27 Sep, 2022

Personal Data Protection in Online Behavioral Advertising

I. Introduction

davranissal-reklamcilik

Online behavioral advertising; We can define the advertisements presented on the websites you visit as making them suitable for you and your interests. Have you noticed that a product or service that you searched through search engines while surfing the Internet is then shown to you as an advertisement? Have you ever encountered situations where the thing you were chatting about was shown to you as an advertisement from the moment you started surfing the internet with your phone after chatting with your friend about a product or service next to your phone without making a call? Every individual who has access to the Internet has encountered the mentioned situations at least once in their life. How do these situations occur? How can they find out what we’re searching for and then present it to us as an advertisement? How should our data processed within the scope of online behavioral advertising be protected within the scope of personal data protection law? We have compiled the answers to all these questions for you.

Every individual who has access to the Internet has encountered the mentioned situations at least once in their life. How do these situations occur? How can they find out what we’re searching for and then present it to us as an advertisement? How should our data processed within the scope of online behavioral advertising be protected within the scope of personal data protection law? We have compiled the answers to all these questions for you.

II. Methods

In today’s world, in the globalizing economy, the advertising industry is also in a transformation. This transformation has turned into the display of specific advertisements specially prepared according to the profile created about each individual, instead of the advertisements generally given regardless of the subjective qualities of individuals such as interests, movements and characters in media tools such as classical newspapers and television.

The methods used in accordance with the transformation; These are cookies created during internet browsing with targeting applications such as contextual, behavioral, repetitive, real-time and demographic movements of individuals.

Contextual Targeting

As a result of analyzing the content of the website searched by the advertising company on a website that we personally search; It is the display of advertisements suitable for our research topic by matching various factors such as your preferred keywords, subject, language, location with the website we are searching for.

Behavioral Targeting

On the website we enter while researching a product or service; It is the display of advertisements suitable for our interest in the subject we search with findings such as which parts we look at, where we click, whether we search for the same topic on different days.

Retargeting

It is the display of advertisements related to the subject that the individual is searching for, based on previous searches or site visit history.

Real Time Targeting

It is a targeting method in which the advertiser can choose whether or not to show the advertisement to the relevant person as a result of instantaneously transmitting the data obtained from the cookies on the user’s computer/mobile device to the advertiser.

Demografik Hedefleme

According to the subject of the ad, in order to make it specific, it is selected in accordance with factors such as a certain age group, gender, parental status or household income, and showing the ad only to people who may be interested.

Cookies

Cookies with many types, such as advertising/marketing cookies, can be defined as low-size rich text-formatted text formats that allow some information about users to be stored on users’ terminal devices when a web page is visited. Advertisers offer personalized advertisements to individuals as a result of the findings obtained through cookies.

Advertisers, provided that they are not limited to the above-mentioned targeting applications and cookies, in order to offer personalized advertisements to individuals; They obtain their data such as their shopping habits, shopping frequency, profession, age, education level, gender, marital status, location by using various methods and algorithms. 

Behavioral advertising activities, regardless of the method used; As a result of the analysis of the data obtained, the profile of the individual is removed, and then the ads are matched with the ads that are suitable for the profile, and the ads are shown.

III. Investigation in terms of Data Protection Law

European General Data Protection Regulation

Behavioral advertising activities are based on the profiling title defined in Article 4 of the European Data Protection Regulation (“GDPR”) and the opinion of the Article 29 Working Group 2/2010. 

GDPR m. In 4/4, “Profiling consists of the use of personal data to evaluate characteristics, in particular to analyze or predict aspects of a natural person’s performance, economic situation, health, personal preferences, interests, reliability, behaviour, location and movements at work. all kinds of automatic personal data processing.” defined as. 

In addition to the definition of profiling, the criteria set for the application of behavioral advertising in the opinion of the Article 29 Working Group No. 2/2010;

  • Illumination and explicit consent,
  • Right of exit,
  • Anonymization and the inability to make the anonymized data reusable,
  • Limitation of purpose,
  • Privacy by design (Providing privacy in design)
  • Protection of special categories of personal data and personal data of children”.

Behavioral Advertising Under Turkish Data Protection Law

The main source for the protection of personal data in our law is the Law No. 6698 on the Protection of Personal Data (“Law”). Since there is no direct profiling definition in the Law as in the GDPR, the legal status of personal data processed for behavioral advertising activities should be evaluated in accordance with Article 5 of the Law, titled personal data processing conditions. 

5/1 of the Law. In the article, it is stated that personal data cannot be processed without the explicit consent of the person concerned, and in the second paragraph of the mentioned law article, situations in which personal data can be processed without the need for explicit consent are regulated. The definition of explicit consent is defined in Article 3/1-a of the Law as “consent related to a certain subject, based on information and expressed with free will”. 

In order to be able to carry out behavioral advertising activities, a data controller must first obtain an explicit consent from the data subject, based on the free will of the data subject, by informing about a certain subject in accordance with the Law.

The act of informing the data controller or the person authorized by the data controller in the process of obtaining explicit consent from the data subject is regulated in Article 10 of the Law titled as the obligation to inform the data controller;

  • “Identity of the data controller and its representative, if any,
  • For what purpose personal data will be processed,
  • To whom and for what purpose the processed personal data can be transferred,
  • Method and legal reason for collecting personal data,
  • It is obligatory to include information on “other rights listed in Article 11”.

Only in this way, detailed legal information can be provided to the person concerned, and if the person concerned gives explicit consent by understanding exactly which activity he has given his explicit consent to, without leaving any room for doubt, it can be accepted that consent has been obtained in accordance with the legislation.

