I. Introduction

In the past decade, the advertising industry has seen the evolution of advertising technologies, or “adtech”, that have streamlined and optimised the process of delivering, targeting, and displaying advertisements online. Adtech encompasses a wide range of tools, platforms, and technologies that advertisers and marketers use to plan, execute, and analyse advertising campaigns. Adtech also plays a crucial role in managing and optimising the delivery of advertising impressions.

This note provides a detailed overview of the privacy concerns faced by the adtech industry. It delves into the regulatory landscape of the adtech industry in India and examines the approaches taken by regulatory authorities worldwide in addressing adtech regulation.

II. Tools used to enable targeted advertising

Adtech players use several tools to track an individual’s activity across the web, mobile apps, and devices. These tools collect and process large volumes of personal data that provide business insights about the individual’s interests, habits, preferences, dispositions, sexual orientation, and more such attributes, and thereby enable “profiling” of the individual. These profiles are then used by advertisers to predict consumer wants and promote products on relevant spaces, like social media and e-commerce sites, for personalised advertising.

Some examples of tracking tools that enable profiling include:

  1. Cookies – Cookies are small data files stored on a user’s computer or browser that remember their preferences and can be accessed by the website, the user, or in some cases by a third party. Cookies can be used to track user behaviour on a website, such as what pages they visit and what items they add to their cart.
  2. Pixels – Pixels are small invisible images that are added to a web page and contain a link to an external server. When a user views an advertisement or interacts with an email or website, their browser downloads the pixel, which sends information to the external server about the user’s behaviour.
  3. Device Fingerprints – Device fingerprinting is a method used to uniquely identify a device by collecting and analysing data about its hardware and software configuration such as the device’s operating system, browser version, installed fonts and plugins, screen resolution, and other attributes. This information is then used to create a unique identifier, or “fingerprint,” for the device.
  4. Device Graphs – A device graph is a database that links multiple devices to a single user. This can be done by collecting data from different devices and linking them based on common identifiers such as IP addresses or login credentials.
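The tracking pixels described above can be audited for before a consent banner is designed. The following example is added here and is not part of the original note: it scans a page’s HTML for `<img>` elements that are tiny (1x1 or 0x0) or hidden and reports whether each one calls an external (third-party) host. The HTML sample and host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS fragments that commonly hide a beacon image.
HIDDEN_STYLES = ("display:none", "visibility:hidden", "width:1px", "height:1px")


class PixelFinder(HTMLParser):
    """Collects <img> tags that look like tracking pixels: 1x1/0x0 or hidden."""

    def __init__(self, first_party_host):
        super().__init__()
        host = first_party_host.lower()
        # Drop a leading "www." so sub-domains of the site count as first party.
        self.site = host[4:] if host.startswith("www.") else host
        self.hits = []

    def handle_startendtag(self, tag, attrs):  # handles the <img ... /> form
        self.handle_starttag(tag, attrs)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
        hidden = any(s in style for s in HIDDEN_STYLES)
        if not (tiny or hidden):
            return
        # A relative src has no hostname and is therefore first party.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        third_party = bool(host) and host != self.site and not host.endswith("." + self.site)
        self.hits.append({"src": a.get("src", ""), "host": host or self.site,
                          "reason": "tiny" if tiny else "hidden", "third_party": third_party})


def find_tracking_pixels(html, first_party_host):
    """Return a list of suspected pixel beacons found in the HTML string."""
    parser = PixelFinder(first_party_host)
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample page: one logo, one hero image and three pixel-style beacons.
SAMPLE_HTML = """<html><body>
<img src="/img/logo.png" width="200" height="60" alt="logo">
<img src="https://t.example-ads.test/p.gif?u=abc" width="1" height="1">
<img src="//pixel.tracker.test/i" style="display: none">
<img src="https://cdn.example.test/hero.jpg">
<img src="https://pixel.example.test/beacon.gif" height="1" width="1" />
</body></html>"""

if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_HTML, "www.example.test"):
        print(hit)
```

Beacons that resolve to a first-party host are still reported, since the ePrivacy consent requirement discussed below attaches to the tracking purpose, not to who hosts the image.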

III. Current Data Protection Laws in India: Legal Framework

The legal framework governing the advertising industry in India is still evolving. At present, India’s data protection regime arises out of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) issued under the aegis of the Information Technology Act, 2000 (“IT Act”).

The SPDI Rules provide for consent as the primary ground for processing personal data. Existing legal standards (a) require written consent or electronic opt-ins for the processing of sensitive personal data or information, a subcategory of personal data that includes passwords, financial information, health information, details relating to sexual orientation, and biometric information, and (b) do not require consent for the processing of other types of personal data. In line with judicial precedents on the right to privacy, market practice has generally evolved to seek consent for all types of personal data, not just sensitive personal data or information. The consent criteria under the SPDI Rules are satisfied by the acceptance of privacy policies.

The Advertising Standards Council of India (“ASCI”), a self-regulatory body in the advertising sector, has laid down a self-regulatory code known as the Code for Self-Regulation of Advertising Content in India (“Code”). However, the Code applies only to members of the ASCI and regulates the content of advertisements. It does not address the data protection and privacy risks posed by adtech.

Thus, from a data protection perspective, personalised and targeted advertisements are not strictly regulated in India at present.

IV. Global Regulation of the Adtech Industry

European Union

The General Data Protection Regulation (“GDPR”) in the European Union limits profiling and grants data subjects the right to object to the use of their personal data for such purposes. The GDPR requires human involvement where decisions are based solely on automated processing.

The Directive 2002/58/EC on privacy and electronic communications by the European Parliament and Council, also known as the ePrivacy Directive, regulates the use of cookies and other tracking technologies on websites. It requires that a website obtain a user’s consent before storing cookies in the user’s browser, except for strictly necessary cookies.

The recently enacted Digital Services Act (“DSA”) mandates that businesses disclose how their algorithms work when presenting advertisements to users on digital platforms. The DSA bans advertising targeted at children, and imposes certain key obligations applicable to all intermediary services, including transparency reporting, publication of terms and conditions, and internal complaint-handling systems.

United Kingdom

In the United Kingdom (“UK”), the Data Protection Act, 2018 (“DPA”) and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also known as the “UK GDPR”, constitute the primary data protection framework. Together with the Privacy and Electronic Communications Regulations, 2003 (collectively, “UK data protection laws”), they regulate the use of personal data for profiling and automated processing. The Information Commissioner’s Office (“ICO”) has issued guidance on the use of cookies and other tracking technologies, emphasising the need to clearly explain to the user what each cookie does, and to collect informed consent before placing cookies on the user’s device.

In 2019, the ICO began regulating the adtech industry after identifying serious privacy risks concerning real-time bidding and the usage of cookies and similar technologies. It asked the industry to review and modify personal data processing practices.

In 2021, the ICO issued an opinion titled “Data protection and privacy expectations for online advertising proposals”. The ICO’s opinion sets out several aims for regulating the use of personal data in the adtech space and highlights areas of data protection that it expects organisations to consider while making proposals for new online advertising technologies.

United States of America

The USA lacks a comprehensive federal data protection law. Some states have enacted their own privacy laws, such as the California Consumer Privacy Act (“CCPA”), the Colorado Privacy Act, and the Utah Consumer Privacy Act.

No state law regulates the advertising industry in particular, but certain states provide consumers with the right to opt out of the sale or sharing of their personal data. These rights are enforceable against adtech companies. If exercised, the company would have to cease to share the individual’s data with other players in the adtech chain.

Singapore

The Personal Data Protection Act, 2012 (“PDPA”) establishes a “Do Not Call” (“DNC”) Registry. The PDPA regulates the obligations of organisations relating to the sending of certain advertising and marketing messages to Singapore telephone numbers over phone calls or text messages, as well as by fax. Individuals may subscribe to the DNC registry if they wish to cease receiving marketing communication through any of these modes.

An organisation that contravenes the DNC provisions of the PDPA is liable to be punished with a civil penalty of up to SGD 1 million (~ INR 6 Crore). The PDPA has issued fines and warnings to registered salespersons for sending telemarketing messages to individuals who were enrolled on the DNC registry, which constituted a violation of section 43(1) of the PDPA. This section requires a person to check the DNC registry and confirm that the relevant phone number is not listed in it prior to sending telemarketing communication to the intended recipient.

The PDPA has in the past fined advertising companies for failure to implement reasonable security measures to protect individuals’ personal data collected from an advertising campaign and failure to cease retention of such data when it was no longer required, an infraction that ultimately resulted in the company’s database being breached and personal data being made freely accessible over the internet.

V. Challenges Posed by the Upcoming Data Protection Law in India

On 11 August 2023, the Indian Parliament passed the Digital Personal Data Protection Act, 2023 (“DPDPA”). The DPDPA is not yet in effect but is expected to come into force in a phased manner over the next few months. Once in effect, the DPDPA will repeal the SPDI Rules.

The DPDPA requires data fiduciaries to identify appropriate grounds for processing personal data, provide privacy notices or consent requests where necessary, implement security measures, comply with the exercise of rights by data principals, appoint grievance redressal officers or data protection officers, and engage data processors only under contract where such processors provide goods and services in India.

The DPDPA imposes enhanced obligations on data fiduciaries with respect to the processing of children’s personal data. Entities in the adtech industry should note that data fiduciaries are prohibited from tracking, monitoring, and targeting advertisements aimed at children. However, the DPDPA does not place the same limitations on the processing of adults’ personal data.

Once the DPDPA comes into force, an issue that adtech companies in India may grapple with is the determination of actor characterisation, that is, whether the company is a “data fiduciary” or a “data processor” under the law. Given that an adtech player can perform a multitude of functions depending on its position within the adtech chain, it may qualify as a data fiduciary for one set of activities and a data processor for another. Actor characterisation may become more complex as new adtech players are added to the chain.

For instance, a single adtech chain may involve advertisers, demand-side platforms (“DSPs”), and publishers. A DSP collects personal data of individuals from both the advertiser and the publisher, based on which it creates a profile unique to each individual. This profile is used to identify a particular target audience, following which relevant advertisements are delivered to the individual. This raises the issue of whether the DSP acts as a data fiduciary or a data processor in this chain, and what its consequent legal obligations are.

Another issue that companies may encounter is the selection of a legal basis for processing. Consent remains the primary ground for processing personal data under the DPDPA. The DPDPA does not permit the collection of personal data without an individual’s consent, which must meet stringent standards: consent must be free, specific, informed, unconditional, unambiguous, and capable of being withdrawn. Adtech players like DSPs, supply-side platforms (“SSPs”), ad exchanges, or ad networks that typically collect data from sources other than the individual directly, such as data brokers or data aggregator platforms, will have to restructure their business models to account for consent. Alternatively, adtech companies may have to contractually transfer the obligation to collect the necessary consents to the entity that supplies the data to them.

An exception to the obligation to procure consent applies where the individual voluntarily provides their personal data to the data fiduciary, but the scope and operation of this exception are unclear at this stage. Publicly available data is also exempted. Guidance is expected to be issued by the central government of India in the near future.

VI. Conclusion

The lack of specific laws and regulations governing the adtech industry in India has raised concerns about privacy and data protection. The DPDPA is not yet in force, and many operational and compliance requirements will be governed by rules yet to be issued. In the interim, businesses in the adtech industry in India are recommended to review and adopt global best practices to prepare for compliance with the upcoming data protection law in India.