By: Emily Gross
Have you ever felt like your phone was listening to you? Have you ever felt like certain ads were made just for you? This is not the result of actual eavesdropping, but rather it stems from the tracking of your online searches, purchases and location.
Behavioral advertising is a powerful tool that allows marketers and advertisers to develop highly relevant and personalized content. By analyzing users’ browsing habits, marketers create ads that resonate with the exact needs and desires of a specific user. Marketers leverage the wealth of personal data they collect to customize advertisements that prompt users to ask themselves questions such as “Are my devices spying on me?” or “Can my phone hear my thoughts?” While undeniably lucrative, behavioral advertising has come under ethical and legal scrutiny, particularly from the European Data Protection Board.
Recent European Data Protection Board Decision
On October 27, 2023, the European Data Protection Board issued a binding decision prohibiting Meta from processing personal data for “behavioral advertising on the legal basis of contract and legitimate interest across the entire European Economic Area.” The European Data Protection Board’s decision was issued to cement two previous court cases detailed below.
In January of 2023, Ireland’s Data Protection Commission (DPC) fined Meta Ireland €210 million and €180 million for breaches of the General Data Protection Regulation. The European Union’s General Data Protection Regulation (GDPR) has been said to be “the toughest privacy and security law in the world.”
Article 6 of the GDPR details the situations where data processing can be done legally. Prior to 2018 and pursuant to Article 6(1)(a) of the GDPR, Meta Ireland relied on user consent to collect personal data; however, in 2018, Meta Ireland changed its terms and conditions, thus changing the legal basis on which it relied to process users’ personal data. Now, Meta Ireland sought to collect data under Article 6(1)(b) of the GDPR, which states that processing of personal data is lawful if it “is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” In the end, the DPC found that Meta Ireland could not rely on this “contract” legal basis.
Subsequently, in September of 2023, an Oslo District Court imposed a temporary ban on the collecting of personal data for use in behavioral marketing by Meta Ireland and Facebook Norway on the same basis as the DPC’s decision. Ultimately, the European Data Protection Board’s decision extended the DPC’s and Oslo District Court’s decisions to the entire European Union.
These decisions highlight the European Union’s dedication to consumer protection as codified in Article 5(1)(a) of the GDPR which “enshrines the principle that users’ personal data must be processed lawfully, fairly and in a transparent manner.” As such, it is no surprise that in reference to its recent decision the European Data Protection Board stated that its purpose was to protect the privacy of Meta’s 250 million users in the region. This begs the question: What is the data privacy regulatory landscape in the United States?
Current United States Regulation
Unlike the European Union, with its General Data Protection Regulation, the United States lacks general federal legislation governing the collection of personal data by corporations. Instead, the United States has a nuanced approach to data protection consisting of sector-specific regulations. For example, the Gramm-Leach-Bliley Act relates to personal data specifically handled by banks and insurance companies.
The United States federal government does, however, empower the Federal Trade Commission (FTC) to bring enforcement actions to protect consumers from deceptive trade practices. While the FTC has been involved with the oversight of online behavioral advertising for more than 20 years, it has not promulgated binding regulations on this topic.
In 2007, the FTC published a set of principles aimed at helping online advertisers self-regulate. The principles “call for companies to obtain affirmative express consent from consumers before they use data in a manner that is materially different than promised at the time of collection and before they collect and use ‘sensitive’ consumer data for behavioral advertising.” Then, in 2011, two bills were introduced that would give the FTC the power to develop rules surrounding online behavioral advertising. Neither bill was passed. The absence of a comprehensive federal regulatory framework has resulted in a patchwork of state-level regulations with varying degrees of protection.
What’s Next?
The current international regulatory landscape of data protection and online behavioral advertising illustrates the tension between corporate goals and ethical considerations concerning personal privacy. The European Data Protection Board’s decision to restrict Meta’s ability to collect and use personal data for targeted advertisements underscores the global concern for individual privacy rights. As technology continues to evolve, it becomes imperative for the United States to evolve its legal framework to put consumer protection above corporate profits.