Abstract
The EU General Data Protection Regulation (GDPR) recognizes the data subject’s consent as one of the legal grounds for data processing. Targeted advertising, based on personal data processing, is a central source of revenue for data controllers such as Google and Facebook. At present, the implementations of consent mechanisms for such advertisements are often not well developed in practice, and their compliance with the GDPR requirements can be questioned. The absence of consent may mean unlawful data processing and a lack of control by the user (data subject) over his personal data. However, consent mechanisms that do not fully satisfy GDPR requirements can give users a false sense of control, encouraging them to allow the processing of more personal data than they would have otherwise. In this paper, we identify the features, originating from GDPR requirements, of consent mechanisms. For example, the GDPR specifies that consent must be informed and freely given, among other requirements. We then examine, with respect to these features, Facebook’s Ad Consent Mechanism, which is based on the processing of user activity data off Facebook Company Products provided by third parties. We discuss to what extent this consent mechanism respects these features. To the best of our knowledge, our evaluation of Facebook’s Ad Consent Mechanism is the first of its kind.
Notes
Children’s Online Privacy Protection Act.
Whether advertisers can be prevented from using such discriminatory targeting criteria is a different question altogether. Ad platforms like Facebook do not, in general, proactively prevent the use of such criteria.
Cite this article
De, S.J., Imine, A. Consent for targeted advertising: the case of Facebook. AI & Soc 35, 1055–1064 (2020). https://doi.org/10.1007/s00146-020-00981-5
DOI: https://doi.org/10.1007/s00146-020-00981-5