Targeted Advertisements

This project aims at providing a brief overview of the concept of online targeted advertising, and its possible ramifications on the security, privacy of Internet users. Firstly, it defines ‘targeted advertisements’, and explains their operational methodology. Next, it analyzes if these advertisements are a breach of privacy, and the consequences of sharing of data with advertising companies. The project also looks at the legislative framework governing these advertisements in the United States, European Union, and India. It concludes by highlighting possible solutions to protect user privacy.


For the purpose of this project, it is essential to define what ‘targeted advertising’ entails. It is a means of placing ads based on demographics, the consumers’ purchase behaviour and history, their specific traits, interests, and preferences. The scope of this project is limited to online ads; hence, examples of online targeted advertising include social networking ads, search engine Ads, and behavioural ads.

Targeted advertising works by focusing on individuals, not Web sites. The tracking technology permits companies to target their ads towards website users, as they browse the Internet. Once a person views a product on any retail website, his browser submits this information to any third-party advertising network. Such information is stored in a browser cookie (a minute piece of code which allows ad networks or sites to share information about visitors’ viewing or purchase history; these cookies can be cleared periodically to erase records with ad networks). If that person later uses another website in the same advertising network, ads for the product the user viewed initially could show up, on the basis of information stored by the cookie. Such an ad is targeted to the user with the intention of luring him back to purchase the product.

These ads have the potential to follow the user across different devices. Suppose, if one shops for a dress on their laptop, they can get targeted ads for dresses on their smart phones, despite them never browsing for dresses on the device. Advertisers can identify someone by analyzing their location, browsing habits, as well as the types of sites they sign in to, like Facebook or Google. It is the claim of the advertisers that despite the collection and use of this data, they do not retain sensitive personal information on their files; however, it remains difficult to understand what exactly these big-data advertisers know.

Is Targeted Advertising a Breach of Privacy?

Online targeted advertising is viewed as an invasion of privacy.

It is essential to remember that all the information submitted to the Internet can be tracked – be it social media updates, search engine requests, or the websites one visits. Since it can be tracked, this information usually returns in the form of a targeted ad.

The more advertisers know about someone (such as their age, gender, income, religion, relationship status), the more they assume about their buying habits. They can target people geographically and behaviourally, depending on common interests or things they liked in social media, or what they wrote in emails or messages to friends.

Thus, instead of casting a wide net to search for potential customers, advertisers take whatever they can get, as they now are equipped with every intimate detail about those customers beforehand, which enables them to be able to sell anything.

This will be further clarified upon understanding the consequences of such advertising.

Consequences of Targeted Advertising

Considering that online targeted advertisements are a certain breach of privacy, this begs the question – why should we care about online privacy?

Most data companies maintain that tracking is anonymous and user identity is protected when they are browsing the Internet.[9] In addition to this illusion of anonymity, a common argument which occupies most privacy discussions is that ordinary people should have ‘nothing to hide’; if one commits illegal or immoral activities, they cannot have the right to keep it private.[10]

However, these arguments focus only on a narrow concept of privacy, viewing it as a form of concealment of bad things or secrecy, as opposed to personal data being collected, analyzed and used without consent, or knowledge, as a problem in itself.[11]

Further, such form of targeted advertising fails to serve the public, as well as advertisers. It facilitates monopolization, as those possessing the biggest data troves receive all the ad money. This concentrates the potential, magnitude of abuse, with such data being used to discriminate against groups, steer vulnerable sections to financial scams, and even meddle in U.S. elections.

For instance, advertisers armed with such data can make sure that housing or employment advertisements do not reach African-Americans or Hispanics or Asians, thus discriminating on the basis of race.[13] Sham companies can deploy targeted ads to locate users prone to believing their pitches.

Such capture and storage of personal information means creation of a target, which is prone to data harvesting and breaches. Companies luring advertisers want to expand their data troves; Facebook and Google collect this data mainly as a resource for advertisers.[15]

It remains unclear if the benefits of targeted ads for consumers outweigh the privacy risks and downsides of mass data collection. Further, it is certain that targeting is not good for media companies getting top dollars for access to their audience.[16]

Logically, there isn’t much wrong with media companies sampling their audiences for determining the average income or age or voting preferences, considering market research is necessary for advertising. However, what is problematic is building specific profiles of individuals, copying their information, and distributing it for advertiser usage. Moreover, the government cannot enforce what it cannot see, so these abuses occur far under their radar.[17]

Violations of privacy may potentially and actually cause negative tangible impacts on people’s lives from various perspectives, rather than merely provoking feelings of unease. Hence, such a surveillance economy should not survive.

