-ryanairs-use-facial-recognition-2024-10-04/
- Mondelez and Bryan Cave Leighton Paisner Settlement Over 2023 Data Breach
Mondelez and Bryan Cave Leighton Paisner (BCLP) have agreed to a tentative $750,000 settlement to resolve a proposed class action lawsuit following a 2023 data breach that exposed sensitive information of 51,100 current and former Mondelez employees. The breach compromised names, Social Security numbers, dates of birth, and addresses. Both Mondelez and BCLP denied liability, but the settlement seeks to address claims of inadequate data protection. Plaintiffs’ lawyers can seek up to $250,000 in fees. The case follows a June dismissal of some claims by U.S. District Judge Jorge Alonso.
https://www.reuters.com/legal/litigation/mondelez-law-firm-bryan-cave-reach-deal-end-data-breach-class-action-2024-10-04/