Personalised advertising needs to be less personal

Personalised advertising has become a tightly focused subject in the field of data protection and consumer protection. Large, data-driven companies leverage their access to consumers’ information, tailoring advertisements and marketing, and selling them personalised goods and services. Companies often sell such information to third-party advertisers wishing to gain a competitive advantage within their markets. In the surveillance economy, personalised advertising has gained traction and has inevitably attracted data protection and antitrust concerns.

Personalised advertising is usually achieved through profiling, involving the collection of personal data to create a picture of an individual’s likes, dislikes, and associated behaviour. Advertisers use these profiles to anticipate consumer needs and market products through appropriate forums, such as social media and e-commerce platforms. Profiling involves the collection and processing of vast amounts of personal data, including browsing histories, health and financial backgrounds, search queries, and sexual orientation.

In the European Union, the General Data Protection Regulation restricts profiling and gives data subjects the right to object to the processing of their personal data for that purpose. The recent Digital Services Act requires companies to be transparent about the parameters they follow in displaying advertisements to users on online platforms. Recent judicial developments within the jurisdiction have scrutinised the way large companies obtain data to produce profiling and personalised advertisements. An investigation shows that companies often do not meet transparency and disclosure requirements. Individuals may not sufficiently know or notice the way their information facilitates profiling and personalised advertising. The extent of the processing of data to conduct such activities often exceeds the legitimate purposes for which the data were collected. Courts have recently directed companies to lower their transparency thresholds and meet legal disclosure requirements.

In India, data protection laws do not impose particular restrictions on the processing of personal data for direct marketing or advertising purposes. Advertisers have no compliance requirements to follow when employing targeted advertisements. This allows large companies to easily leverage their databases to push products and services. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules), require businesses to publish their data processing activities within privacy policies. That said, the SPDI rules do not require these policies to be clear or accessible, and individuals are often unaware of the extent to which their personal data is being used for marketing and advertising.

No comprehensive rules, including transparency requirements, regulate personalised and targeted advertisements from a data protection angle. Though related provisions such as consumer protection and antitrust regulations ensure the display of lawful advertisements, they do not deal with the protection of an individual’s privacy.

While consent is the only ground for the processing of certain classes of personal data under the SPDI rules, thresholds for compliance are low. People accepting fine-print privacy policies in legalese satisfy consent requirements. Most users are unaware of the profiling to which they have consented, and opt-out rights are often met with threats of denial of service, something not prohibited by law.

Regarding the most recent proposed data protection law, the Digital Personal Data Protection Bill, 2022 (DPDPB), defines profiling as “any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes, or interests of a data principal”. The DPDPB includes the processing of personal data outside India if the processing is in connection with the profiling of data subjects within the country. The DPDPB is far from its final form, and even when enacted many operational and compliance requirements will be governed by rules yet to be drafted. While the DPDPB does impose a blanket prohibition on tracking or behavioural monitoring of children, much of the legal landscape surrounding privacy and personalised advertising is yet to emerge.

Aadya Misra is a counsel and Vishnu Naduvakkad is an associate at Spice Route Legal.