It is regulated that in cases where there are legal reasons listed as limited in paragraph 2 of Article 5 of the Law, it will be possible to process personal data in accordance with the law without the need for explicit consent.

In Article 5/2-c of the Law, there is no explicit consent requirement for processing personal data in case of “Processing the processing of personal data belonging to the parties of the contract is necessary, provided that it is directly related to the establishment or performance of a contract”. In this case, when behavioral advertising activities are evaluated; Considering that the main subject of the contracts between data controllers and the persons whose personal data is processed, behavioral advertising activities do not constitute, and the issue of behavioral advertising activities is included in the contract articles without being noticed, it is fixed that the data controller who wants to perform behavioral advertising activities cannot rely on the aforementioned article of law.

Another legal reason that does not require explicit consent is regulated as 5/2-f of the Law, “It is mandatory to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject”. When this legal reason is examined in the behavioral advertising activity; In order to apply the aforementioned legal reason to the concrete case, first of all, a balance test should be made between the legitimate interests of the data controller and the fundamental rights and freedoms of the person concerned. In case of balance test; It is clear that the nature and intensity of the follow-up to be carried out within the scope of behavioral advertising activities may harm the fundamental rights and freedoms of the data controller, and the data controller cannot rely on the aforementioned law.

As explained in detail above, in order to carry out behavioral advertising activities in Turkish Law, data controllers need an explicit consent obtained from the relevant persons in a legal form.

Comparison of European and Turkish Law

As explained in detail above, behavioral advertising activity is handled within the scope of the concept of profiling in the GDPR and the criteria set by the Article 29 Working Group in its opinion numbered 2/2010, whereas in Turkish law, behavioral advertising activity can be based on explicit consent in a lawful form.

Although there is no definition of direct profiling in the Law, obtaining explicit consent by enlightening, telling the relevant person what his/her rights are while making the disclosure, performing the processing activity in accordance with the principle of limitation with the purpose, which is one of the general principles of the Law, and other situations with different names, but the same actions, although not with the same name Article 29 It shows that the criteria determined by the Working Group are also applicable in Turkish law.

IV. Important Court/Authority Decisions on Behavioral Advertising

Regarding behavioral advertising, the European Court of Justice has given its decision dated 29.07.2019 and numbered C-40/17. The subject of the decision is that Fashion ID, a German online clothing retail operator, placed a “Facebook Like” button on its website, and as a result of this button placed, every user who visits Fashion ID’s website, regardless of whether they are a Facebook member or not, regardless of whether they click the ‘Like’ button or not. is the transmission of personal data to Facebook without any clarification or express consent.

As a result of transmitting the personal data of all users visiting the website to Facebook, Fashion ID, which is the website operator, provides a more visible advertisement and promotion of Fashion ID’s products on Facebook through small cookies placed on users’ devices.

In the concrete incident that came before the European Court of Justice, it has decided that Fashion ID company is the joint data controller for the first transfer of personal data transferred to Facebook, and Fashion ID cannot be considered as the data controller when the personal data obtained by Facebook is transferred to different buyer groups.

The Court also decided that Fashion ID, as joint data controller and website operator, is required to obtain prior consent regarding the collection and transmission of data, by notifying users at the time of data collection certain information such as the identity of the data controller and the purposes of data processing.

In its decision explained in detail above, the Court decided on behavioral advertising in accordance with the GDPR and the criteria set by the Article 29 Working Group.

The Personal Data Protection Board (“Board”) has decided on Amazon dated 27.02.2020 and numbered 2020/173. The subject of the decision is, briefly, regarding the existence of a processing reason other than express consent, where no explicit consent is obtained in order to send electronic commercial messages for advertising, campaign or promotion purposes, neither when creating a membership account nor when shopping for the services offered through the Amazon.com.tr website and connected applications. that no explanation is given.

Briefly, in the decision of the Board; The data controller does not duly obtain the explicit consent of the data subjects in order to send commercial electronic messages by processing the contact information of the data subjects, does not rely on a processing reason other than the express consent, on the other hand, the e-mail addresses of the contact persons of the member are processed without the express consent of these persons, In addition, it should be taken into account that the data controller acts in violation of the general principles in Article 4 of the Law and that the “Confidentiality Statement” published on the website does not mean that the relevant persons are informed about the processing of personal data, since it contains a lot of information and is a general information about data processing. Although personal data starts to be processed through cookies with the login to the notified website, cookies and membership login, etc. It has decided to impose an administrative fine because it is believed that it has not been fulfilled in accordance with the procedures and principles set forth in the Communiqué on the Procedures and Principles to be Followed.

In order for the data controller in the event to be the subject of the decision to carry out behavioral advertising activities through cookies, explicit consents based on legal information obtained from the relevant persons are required.

V. Conclusion

In today’s world, since the internet is accessible to every individual, methods related to the internet have started to be used in order to reach more individuals instead of classical methods in every sector. The advertising sector also provides personalized advertising activities through the use of various targeting tools and cookies on the internet instead of classical methods, enabling companies to use resources more effectively.

Although online behavioral advertising activities are an effective and profitable method for companies, it should be noted that the targeting practices and cookies used do not violate the privacy and fundamental rights and freedoms of individuals. In this context, consent should be obtained by submitting explicit consent texts based on informing individuals in a legal form, and the presence of the criteria determined by the Article 29 Working Group in these texts is of great importance in terms of not violating the privacy of individuals.


To request a quotation for the following: Cyber Security, Digital Transformation, MSSP, Penetration Testing, KVKK, GDPR, ISO 27001 and ISO 27701, please click here.


 

About Content:
Share on Social Media:
Facebook
Twitter
LinkedIn
Telegram