Is Behavioral Advertising Compliant With Data Privacy Laws?

by Etienne Cussol CIPP/E, CIPM

December 20, 2023

In the world of digital marketing and advertising, one practice has become increasingly controversial — behavioral advertising.

The ability to track and target specific audiences has granted higher engagement and conversion rates. However, behavioral advertising’s reliance on tracking techniques raises privacy concerns from consumers and regulators.

Recent developments have intensified this debate, with the European Data Protection Board (EDPB) issuing a ban on Meta’s behavioral advertising practices. It’s a reminder that, without proper controls, this practice can be invasive of individuals’ privacy.

Below, I clarify how behavioral advertising works and how advertisers and marketers can compliantly rely on this technique.

Table of Contents
  1. What Is Behavioral Advertising?
  2. Is Behavioral Advertising Compliant With Data Privacy Laws?
  3. Recent Developments
  4. Summary

What Is Behavioral Advertising?

Behavioral advertising, also referred to as Online Behavioral Advertising (OBA) or interest-based advertising, relies on a person’s online behavior to serve targeted ads and tailor marketing messages.

Behavioral advertising relies on tracking technologies, such as cookies and web beacons, to collect information on a person’s browsing history, searches, and website activity.

The most common types of information collected on users for behavioral advertising include:

Behavioral Advertising and Inferences

Behavioral advertising also relies on inferences, a term for information derived from other sources.

For example, if I am searching in my browser for “Who to vote for during the US 2024 presidential election,” an inference about me would be that I am a US citizen.

Inferences play a big part in behavioral advertising, providing an in-depth understanding of online behavior.

Research as early as 2012 has demonstrated big advertisers’ ability to accurately infer information about their users’ interests, preferences, and even emotional states regarding advertising. Since then, the growing availability of data and computing power has only increased this capacity.

While inference data is not collected per se, it is considered personal information by data privacy regulations, like the CCPA and the GDPR.

Cross-Context Tracking

An important characteristic of behavioral advertising is that it relies on cross-context tracking — which refers to monitoring users’ online activities across websites, platforms, or devices.

Along with inferences, it allows advertisers and marketers to create a comprehensive profile of a user’s online behavior.

Cross-context tracking typically involves the use of:

  • Cookies
  • Web beacons
  • Device fingerprinting (i.e., using users’ device settings and browser information to identify them)

While it can provide benefits in terms of user experience and ad relevance, cross-context tracking also raises data privacy concerns because of the intrusiveness of these techniques.

Efforts to enhance online privacy and limit cross-context tracking have led to regulation changes, with the latest CPRA amendments to the CCPA giving consumers opt-out rights to cross-context behavioral advertising.

In 2018, the EU GDPR built on the requirements of the ePrivacy Directive, applying to the processing of personal data by cookies and to any other processing of personal data, and thus covering all forms of cross-context behavioral advertising.

Publishers, Advertisers, and Advertising Network Providers

Behavioral advertising is made possible through a complex network of different actors that can be summarized as follows:

  • Advertisers: Entities seeking to promote their products or services to specific target audiences.
  • Publishers: Operators of online content or services where third-party companies collect and use personal data for digital advertising or personalization.
  • Advertising network providers: As the primary facilitators of behavioral advertising, they establish connections between publishers and advertisers by selecting which ads to display on a publisher’s website.

Simply put, publishers own websites and generate revenue by selling advertising space on their online platforms.

Usually, ad selection is done via a bidding system called Real-Time Bidding, which uses the following information to determine which ad is most likely to result in a conversion (i.e., a click):

  • Advertisers’ audience target requirements
  • The publishers’ advertising space characteristics
  • The user’s online behavior

The process of delivering advertisements via advertising networks works as follows:

  • Step one: A publisher allocates space for displaying ads on their site and delegates the remaining advertising tasks to one or more advertising network providers.
  • Step two: These network providers are responsible for selecting and distributing ads to publishers in the most efficient way. The larger the advertising network, the more resources it has to monitor users and “track” their behavior.
  • Step three: The advertiser typically negotiates with one or more ad networks and will not necessarily know the identity of all publishers that distribute its ads.

Behavioral Advertising vs. Contextual Advertising

In contrast to behavioral advertising, contextual advertising is an approach that delivers ads relevant to the content a user is currently consuming or to the context of a webpage.

See an example of contextual advertising in the screenshot below of Termly’s G2 review page.

