Data-Broker Governance in Targeted Advertising
1. Overview
Data brokers are entities that collect, aggregate, and sell personal information about individuals, often without direct interaction with the individuals themselves. In targeted advertising, data brokers provide granular consumer profiles to advertisers to deliver personalized ads.
Key concerns in this domain include:
Transparency: Users are often unaware that their data is collected and sold.
Consent: Legal frameworks increasingly require explicit consent for the collection, processing, and sale of personal data.
Data Accuracy: Incorrect profiles can lead to misleading or harmful targeting.
Security: Large data repositories held by brokers are attractive targets for breaches.
Cross-Border Compliance: Many data brokers operate internationally, triggering multiple regulatory obligations.
2. Regulatory Principles
a. Transparency and Disclosure
Data brokers must disclose the categories of data they collect and the third parties with whom they share it.
Laws like California’s CCPA/CPRA require clear opt-out mechanisms for the sale of personal information.
b. Consent and Opt-Out
Explicit consent may be required for sensitive data (e.g., financial, health, or children’s data).
Opt-out rights are mandatory under regulations such as the GDPR (Art. 21) and CPRA.
c. Accountability and Risk Management
Brokers must maintain security measures, conduct risk assessments, and ensure third-party compliance.
They may be jointly liable with advertisers if misused data leads to privacy violations.
d. Profiling and Targeting Restrictions
Automated profiling for targeted ads must respect privacy rights and non-discrimination principles.
The GDPR gives data subjects the right not to be subject to automated decision-making that significantly affects them.
3. Case Laws Demonstrating Principles
In re Facebook, Inc. Consumer Privacy User Profile Litigation (2019, US)
Court: US District Court
Principle: Facebook’s sharing of user data with advertisers without explicit consent highlighted the accountability of platforms using brokered data.
Lloyd v Google LLC (2021, UK)
Court: UK Supreme Court
Principle: Users may claim damages for unlawful tracking and profiling, even if harm is “non-material”; emphasizes personal data rights against profiling for ads.
Schrems II (Data Protection Commissioner v Facebook Ireland and Maximilian Schrems, 2020)
Court: CJEU
Principle: International transfer of personal data to third-party ad services requires adequate safeguards; affects brokers supplying cross-border advertising data.
California v. Clearview AI (2020, US)
Principle: Biometric data collected without consent for advertising/profiling purposes violates privacy laws; illustrates consent requirements for sensitive brokered data.
FTC v. Exactis LLC (2018, US)
Court: Federal Trade Commission
Principle: Massive unsecured consumer database exposed; demonstrates broker accountability in data security for targeted marketing.
Ryanair DAC v. Commission for Aviation Regulation (Ireland, 2017)
Principle: Data collected for regulatory purposes cannot be repurposed for commercial targeting; supports purpose limitation in data brokerage.
Reed Elsevier Inc. v. Muchnick (2010, US)
Principle: Aggregation and sale of personal content without consent can violate IP and privacy rights; underscores contractual and legal limits on brokered data use in ads.
4. Governance Best Practices for Data Brokers
Data Mapping: Track the type of data collected, sources, and recipients.
Robust Contracts: Include clauses ensuring advertisers comply with privacy laws and do not misuse data.
Security Measures: Encryption, access control, and regular audits.
Transparency Portals: Allow consumers to see what data is collected and request deletion/opt-out.
Compliance Monitoring: Regularly review laws such as GDPR, CPRA, and sectoral regulations.
Risk Assessments: Evaluate potential harms from profiling or automated decision-making.
5. Key Takeaways
Data brokers play a central role in the targeted advertising ecosystem but are under increasing regulatory scrutiny.
Consent, transparency, and security are core pillars of governance.
Both brokers and advertisers can be held liable for misuse or breach of personal data.
The cases illustrate that courts are recognizing non-material harms and emphasizing purpose limitation and cross-border compliance.
