3. Behavioral Targeting and consequences for ‘John Doe’
Hello!!
Male, age 25, single, lawyer
Interested in travelling and literature
Regular Internet user
4. On-site behavioral targeting
• Visits Amazon.com to order a book
• Amazon places a cookie on John’s desktop
• The cookie helps to build a personal profile of John
• Amazon analyses the information and decides (automatically) which content it will offer to John
• With every return visit, John Doe (or his computer) will be recognized
5. Network behavioral targeting
• John Doe is looking for a partner and registers on the Lexa dating site
• Lexa is part of a large network of advertisers
• When visiting the Lexa site, a third-party cookie of the advertising network is placed on John’s desktop
• John’s Internet use is stored in a profile that is built up and refined whenever John uses sites that are part of the advertising network
6. ISP behavioral targeting
• John Doe is a subscriber of a telecoms provider
• John’s use of the Internet is registered and analysed in order to send him targeted ads
• For this purpose, online marketing companies (e.g. NebuAd and Phorm) are granted access to the technical infrastructure of the ISP
7. Behavioral targeting: all about the cookies
• Article 4.1 Dutch Decision Universal Service on cookies
Storage of cookies is only allowed if the user or subscriber is informed upfront, in a clear and accurate manner, of the purposes for which the cookie will be used, and the subscriber or user has been given the opportunity to refuse the placement of the cookie.
This obligation does not apply in the event that the cookie’s sole purpose is to enable or simplify the sending of messages via the Internet, or in the event that the cookie is strictly necessary for the rendering of a service that the user or subscriber has ordered. NOTE: this exception does not apply to behavioral targeting!
8. Current Dutch regulation: upfront information
• Elements of the obligation to inform
1. ‘Upfront information’: theory vs practice
2. Notification on certain minimum requirements for online collection of personal data in the EU, WP 43 of the Article 29 Working Group
3. Relation to article 10 Privacy Directive 1995
9. Behavioral targeting: new regulation
New article 5 sub 3 E-privacy Directive
• Cookies are allowed if the subscriber or the user has granted permission after being provided with clear and complete information on the purposes of the processing
• Relevance of recital 66: some room for a creative solution. Could permission be granted by the settings of the browser?
10. Behavioral targeting: new regulation
• Position EDPS 18 March 2010
• On network behavioral targeting
• Problem: the ‘naive’ user requires greater protection
• Solution: default privacy settings (no third-party cookies) + privacy wizard
• Future: opinion Article 29 Working Party
11. Behavioral targeting: Cookies: personal data?
• Advice Article 29 Working Group (WP 148)
• Any cookie with a unique user identification code qualifies as personal data
• Consequences for behavioral targeting? By means of a cookie it is easy to identify the use of the Internet from a unique computer and thus a user.
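Added example (not part of the original slides): a small audit of captured Set-Cookie headers that separates on-site from network (third-party) cookies, as in slides 4 and 5, and flags values that look like a unique user identification code, as in slide 11. The host names, cookie values, the two-label domain rule and the identifier heuristic are all constructed assumptions.

```python
from collections import defaultdict
from http.cookies import SimpleCookie
import re

# Constructed observations: (site the user visited, host that answered, Set-Cookie header).
OBSERVATIONS = [
    ("www.bookshop.example", "www.bookshop.example",
     "session=9f2c; Path=/"),
    ("www.bookshop.example", "www.bookshop.example",
     "visitor=3b7e1c9a4d5f60718293a4b5; Max-Age=31536000; Path=/"),
    ("www.dating.example", "track.adnet.example",
     "uid=c0ffee1234567890abcdef12; Domain=adnet.example; Max-Age=63072000"),
    ("www.news.example", "track.adnet.example",
     "uid=c0ffee1234567890abcdef12; Domain=adnet.example; Max-Age=63072000"),
]

def site_of(host):
    # Assumption: the last two labels approximate the registrable domain.
    # A real audit should use the Public Suffix List instead.
    return ".".join(host.lstrip(".").lower().split(".")[-2:])

def looks_like_unique_id(value):
    # Heuristic (assumption): a long opaque token is treated as a per-user identifier.
    return len(value) >= 16 and re.fullmatch(r"[A-Za-z0-9_-]+", value) is not None

def audit(observations):
    findings, seen_on = [], defaultdict(set)
    for visited, responder, header in observations:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            owner = site_of(morsel["domain"] or responder)
            third_party = owner != site_of(visited)
            unique = looks_like_unique_id(morsel.value)
            findings.append({
                "visited": visited, "cookie": name, "owner": owner,
                "third_party": third_party,
                "persistent": bool(morsel["max-age"] or morsel["expires"]),
                "unique_id": unique,
            })
            if third_party and unique:
                seen_on[(owner, name, morsel.value)].add(site_of(visited))
    # The same identifier returned on several unrelated sites is a network-level profile key.
    linked = {k: sorted(v) for k, v in seen_on.items() if len(v) > 1}
    return findings, linked
```

`audit(OBSERVATIONS)` returns the per-cookie findings and the identifiers that link visits across sites; in the sample data only the `uid` cookie of the constructed advertising network does so.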
12. Behavioral targeting: Directive on Data Privacy 1995
Requirements for behavioral targeting?
• Purpose: upfront, specific and justified purposes (art. 6)
• Grounds for processing (art. 7)
• Difference between on-site, network and ISP behavioral targeting
• Term for storage (art. 6)
13. You want more information?
Nicole.Wolters.Ruckert@kvdl.nl