
Consent for targeted advertising: the case of Facebook

AI & SOCIETY

Abstract

The EU General Data Protection Regulation (GDPR) recognizes the data subject’s consent as one of the legal grounds for data processing. Targeted advertising, based on personal data processing, is a central source of revenue for data controllers such as Google and Facebook. At present, consent mechanisms for such advertisements are often not well developed in practice, and their compliance with the GDPR requirements can be questioned. The absence of consent may mean unlawful data processing and a lack of control by the user (data subject) over his personal data. However, consent mechanisms that do not fully satisfy GDPR requirements can give users a false sense of control, encouraging them to allow the processing of more personal data than they would have otherwise. In this paper, we identify the features of consent mechanisms that originate from GDPR requirements. For example, the GDPR specifies that consent must be informed and freely given, among other requirements. We then examine, with respect to these features, Facebook’s Ad Consent Mechanism, which is based on the processing of user activity data off Facebook Company Products provided by third parties. We discuss to what extent this consent mechanism respects these features. To the best of our knowledge, our evaluation of Facebook’s Ad Consent Mechanism is the first of its kind.


Notes

  1. Children’s Online Privacy Protection Act.

  2. https://www.acxiom.com/.

  3. https://www.experian.com/.

  4. Whether advertisers can be prevented from using such discriminatory targeting criteria is a different question altogether. Ad platforms like Facebook do not, in general, proactively prevent the use of such criteria.


Author information

Corresponding author

Correspondence to Abdessamad Imine.


Cite this article

De, S.J., Imine, A. Consent for targeted advertising: the case of Facebook. AI & Soc 35, 1055–1064 (2020). https://doi.org/10.1007/s00146-020-00981-5