[Screenshot: Termly’s G2 review page]

G2’s Termly reviews page serves ads for products that are similar to Termly, so we can infer that the ad is based on the page’s context, not the user’s behavior.

However, demonstrating behavioral advertising is a bit more technical, as it’s essentially the opposite of contextual advertising.

For this example, I set up a ‘fake’ online behavior to try to generate specific ads by setting up my VPN connection in Spain and using my search engine to look for sports news.

Then, I visited the Time Magazine homepage and was served an ad related to Madrid’s famous football team in Spanish.

The screenshot below shows you the ad I was served.

[Screenshot: ad served on the Time Magazine homepage]

We can infer that at least my location and recent search queries were used to serve me this ad.

Is Behavioral Advertising Compliant With Data Privacy Laws?

You can use behavioral advertising in a way that complies with data privacy laws as long as you communicate properly with your users and provide them with the appropriate choices.

In the European Union

Let’s first consider the major data privacy laws from the European Union (EU) and see what they say about legally performing behavioral advertising.

The GDPR

To the extent that behavioral advertising involves the collection and use of personal data, the General Data Protection Regulation (GDPR) includes several provisions relevant to behavioral advertising.

Businesses seeking to use behavioral advertising would need to comply with the following GDPR guidelines:

  • Article 6: Processing of personal data is lawful only if it meets one of the legal bases defined by the GDPR. In a case involving Meta, however, the European Data Protection Board (EDPB) decided that ‘Legitimate Interest’ and ‘Fulfilment of a Contract’ cannot be used as a lawful basis for behavioral advertising. That leaves ‘Consent’ as the most likely basis, and it must follow all conditions described in Article 7.
  • Articles 13 and 14: Businesses must provide individuals with clear and transparent information about how they use personal data for behavioral advertising and inform individuals about the purposes of the processing and their rights regarding it.
  • Articles 15 to 21: Individuals have a range of rights, including the right to access personal data, rectify inaccuracies, request the erasure of personal data, and object to the processing of their data for direct marketing, which includes behavioral advertising to the extent that it leads to direct marketing.
  • Article 22: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Because behavioral advertising often involves profiling individuals based on their online behavior, the provisions of Article 22 apply.

It’s important to note that the principles in Article 5 of the GDPR on the processing of personal data apply to behavioral advertising, including:

  • Data minimization
  • Purpose limitation
  • Security

Organizations engaged in behavioral advertising within the European Union or targeting EU residents must comply with these GDPR requirements to ensure the lawful use of personal data for advertising purposes.

The ePrivacy Directive

Another regulation in the EU applies to behavioral advertising: the ePrivacy Directive of 2002, which focuses on privacy within electronic communications.

Specifically, Article 5(3) requires that a business obtains informed consent to lawfully store information or to gain access to information stored in the terminal equipment of a subscriber or user.

Since this is precisely how cookies work, the ePrivacy Directive is known as the Cookie Law.

In that regard, it applies to behavioral advertising because some cookies track users online and use that information to serve targeted ads.

In the US

Now, let’s discuss what U.S. state data privacy laws say about behavioral advertising.

California’s CCPA

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), defines cross-context behavioral advertising in Section 1798.140(k) as:

‘the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.’

Additionally, the CCPA’s definition of personal information includes:

‘… inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.’ 

As shown above, inference data are essential in behavioral advertising as they enable understanding a user’s behavior even with little information.

While the CCPA doesn’t have a specific provision dealing explicitly with behavioral advertising, it includes several guidelines relevant to the collection and use of personal information for behavioral advertising purposes:

  1. Section 1798.110 and 1798.115: Businesses must provide consumers with a notice about the categories of personal information they collect, disclose, sell, or share, the purposes for which they use the information, and the categories of third parties to whom personal information is disclosed, sold or shared, including information related to behavioral advertising.
  2. Section 1798.120: Consumers have the right to opt out of the sale and sharing of their personal information, which can include opting out of behavioral advertising purposes.

Other States

Similarly to California, other U.S. states have included provisions in their privacy laws that apply to behavioral advertising.

Specifically, the privacy laws that are in effect that provide consumers with the right to opt out of profiling and targeted advertising include the following:

  • Virginia’s Consumer Data Protection Act (VCDPA)
  • Connecticut’s Data Privacy Act (CTDPA)
  • Colorado’s Privacy Act (CPA)

These state laws also provide notice requirements that would apply to a business engaged in behavioral advertising.

Other states, like Texas, Utah, Montana, and Iowa, have also recently signed privacy laws with provisions applying to behavioral advertising.

