What you need to know about the proper use of personalized advertising

Data protection 28.03.2023

In today's world, personalized advertising has become a crucial component for businesses to reach their target audience. By utilizing customized marketing strategies, companies can efficiently cater to the needs and preferences of their customers.

However, it is crucial to keep in mind that collecting customer data should be done in compliance with data protection laws. Failing to do so can lead to severe consequences such as legal repercussions and damage to the brand's reputation. In this article, you will learn more about the privacy issues associated with personalized advertising and how to make it privacy-compliant.

Nikolai Schmidt, IT/Data Privacy Lawyer

In this article, you'll learn

  • What does personalized advertising mean
  • How does personalized advertising work
  • Example of data breach: Meta
  • Why you need a cookie banner and privacy policy
  • How to make them legally compliant

What is personalized advertising?

Personalized advertising is the targeting of ads to a person's specific interests based on their online behavior. This type of advertising allows companies to reach their target audience more effectively and increase their conversion rate. The conversion rate is the percentage of prospects who become buyers or subscribers after visiting a website.

How does personalized advertising work

Personalized advertising works by a company collecting information about a user and then using it to deliver individualized advertisements. This is usually done via cookies: small text files that are stored on the end device or in the browser when a website is visited and are read again under predefined conditions.

In this way, login data, shopping baskets in the online store or other user preferences can be stored and displayed when the website is called up again. Another possibility is to use the IP address of the user to determine the location and to display appropriate advertising. In addition, data is often collected from the user's social media profiles.

This extensive use of user data requires companies to act in accordance with data protection regulations.

Fine against Meta: a current example of a data breach

Once again, a fine in the millions has been imposed on Facebook. After the fine in November 2022 in the amount of 265 million euros, the Irish data protection authority DPC has imposed another fine in the amount of 390 million euros against the Facebook group Meta.

Facebook and Instagram had not used the personal data of their users in a manner that complied with data protection laws. In particular, they had failed to obtain consent, which is fundamentally required for personalized advertising. Instead, they had included personalized advertising as a service in their T&Cs. This was done in order to avoid obtaining consent, because data processing for the purpose of fulfilling a contract is generally permitted. Consent is generally not required in these cases (exception: data particularly worthy of protection according to Art. 9 GDPR).

This very approach has now been deemed by the European Data Protection Board (EDPB) to "circumvent" the consent that is usually required for personalized advertising.

Irish data protection authorities had accepted Facebook's approach for years.

Legal background

Everyone knows the situation. You surf on a website and immediately the cookie banner appears.

A distinction is made here between technically necessary cookies and technically unnecessary cookies.

Technically necessary cookies do not require consent, as they are necessary for the functionality of a website and therefore cannot be switched off.

Technically unnecessary cookies, in which user data is used for personalized advertising, have to be assessed differently. Marketing cookies (tracking, targeting, analysis and social media cookies) are used to collect user information on location, surfing and purchasing behavior across devices. Companies use this information predominantly in their own interests. The user must therefore consent to their use.

How to use a cookie banner in a privacy-compliant way

Although data protection-compliant consent gives companies a lot of leeway in terms of data use, it entails a number of necessary steps in implementation.

First of all, consent must be obtained. The cookie banner comes into play when designing a privacy-compliant declaration of consent. It is important that the user can revoke their consent at any time. To this end, companies must create appropriate processes so that the revocation is received and the data stored to date is deleted or blocked accordingly. Moreover, this process is, understandably, not the nicest from a UX perspective.

The most common legal grounds for processing personal data in practice are: processing for contractual purposes and processing on the basis of legitimate interest.

The advantage of these legal bases is that they allow the use of data without additional effort.

According to the prevailing view, a legitimate interest of the company does not exist in the case of personalized advertising.

When processing for contractual purposes, only the data that are necessary for the fulfillment of the purpose of the contract may be used. These are usually contact data, as well as bank data of the contractual partners. The further scope of what is permitted results from the specific contract. In principle, the contracting parties are free to determine the content.

This was also the idea of Facebook and Instagram: Personalized advertising was included as a service in the T&Cs. The use of data was consequently based on processing for contractual purposes. Consent was not obtained.

However, the EDPB classified this approach as "circumvention" of the required consent. Facebook must now offer its services without personalized advertising. This is an understandable view, since the main service of the contract is the social media platform. For personalized advertising to be displayed, active consent is required, e.g., by the user clicking on a button.

Solution of the legal problem

The best way to ensure that companies comply with privacy laws when using personalized advertising is to implement a privacy-compliant design. This includes creating a privacy-friendly environment on a website or app that includes features such as a privacy policy and cookie banner.

The privacy policy should provide detailed information about how a company collects and uses personal data and how individuals can access and delete their data. The cookie banner should inform individuals about how their data is used and give them the option to opt out of certain types of advertising. Here again, it is important that opting out is made just as easy as giving consent.

As recently as December 2022, the French data protection authority CNIL imposed a 60 million fine on Microsoft. The reason: rejecting the cookie banner required 2 clicks, while consenting required only 1 click.

The same applies to the revocation of consent. Here, too, the website must be designed in such a way that it is just as easy for the user to revoke consent as to give it.

In addition, companies should ensure that they obtain the consent of the data subjects before collecting and using their data. When designing the website, particular care should be taken to ensure that cookies are not already set when the page is loaded.

Finally, companies should ensure that they regularly review and, if necessary, update their privacy policy and cookie banners. This is important to ensure that they are up to date with data protection laws and that they provide individuals with sufficient information about how their data is used.

Practical tips

Data protection regulations, and the authorities' interpretation of them, are strict. When it comes to marketing, companies should ensure that they comply with the legally required measures when they engage in personalized advertising, in particular through:

  • Privacy-compliant design of the website (privacy by design)
  • Privacy-friendly basic settings (privacy by default)
  • Transparent data protection information
  • Privacy-compliant cookie banner
  • Regular updating
  • Careful selection of marketing tools and service providers