By Pascale Gelly and Elisabeth Quillatre
Online targeted advertising: the CNIL reports
“You book a plane ticket to New York on the Internet. Two days later, while reading your newspaper online, you’re offered an attractive deal on a rental car in New York. This is not a mere coincidence: this is targeted advertising, as it is developing more and more on the Internet.”
So begins the CNIL report about online targeted advertising, which was presented to the commissioners in plenary session earlier this year and recently released publicly.
It’s a fact, most content providers and search engines allow Internet users access to a lot of information and entertainment, free of charge. But there is a price to pay at one time or another: data to feed the advertising business; advertising being the main source of income of the Internet.
IP addresses, Internet search keywords, browsing histories, registration data, social networking tidbits, visualized ads, and even e-mails’ content, you name it... Any information about Internet visits and visitors potentially is analyzed to determine what advertising will correspond best to them or to their profile.
The 30-page CNIL report aims to review the privacy risks associated with online targeted advertising and provide potential answers. It also serves to open a debate among authorities that could lead to improved business practices.
The report details the various types of online advertising—personalized (common type), contextual, or behavioural—and the distribution channels for advertisements, such as Web sites (content providers) or advertising agencies that deal with several Web sites and, therefore, have more opportunities to obtain a large amount of Internet users’ data.
The report educates readers on various user-tracking and profile-creation techniques, which rely on data provided by the Internet user, himself, or on demographic assumptions made about a user based on pages visited. It also describes the models of Amazon, Google, Facebook, Linked-In, Tacoda/ AOL, and Phorm.
Technological and economic changes in e-companies’ business models are a source of concern. More and more, companies, by diversification or acquisition (e.g. Yahoo and Google) are simultaneously content providers, service providers (Internet access, e-mail, search engine…) and advertising agencies, thus having the opportunity to aggregate data about users collected via different means.
Therefore, the concentration of actors and data sources is seen as a potential risk to privacy, in particular, as individuals do not realize the impact this may have on the processing of personal data. Exacerbating these risks is the fact the CNIL finds that opt-out mechanisms (e.g. opt-out cookies) do not work properly in practice.
If advertising agencies were to share data they collect with businesses such as banks, insurance companies, or recruiters, selections and assessments of consumers and candidates could be made based on assumptions about their health, finances, or other sensitive information, without individuals being fully aware of it. The authority views this as a real threat.
The report underlines the challenges online targeted advertising presents to data protection authorities.
The first key legal issue is to determine whether the processed data is “personal,” thereby triggering the application of data protection rules. To a large extent, the report refers to the G29 opinion on the notion of personal data. That group’s decision concluded that, if profile data such as age, gender, or location is linked to an identifier (IP address or identifier placed in a tracking cookie) that can be linked to an identified or identifiable individual, the data is “personal.” The CNIL rules out all attempts to claim that the data used for online advertising is anonymous.
Referring to the G29 opinion on search engines, the CNIL believes that European data protection laws should apply even if businesses are headquartered outside of the EU.
Once these interpretations are made, the main question to address is how individuals can be properly informed of the processing activities carried out to target them so they can exercise their opt-out or opt-in rights.
The CNIL stresses the need to debate about applicable law, data retention, and notices of profiling. It suggests the drafting of template notices and codes of good practices. In addition, the CNIL calls for better public sensitization on tools to let users control or disable tracking devices, and for the promotion of privacy-compliant tools and services via labelization.
This is clearly a first-stage report to show the authority’s intention to tackle the matter and to bring this sector of economy in line with European data protection principles.
French ISP sanctioned under Data Protection Act
The CNIL sanctioned Neuf-CI, one of the main Internet access providers in France, for lack of transparency in dealing with a customer access request. The company was reluctant to address the request, which was first rejected for “confidentiality and security reasons.” Later, the company agreed to provide the customer with her subscription data (name, contact details, bank details), but failed to provide her with data recorded in the customer databases (invoices, call numbers, dealings with the customer service department), even after an injunction from the CNIL.
The company claimed that the lacking response was due to the merger between Neuf-Cegetel and Club Internet, which created some disorganization. Still, the CNIL considered that a full response should have followed the customer’s request. It also noted that the company’s policies on personal data, which had been drafted a year earlier, were still at a draft stage. Sanction: 7000 Euros.
Pascale Gelly and Elisabeth Quillatre of the French law firm Cabinet Gelly can be reached at firstname.lastname@example.org.