While they have not yet entered into effect, they’re worth preparing for if your business operates in these states or meets their legal thresholds.

Recent Developments

Now, let’s explore some recent developments regarding privacy laws and how they impact behavioral advertising.

Meta and Behavioral Advertising in the EU

Meta’s behavioral advertising activities in the EU and European Economic Area (EEA) recently became the object of a ban by the European Data Protection Board (EDPB), Europe’s lead data protection authority.

While Meta’s quarrels with privacy in the EU are not new, this is most likely a turning point for behavioral advertising.

To understand this decision, let’s see how this situation came to this point.

2018 – 2022

Meta’s issues with EU/EEA regulatory authorities date back to 2018, when a consumer association in the field of privacy called NOYB (‘None of your business’) filed two complaints with European privacy authorities.

The complaints were that Meta, through Facebook and Instagram, relied on its Terms of Services to use personal data for behavioral advertising, not on consent.

The matter divided European data protection regulators as to whether this was a breach of GDPR, and after several years, the EDPB settled the dispute.

In December 2022, the EDPB confirmed that Meta could not rely on contracts with its users to use their personal data for behavioral advertising.

2023

Shortly afterward, in January 2023, the Irish data protection authority (responsible for Meta’s EU activities) fined the company 390 million euros, giving them three months to bring their operations into compliance with the GDPR and the EDPB’s decision.

In an attempt to stop relying on contracts without needing to request consent for behavioral advertising, Meta announced in March 2023 that it would instead rely on legitimate interest.

Legitimate interest is a lawful basis for processing personal data under the GDPR, giving companies the flexibility to use data when there’s no other way to reach the desired goal so long as individuals’ interests and rights don’t override the data collection.

Several EU regulators criticized this change, and in July 2023, the Court of Justice of the European Union (CJEU) ruled that Meta, in ‘an abuse of a dominant position,’ had infringed the GDPR.

The Norwegian data protection authority, Datatilsynet, was the first to act on this ruling and announced a three-month ban on Meta’s behavioral advertising in Norway from August 4 to November 3, 2023.

Finally, on October 27, 2023, the ban reached a far more consequential level for Meta when the EDPB permanently extended it to the entire EU/EEA.

Meta was forced to adopt a consent-based approach and rolled out an ad-free paid subscription version of Facebook and Instagram for its EU users this November — for €9.99 per month.

You can see what the pop-up looked like to EU users in the screenshot below, which a Reddit user posted in r/askIreland.

[Screenshot: Meta’s consent pop-up for EU Facebook and Instagram users]

The EU AI Act

EU institutions hope to finalize another important regulatory development that may impact behavioral advertising in the coming months: the European Union’s Artificial Intelligence Act (EU AI Act).

The EU AI Act is a formal regulation proposed by the European Commission to regulate and create a legal framework for using artificial intelligence.

It defines several levels of risks associated with AIs and requires that businesses using AI systems take appropriate measures depending on these risk levels.

With the development of AI to analyze patterns and make predictions on vast pools of data, it’s no surprise that one of its many applications has been for targeted advertising.

Tech giants like Google, Meta, and Amazon have implemented AI features as part of their advertising platforms.

While it’s too early to know the specifics, the EU AI Act coming into force would add new requirements to businesses using AI for behavioral advertising, which could include:

  • Notifying users that they are interacting with an AI system, for example when generative AI creates target-specific ads.
  • Providing transparent information to users about an AI system’s design, development, intended use, characteristics, capabilities, and limitations.
  • Enabling human oversight through interface tools, either built into the AI system or implementable by the user.

Summary

The evolution of behavioral advertising, pushed by social networks and boosted by the emergence of AI, has brought wider attention from the public and regulators.

In navigating this landscape, it becomes imperative for companies to understand the mechanics of behavioral advertising and adopt practices that align with data privacy regulations.

Striking a balance between effective advertising strategies and respecting individuals’ privacy is a legal requirement and a fundamental consideration for a business’s reputation.

Written by Etienne Cussol CIPP/E, CIPM

Etienne is an Information Privacy professional and compliance analyst for Termly. He has been with us since 2021, managing our own compliance with data protection laws and participating in our marketing research. His fields of expertise - and interest - include data protection (GDPR, ePrivacy Directive, CCPA), tracking technologies (third-party cookies, fingerprinting), and new forms of privacy management (GPC and the Google Privacy Sandbox). Etienne studied International Economic Affairs at the University of Toulouse, and graduated with a Masters in 2017.