Online Behavioral Advertising

By Kristof Van Quathem and Anna Sophia Oberschelp de Meneses 

Exactly one month after the GDPR started applying, the French Supervisory Authority (“CNIL”) issued a formal warning to two companies in relation to their processing of localization data for targeted advertising (see here).  The CNIL found that the consent on which both companies relied did not comply with the General Data Protection Regulation (“GDPR”).  The CNIL also concluded that one of the companies was keeping geolocation data for longer than necessary.

Fidzup and Teemo offer a tool (“SDK-tool”) that allows their customers, mobile app operators, to collect geolocation data and to use this data to provide customized advertising to their app users.  The two companies create profiles on the app users based on the users’ visits to certain points of interests identified by the customers, such as the physical stores of the customer (or of competitors).  They then provide advertising in the form of pop-ups to the app users.  Once a user downloaded a customer’s app, geolocation data is collected, irrespective of whether the app is running, and combined with other data collected about the app user, such as, an advertising ID and technical information about the device (e.g., MAC address).  Both companies relied on user consent obtained by the app operator to process the personal data they collected.  The agreements with Fidzup and Teemo required their customers to inform app users about the targeted advertising activities enabled by the SDK-tool and to obtain the app users’ consent.

The CNIL concluded that the consent obtained did not meet the requirements of the GDPR.  Under the GDPR consent must be “freely given, specific, informed and unambiguous”.  According to CNIL, the consent obtained did not meet any of these requirements.
Continue Reading French Supervisory Authority Issues 2 GDPR Warnings

The Digital Advertising Alliance (DAA), a consortium of the nation’s largest media and marketing associations that has established self-regulatory standards for online behavioral advertising, announced on October 13 that the Council of Better Business Bureaus and the Direct Marketing Association will begin enforcement of the Application of the DAA Principles of Transparency and Control to

As announced last week, the European Data Protection Supervisor (“EDPS”) released on September 23, 2016 an opinion on “coherent enforcement of fundamental rights in the age of big data.”  This opinion follows an earlier Preliminary Opinion on privacy and competitiveness in the age of big data, published in 2004 (see our previous blog post here).

According to the EDPS, data-driven technologies and services are important for economic growth, but the users of those services are generally unaware of the nature and extent of the “covert tracking”  that fuels the sector.  The growing imbalance between consumers and service providers would diminish choice and innovation and threaten the privacy of individuals.  In fact, the rights of individuals enshrined in the EU Charter of Fundamental Rights would be threatened by “normative behavior and standards that now prevail in cyberspace.”    At the same time, EU rules on data protection, consumer protection, and antitrust and merger control are applied in silos, despite their common objectives.
Continue Reading EDPS Issues Opinion on Big Data and Enforcement

The FTC’s cross-device tracking workshop on Monday focused on the benefits and challenges of cross-device tracking.  FTC Chairwoman Edith Ramirez emphasized that regardless of the specific technology employed, companies should continue working to address issues of transparency, notice, and choice in this area.  She also highlighted the self-regulatory efforts of the advertising industry on cross-device

The FTC has announced the final agenda for its November 16 cross-device tracking workshop.  According to today’s press release, the workshop “will examine the practice of collecting data through these devices and the potential wide-ranging effects on consumer privacy.”

Opening remarks will be provided by FTC Chairwoman Edith Ramirez, followed by a presentation from Justin

The Federal Trade Commission will hold a workshop on November 16 to address cross-device tracking.  The FTC’s announcement highlights two forms of cross-device tracking: “deterministic” tracking, which requires that a user log in to the same service across multiple devices, and “probabilistic” tracking, which collects data about users to create a digital fingerprint that links

The Digital Advertising Alliance (DAA), a consortium of the nation’s largest media and marketing associations that has established self-regulatory standards for online behavioral advertising, announced on May 7 that the Council of Better Business Bureaus and the Direct Marketing Association will begin enforcement of the Application of Self-Regulatory Principles to the Mobile Environment (DAA Mobile

The Online Internet-Based Advertising Accountability Program issued five decisions in November enforcing the Digital Advertising Alliance’s Self-Regulatory Principles for Online Behavioral Advertising.  The Accountability Program’s first two decisions, issued November 18 against BMW of North America and Scottrade, addressed those companies’ failure to provide notice of third-party data collection on their websites.  On November 20, the Accountability Program issued three more decisions stemming from a recent online behavioral advertising campaign by personal genomics and biotechnology company 23andMe.Continue Reading OBA Accountability Program: A Recap of What Happened in November

Earlier this week, the organization that enforces the Digital Advertising Alliance’s Self-Regulatory Principles for Online Behavioral Advertising issued a “Compliance Warning” to website operators, advising them to provide “enhanced notice” on every web page where data is being collected or used for online behavioral advertising (“OBA”) by January 1, 2014

The DAA

The last two weeks have brought two important decisions in the ongoing litigation over behavioral advertising firm NebuAd’s alleged use of a device to intercept data from ISP networks. Several ISPs allegedly permitted NebuAd to install an “appliance” on their networks in order to collect and analyze subscriber data for ad targeting purposes.  In lawsuits that began to be filed in 2008, plaintiffs have alleged that NebuAd–and the ISPs with which it allegedly partnered– violated Title I of the Electronic Communications Privacy Act (i.e., the Wiretap Act) as well as other federal and state laws.  Plaintiffs have sued the ISPs in separate suits around the country.  Two of these suits–against ISPs Embarq and WideOpen West (“WOW”)–yielded decisions in favor of the ISPs last week. Continue Reading Two New Decisions on the Wiretap Act and Secondary Liability