By: Ankita Biswas and Lavanya Jha
Technological advancements and the increasing access to the internet has ascribed value to information and thereby, the value of profits. There has been an increase in a mode of advertising known as targeted advertising. Services employing targeted advertising offer customised user campaigns by first – sending a ‘notice and consent’ form and second – tracking and profiling the user data.
Facebook generates a large chunk of its revenue from advertisement alone, and this increased invasion of user data will help Facebook improve its targeted advertisements visible on its platforms – Facebook and Instagram.
The debate around the legitimacy of this form of advertising has been largely contentious. This is because traditional legal principles have failed to evolve at the same pace as the growth of digital markets. Therefore, while most popular businesses have adopted this model of advertising, its legality is still unclear.
Without conflating the two, at the outset it is clarified that targeted advertisements work on the user information gathered by the AI-based services. WhatsApp offers a platform for mining user information, which is then used for tailoring the targeted advertisements on other social media platforms owned by Facebook.
THE PROCESS OF TARGETED ADVERTISING
1. Notice and consent
This is aggravated by the fact that in India, a large number of people might not be in a position to understand and comprehend the vague and technical terms used in these notices and consent to it.
Secondly, it can be argued that in the event of breach of privacy in order to claim damages under S.43 of the Information Technology Act, the burden of proof which lies upon the afflicted individuals is unjust. This is primarily because practically the organization having a greater proof of record and information in comparison to the individual should be the one to bear the burden of proof.
2. Collection of user data
Upon obtaining the consent from the user, user data is collected in two ways, by means of ‘tracking cookies’ and by hardware-based collection systems. In the first model, when the user visits a particular website, few lines of code are dropped on the user’s browser, known as ‘tracing cookies’. These cookies record the user’s activities and report it to the targeting software. The second model employed tracks the user’s activities on their phone/computer. Every activity for example – the items searched, websites accessed, information about places visited, etc. is stored. The combined metadata is used to estimate the behavioural and demographic attributes of each user.
The information collected by publishers and the cookies are sent to ‘supply side platforms’ (SSP), who operate parallel to the ad exchanges to connect the users/consumers with the advertisers. The information is incorporated by SSPs into what is known as a bid request – which is broadcast to the advertisers who compete with each other to land ‘impressions’ on the targeted individuals in an almost instantaneous auction mechanism where every individual user’s information is sold to these advertisers.
For an advertiser looking for an ideal ‘target’, the more information they have about a user, the greater the price they are willing to pay to an ad exchange for placing an ad, or an ‘impression’ on the user. Thus, the supply side of the advertising ecosystem therefore has an incentive to collect as much information about individuals and ultimately profile them for the purposes of selling to advertisers.
CONCERNS UNDERLYING TARGETED ADVERTISING
A. Lack of healthy competition
The European Commission clearly defined the objective of the Competition Act in the case of Intel Corp v European Commission, where it said that in order to prove anti-competitive practice by a dominant firm two criteria needs to be proved – whether the firm is capable of excluding rivals and whether it is liable to reduce consumer welfare.
This accumulation of user data brings to fore the concern that individuals lose the right to their own data identities. It also highlights the concern that the more data a dominant form accumulates the more it entrenches its dominant position in the market. This creates a vicious cycle where the more data a firm collects and analyses, the better its products are and more users are attracted to it, leading to more collection of their data.
In a 2016 paper titled Privacy and Competitiveness, it was understood that there is a close link between the dominance of the company, its data collection processes and the competition from relevant markets which could justify the consideration of privacy policies and the regulations in competition proceedings.
B. Harm to consumer welfare
In India specifically, the Competition Commission of India (‘CCI’), has not relied on these aspects of consumer harm to hold such social media giants responsible for abuse of dominance under Section 4(1) of the Competition Act, 2002. In this regard, the approach of CCI should be that a tech giant which is in a dominant position has special responsibility to protect the consumer from harm as it has previously observed in the Google ‘Search Bias’ case. Further, as per CCI’s report, abuse of dominance can take the form of lowering privacy protections. This consequently would pose a harm to consumer welfare, as lower standard of privacy falls under the ambit of antitrust.
IMPACT OF DATA PRIVACY REGIME ON TARGETED ADVERTISING
The Bill has been drafted in similar lines to the GDPR. It identifies the users as ‘data principals; and ‘data fiduciaries’ (which includes social media intermediaries). The Bill introduces an element of consent which the data fiduciaries are bound to obtain from the principals while they move to store their information, and for processing it. While seeking this consent it is imperative that the principal knows what purpose the data will be used for as well with whom the data will be shared. For the latter – the fiduciary will need to acquire explicit consent of the data principal.
While this does not explicitly denote an impact on the phenomenon of targeted advertisements- it has an effect on the two major user data gathering processes the process of attaching cookies as well as gathering of demographic data. Upon implementation of the Bill, the principals will be informed of their said data being, stored and processed (the option for this is available in multiple languages) – and the users will have to consent to both these processes. This would serve to solve the two problems outlined above by lucidly explaining the diverse population in India about what they are consenting to. It will also help ease the burden of proving breach of privacy as individuals will now have information available to them in greater transparency.
It is natural that upon seeing the information (majority of which will be sensitive user data) the principal will choose not to consent to it. This could eventually lead to falling out of this phenomenon as observed from the judicial pronouncements in the EU, US and Norway on non-compliance with GDPR in reference to programmatic advertising – which have categorically targeted advertisements violate the European and national data protection law and that courts and governments should adhere to it.
CONCLUSION – THE WAY FORWARD
(Ankita and Lavanya are current law undergraduates at West Bengal National University of Juridical Sciences, Kolkata. They may be contacted via mail at firstname.lastname@example.org)