The French Data Protection Authority (CNIL) published on 5 February 2009 a targeted advertising report detailing the recent developments in the marketing sphere, the threats for the online privacy of individuals and the potential remedies.
There is nowadays three kinds of targeted advertising: the personalized advertising which is function of the features divulged by the individual himself, the contextual advertising which is function of the literal content of the webpages viewed by the individual and the behavioural advertising which is function of the observation of the individual’s online behaviour through time.
The way how online advertising companies build user profiles is twofold: either the profiles are based on the information given by the user when for instance he subscribes to a service (explicit profiles with personal data) or they are based on the observation of the users at a given moment or though a time lapse thanks to cookies (predictive profiles with anonymous data).
There is a market tendency to the convergence between the different advertising stakeholders, especially between the advertising suppliers (media owners/ publishers) and the content or services suppliers, as for instance the recent acquisition of DoubleClick by Google. So now, the advertising stakeholders can cross explicit and predictive profiles and benefit from a pool of precise data, in order to target the advertising. The threats for the online privacy of individuals are that:
announcers are going to be very interested in buying the data of such precise profiles which can be used to select customers or applicants (loan, health insurance, etc.), to recruit employees or to modulate prices,
more and more data and notably delicate data (health, political opinions, sexuality, etc.) are stored and computer systems can be hacked and the data stolen,
the individuals lack for information about the data which are collected and about the profiling mechanisms. Usually, they do not know that they can opt-out of receiving targeted advertising. Furthermore, this opt-out cookie has to be reinstalled each time the individual clear his browser’s cookies, and only deals with the use of the data for marketing purposes, not with their collection. In this respect, if the individual chooses to block cookies, he will have access to almost none of the Web services.
To find remedies to this very obscure situation, the CNIL recommended:
to adopt a wide definition of what is a personal data including IP address and to consider that since the content of an ad is targeted in function of a pre-definite profile, the personal data protection law should apply,
to clearly and fully inform the Internet users of the installation of cookies even if the collected data are not personal but anonymous, of the purposes of such an installation and of the way how they can oppose to it,
to encourage the adoption of codes of conduct and of good practice by the professionals and the application of the opt-in rule,
to increase the Internet users awareness of the means how to control and delete their Internet usage tracks,
to homologate the websites or the online advertising stakeholders which will comply with the data protection,
to distinguish tracking cookies from the other cookies in order to facilitate their control.
Targeted and behavioural advertising is booming. The means by which the individuals should be informed and the tools by which the protection of their rights should be insured, have to be found now.