Legislative Framework Governing Targeted Advertisements

United States (‘US’) Legislation

Privacy concerns have long drawn significant attention from legislative bodies.[18] The US government has the right to regulate advertising, and even limit it. The Federal Trade Commission (‘FTC’) monitors advertising and marketing, for prohibiting unfair or deceptive practices and enforcing truth-in-advertising laws.[19]

Since the last decade, the FTC has issued multiple reports and has urged for legislation to enhance user online privacy.[20] Although several acts have proposed giving rights to the FTC to bring law enforcement against tracking companies, these rights have been narrowly restricted to only ‘unfair’ and ‘deceptive’ actions, i.e., when companies fail to keep their promises to users.[21]

FTC has a set of recommended principles for behavioural targeting.[22] These policies can be summed up to themes of – transparency and consumer control (websites have to disclose to customers the type of data collected by them, and its usage; consumers also should have the choice to opt out of data collection), data security (companies can retain user data only if they have legitimate business purposes, and can prevent misuse of information), consent for policy changes (notifying users in advance in case companies decides to change its information policy), consent for sensitive data (companies have to obtain prior consent from users for collecting sensitive personal information such as data about children, health and personal finances).[23]

Further, as of May 1, 2011, the FTC has issued 32 legal actions against organizations violating consumers’ privacy rights, or misleading them by not maintaining the security of sensitive consumer information.[24]

European Union (‘EU’) Legislation

From May 2018 onwards, the EU enforced a law giving internet users more privacy, by providing them with the choice if they want to visit a website after first disclosing that all the cookie data collected and shared by each website.[25] Websites are required to get each user’s consent before storing any visitor information, and the user can see all the data collected by websites visited by them; then, they can have the right to refuse the use of these cookies.[26]

The General Data Protection Regulation (‘GDPR’) is designed to protect personal information by mandating websites to seek consent to use personal data, among other measures. It poses a challenge to those groups as they all require consent to use the data.[27]

Web browsers such as Chrome, Safari, Mozilla Firefox, and Internet Explorer must ‘offer the option’ to “prevent sites that use third party cookies from storing information on the equipment or URL of the person visiting a OR from using information already stored about that person.[28]

The browser has to inform users of its cookie use (both privacy setting options and risks), and it should necessarily have features requiring browser users to select a cookie setting before continuing. In case a browser is already installed on a device before GDPR takes effect, the browser software must comply by August 25, 2018. This helps in taking the onus off of website owners.[29]

Due to this, some ad tech groups are pulling out of Europe, because they did not know how GDPR would be applied. Such uncertainty wouldn’t change till the GDPR application in specific cases.[30]

However, companies with deep pockets can ensure compliance, throwing their engineers and lawyers at the problem and reassuring brands at a time of uncertainty.

Google and Facebook will benefited irrespective, as their loyal customers are more likely to give consent to carry on using these sites, thus allowing them to continue collection, analyzing, and studying vast amounts of GDPR-compliant data and information that advertisers will pay to use.[31]

Even big publishers such as newspapers are also more likely to keep their readers, as they eventually charge advertisers more for online slots in the knowledge they are compliant with the new EU rules. They understand that if consumers feel confident that their data is being protected, and can figure how it is being used and it is done with permission, it is ultimately a good thing for their clients and them.[32]

However, despite this, Facebook lost about 1 million European of its monthly active users after GDPR, and it said that a desire by some users to avoid targeted ads is likely to lead to a modest revenue hit. Further, in response to GDPR, it has asked advertisers to certify that they have the proper consent to use any data from third-party brokers, potentially relieving itself of some liability.[33]

Even Google mandates publishers to secure consent when using its ad products on their properties. Marketers and partners also need to now use more of Google’s own services. It has also stopped providing easy access to lists that helped companies evaluate the success of their ads by showing which users clicked on them. Advertisers must now use Google’s Ads Data Hub application to measure the effectiveness of campaigns.[34]

It is unclear how long the initial impact of GDPR will last; this is because many consumers – tired of the constant permission pop ups – are just giving consent to access sites. Prosecutors are also yet to bring any cases for data breaches.[35]

However, the GDPR has ramped up the speed of change in what has been such a fragmented industry. This dramatically changes internet advertising across the web, as everyone now recognizes the consumer’s desire for transparency with how websites share their personal data. Sites failing to comply with the GDPR will be fined by the Information Commission’s Office in the UK.[36]

Indian Legislation

Presently, India does not have any express legislation governing data protection or privacy, except for the pending Personal Data Protection Bill, 2018. This project shall not delve into a deeper analysis of the provisions of this Bill, with respect to online targeted advertisements.

