By Pascale Gelly and Elisabeth Quillatre

Online targeted advertising: the CNIL reports

“You book a plane ticket to New York on the Internet. Two days later, while reading your newspaper online, you’re offered an attractive deal on a rental car in New York. This is not a mere coincidence: this is targeted advertising, as it is developing more and more on the Internet.”

So begins the CNIL report about online targeted advertising, which was presented to the commissioners in plenary session earlier this year and recently released publicly.

It’s a fact, most content providers and search engines allow Internet users access to a lot of information and entertainment, free of charge. But there is a price to pay at one time or another: data to feed the advertising business; advertising being the main source of income of the Internet.

IP addresses, Internet search keywords, browsing histories, registration data, social networking tidbits, visualized ads, and even e-mails’ content, you name it... Any information about Internet visits and visitors potentially is analyzed to determine what advertising will correspond best to them or to their profile.

The 30-page CNIL report aims to review the privacy risks associated with online targeted advertising and provide potential answers. It also serves to open a debate among authorities that could lead to improved business practices.

The report details the various types of online advertising—personalized (common type), contextual, or behavioural—and the distribution channels for advertisements, such as Web sites (content providers) or advertising agencies that deal with several Web sites and, therefore, have more opportunities to obtain a large amount of Internet users’ data.

The report educates readers on various user-tracking and profile-creation techniques, which rely on data provided by the Internet user, himself, or on demographic assumptions made about a user based on pages visited. It also describes the models of Amazon, Google, Facebook, Linked-In, Tacoda/ AOL, and Phorm.

Technological and economic changes in e-companies’ business models are a source of concern. More and more, companies, by diversification or acquisition (e.g. Yahoo and Google) are simultaneously content providers, service providers (Internet access, e-mail, search engine…) and advertising agencies, thus having the opportunity to aggregate data about users collected via different means.

Therefore, the concentration of actors and data sources is seen as a potential risk to privacy, in particular, as individuals do not realize the impact this may have on the processing of personal data. Exacerbating these risks is the fact the CNIL finds that opt-out mechanisms (e.g. opt-out cookies) do not work properly in practice.
If advertising agencies were to share data they collect with businesses such as banks, insurance companies, or recruiters, selections and assessments of consumers and candidates could be made based on assumptions about their health, finances, or other sensitive information, without individuals being fully aware of it. The authority views this as a real threat.

The report underlines the challenges online targeted advertising presents to data protection authorities.
The first key legal issue is to determine whether the processed data is “personal,” thereby triggering the application of data protection rules. To a large extent, the report refers to the G29 opinion on the notion of personal data. That group’s decision concluded that, if profile data such as age, gender, or location is linked to an identifier (IP address or identifier placed in a tracking cookie) that can be linked to an identified or identifiable individual, the data is “personal.” The CNIL rules out all attempts to claim that the data used for online advertising is anonymous.
Referring to the G29 opinion on search engines, the CNIL believes that European data protection laws should apply even if businesses are headquartered outside of the EU.

Once these interpretations are made, the main question to address is how individuals can be properly informed of the processing activities carried out to target them so they can exercise their opt-out or opt-in rights.

The CNIL stresses the need to debate about applicable law, data retention, and notices of profiling. It suggests the drafting of template notices and codes of good practices. In addition, the CNIL calls for better public sensitization on tools to let users control or disable tracking devices, and for the promotion of privacy-compliant tools and services via labelization.

This is clearly a first-stage report to show the authority’s intention to tackle the matter and to bring this sector of economy in line with European data protection principles.

French ISP sanctioned under Data Protection Act

The CNIL sanctioned Neuf-CI, one of the main Internet access providers in France, for lack of transparency in dealing with a customer access request. The company was reluctant to address the request, which was first rejected for “confidentiality and security reasons.” Later, the company agreed to provide the customer with her subscription data (name, contact details, bank details), but failed to provide her with data recorded in the customer databases (invoices, call numbers, dealings with the customer service department), even after an injunction from the CNIL.

The company claimed that the lacking response was due to the merger between Neuf-Cegetel and Club Internet, which created some disorganization. Still, the CNIL considered that a full response should have followed the customer’s request. It also noted that the company’s policies on personal data, which had been drafted a year earlier, were still at a draft stage. Sanction: 7000 Euros.

Pascale Gelly and Elisabeth Quillatre of the French law firm Cabinet Gelly can be reached at pg@pascalegelly.com.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»