A European court ruling could result in ad tracking rules becoming much stricter in future. The court essentially set a precedent that inferred data is still personal data.
This means that if a company can work out things about you, then that information is protected every bit as much as personal data you provided directly …
Ad tracking rules
App Tracking on iPhones works by Apple assigning a unique identifier to your device. It doesn’t reveal any details about you, but does allow an advertising network to see (for example) that iOS user 30255BCE-4CDA-4F62-91DC-4758FDFF8512 has visited gadget websites, and therefore would be a good target for gadget ads.
It also allows them to see that iOS user 30255BCE-4CDA-4F62-91DC-4758FDFF8512 was shown an ad for a particular product on a particular website, then subsequently went to a particular retailer site to buy it – therefore that ad was (likely) successful.
Europe’s strict GDPR privacy law means that EU citizens must opt in to the use of their data (with a few exceptions), but it has so far been assumed that this only protects data directly supplied by an individual. The kind of inferred data used in ad tracking was not thought to be covered by GDPR.
Inferred data is also protected, says Europe’s top court
TechCrunch reports that the specific case relates to the Lithuanian government publishing the name of someone’s spouse – from which it might be inferred that they are gay. The court ruled that this kind of inferred data is also protected, and cannot be used without consent.
The relevant bit of the case referral to the Court of Justice of the EU (CJEU) related to whether the publication of the name of a spouse or partner amounted to the processing of sensitive data because it could reveal sexual orientation. The court decided that it does. And, by implication, that the same rule applies to inferences connected to other types of special category data.
Dr Gabriela Zanfir-Fortuna, VP for global privacy at the Washington-based thinktank, the Future of Privacy Forum, sums up the CJEU’s “binding interpretation” as a confirmation that data that are capable of revealing the sexual orientation of a natural person “by means of an intellectual operation involving comparison or deduction” are in fact sensitive data protected by Article 9 of the GDPR.
This could have huge implications for what type of data processing companies are allowed to do when it comes to profiling customers and ad targets.
“I think this might have broad implications moving forward, in all contexts where Article 9 is applicable, including online advertising, dating apps, location data indicating places of worship or clinics visited, food choices for airplane rides and others,” Zanfir-Fortuna predicted.
Prior to this ruling, the consensus view among companies processing data was that they could combine whatever knowledge they had about someone in order to build a profile, and that any data which they inferred rather than directly collected was theirs to use as they wished. The ruling says that is not the case.
This impacts ad tracking because companies make these kinds of inferences all the time, and devise personalized ad targeting based on them.
For example, if someone buys products associated with pregnancy (like maternity wear), they will likely be profiled as an expectant parent, and targeted with ads for products made for pregnant women and parents of newborns. Similarly, if you watch reviews of MacBooks on YouTube, you are likely to be targeted with ads for MacBook accessories, like sleeves, cases, docks, dongles, and so on.
Vindicates App Tracking Transparency approach
Apple’s App Tracking Transparency was designed to allow iPhone users to choose whether or not to permit this type of profiling. The court ruling could well mean that it is illegal to do this with EU citizens, even if they opt in to tracking.
Dr Lukasz Olejnik, an independent consultant and security and privacy researcher based in Europe, was unequivocal in predicting serious impacts — especially for adtech.
“This is the single, most important, unambiguous interpretation of GDPR so far,” he told us. “It backs up the approach of Apple.”