However, the relevant laws in India that deal with data protection are the Information Technology Act, 2000 and the (Indian) Contract Act, 1872. The former deals with the issues relating to payment of compensation, as well as punishment in case of wrongful disclosure, misuse, and violation of contractual terms, in respect of personal data.[37]

Moreover, India has a self-regulatory, non-government sanctioned body dealing with both online and other forms of advertising – the Advertising Standards Council of India (‘ASCI’).[38] The role and function of the ASCI is to deal with complaints received from consumers and industry against advertisements that are considered as false, misleading, indecent, illegal, leading to unsafe practices or unfair to competition and in contravention to the Advertising Code, laid down by the ASCI.[39]

However, both the ASCI Advertising Code and the aforementioned legislations have clear guidelines regarding online targeted advertisements in India, and their impact on the privacy of Indian citizens.


Dealing with Status Quo – Possible Solutions

Addressing privacy problems poses multidisciplinary challenges from both technical and economic points of view. Two main technical challenges are highlighted:[40]

  • Detecting privacy leaks in targeted advertising: Laws and regulations have been increasingly empowering privacy watchdogs with audit and law enforcement rights, in order to prevent trackers from abusing user sensitive data. Unfortunately, data held by these trackers may intentionally or accidentally be leaked to other entities through their business practices. Such data leakage can significantly enlarge the risk window to user privacy and obstruct the enforcement of accountability. Since ad technologies are evolving quickly, there needs to be constant effort to study and remedy privacy flaws in these technologies.
  • Privacy-preserving targeted advertising: Since detecting (and fixing) privacy problems in targeted advertising are necessary, it can only be considered a form of short-term approach. Enhancing user privacy needs a privacy-by-design long-term solution to protect user privacy by modes of prevention rather than cure. A possible direction is by designing a targeted advertising system that does not rely on tracking.

Keeping the above in mind, in order to stop these ads, or have more control over one’s online information, is to remember that nothing one does online is private.[41]

Once can use the private browsing or incognito mode; however, this method is not foolproof in blocking targeted ads, as advertisers can still track one using their search engine history and social media information. If one simply wants to stop seeing ads, they can download an ad blocker for their web browser, which ideally gets rid of most of them.[42]

Moreover, to prevent advertisers from tracking one’s information altogether, one can delete their cookies and ask websites not to track them, in their privacy settings. They can also visit opt-out sites and request that participating ad agencies must tracking their information.[43]

Most importantly, one can limit the amount of information shared on their social media, which gives advertisers less to learn about them.[44]

As a more drastic measure, these advertisements should be banned. All individually targeted ads should be disallowed, with large fines or even removal from the public airwaves for repeated violations. Nothing that is tied to a user’s identity should be used to serve them a particular message. Companies would have to necessarily make all ads on its networks publicly viewable and searchable, so regulators can oversee them properly.[45]

Such a ban would remove all the financial incentive to collect data and spy on users. Still, companies might continue doing it, to understand what keeps users on their sites. But competitors can overcome that by delivering users compelling and useful content, which may actually become important again.[46]

Consent is too much of a burden on users. The US could impose an opt-out of data collection, as the case is in the EU, but it could potentially be a paid product, which creates a two-tiered divide on a service fundamental to modern life.[47] The US could also change nothing, and levy fines after commission of breaches, to affect corporate behaviour; however, penalizing measures are hardly a deterrent.[48] Tech platforms could also be made legally responsible to act in the best interests of users, or creating nonprofit web 2.0 alternatives. However, the easiest way to eliminate this menace is to ban targeted ads altogether.[49]

This proposal implies a loss of jobs of people working at ad companies and tech firms. But, it is imperative to remember that the tech-platform giants have been the main beneficiaries of the surveillance economy, and their earnings have been skyrocketing since the moment they unleashed the power of mass spying.[50] Even without personalized ads, Facebook would continue having an audience of two billion users. Google, even without its personalized ads, would still host billions of searches daily on their website. This can surely be translated into profit.

Further, ensuring the profitability of tech companies is not the government’s concern; protecting the public is.[51] Hence, the governments of most nations must take stringent measures to ensure the internet security, as well as data protection of their citizens.