This post is authored by Rupa Veena S and Julia Anna Joseph, 4th year BBALLB students at School of Law, Christ University
INTRODUCTION
Adtech is advertising technology used by businesses to attract potential consumers to their websites. Adtech tools are used to track consumer preferences which are used for marketing products to potential consumers digitally. The Adtech industry has witnessed tremendous growth from the onset of the pandemic when a large proportion of consumers engaged in online shopping. However, the privacy concerns of adtech cannot go unaddressed. In light of the same, this article discusses various practices in the adtech industry that involve violation of privacy. It also makes a comparative analysis between the laws dealing with data protection and privacy concerns arising out of adtech in the United Kingdom (UK) and India.
Practices in the Adtech industry that violate Privacy
The entire adtech ecosystem relies on the personal data of consumers to display ads based on their preferences. Programmatic advertising is the most commonly used adtech and is automated in nature. It is used to buy or sell advertising space. Real-time bidding (“RTB”) is the most widely used programmatic advertising tool. RTB is used by publishers to sell ad space to advertisers who bid the highest in an auction. While advertisers make use of demand-side platforms (“DSPs”) to bid on advertising space, publishers use supply-side platforms (“SSPs”) to sell their ad space. The price for the purchase of ad space is agreed upon in online marketplaces called ad exchanges where publishers and advertisers are connected through DSPs and SSPs. The price while bidding is determined by the consumer’s information available to the advertisers. Cookies and other similar technologies are used to collect consumers’ personal data. The price paid for using websites which are “free” is the personal information collected and used to display ads. Now, what remains questionable is whether consumers’ personal data is collected or processed with their consent or not.
India’s privacy and data protection laws are still in their nascent stages. Laws must ensure that third parties do not collect or process personal data of consumers without their consent. The example of UK laws may be looked at for reference.
Laws in the UK
In the UK, the General Data Protection Regulation (UK GDPR) and the Data Protection Act, 2018 (Act) are the regulators of data privacy. The Privacy and Electronic Communications Regulations, 2003 also apply to the use of cookies and other technology which aid in targeted advertising. The Act gives effect to the provisions of the UK GDPR. Article 5 of The UK GDPR makes it clear that personal data shall only be processed transparently, fairly, and in a manner that is explicitly consented to, without allowing for any further processing. Article 6 (1) mentions the six legal bases for collection and processing of personal data including explicit consent of data subject, contractual performances, data controller’s legal obligations, protecting the data subject’s vital interest, public interest and legitimate interest pursued by data controller. Article 7also allows for a data subject to revoke consent at any time. This blocks all loopholes in making use of consumer data in the adtech industry. Neither can a big tech company procure data without permission, nor can they sell it in a way that its further processing can take place without the knowledge of the data subject.
Regulation 6 of The Privacy and Electronic Communications Regulations, 2003 states that a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless they are provided with clear and comprehensive information about the purposes of the storage of, or access to, that information is given the opportunity to refuse the storage of or access to that information.
Furthermore, the Information Commissioner’s Office (ICO) of UK, a government-sponsored body, upholds data privacy rights of individuals. It allows individuals to file complaints if their personal data is mishandled by any organisation. ICO released Adtech Market Research Report (Report) in 2019 on the use of cookies and similar technologies for processing of personal data in online advertising with a focus on RTB. The Report acknowledged and detailed various inadequate practices and privacy issues arising out of use of RTB. Following which in 2021, the Information Commissioner issued an opinion on data protection and privacy expectations for online advertising proposals. The said opinion calls on adtech companies which use various methods of online advertising to ensure compliance with data protection and eliminate privacy risks. The opinion gives recommendations with respect to data protection requirements, transparency, offering users the choice of receiving ads, mitigation of privacy risks, etc. for the adtech companies to consider before taking any new initiatives in the adtech segment. The Indian scenario in this regard, has significant differences.
Indian position
As per Article 19(1)(a) of the Constitution of India, the public at large has a right to receive commercial speech and protects the rights of an individual to listen, read and receive. Therefore, being at the receiving end of targeted advertising is per se no violation. However, the privacy concerns that emanate from targeted advertising must not be ignored.
Advertising Standards Council of India regulates the advertising sector in India. Being a self-regulatory organisation, it released a code for self-regulation that applies to all advertisements in India irrespective of the medium they are published in or the place of origin if the target consumers are in India. However, the said code does not regulate challenges arising out of violation of data protection and privacy by adtech. Further, there are several other legislations specific to advertising sector but none of them deal with privacy concerns arising out of advertising through adtech.
Privacy regulation in general is governed by the Information Technology Act, 2000 (“IT Act”). The IT Act, however, is not equipped to deal with privacy concerns that arise from consumer data because IT Act regulates data privacy only in relation to the following: firstly, under Section 66E- when a person’s bodily integrity is endangered due to the capture of images/videos when they reasonably expect a violation; and secondly, when there is a breach of confidentiality only in a case where the data was acquired for purposes of the IT Act. None of these provisions cater to the data protection of consumers in the adtech industry. Thirdly, Section 43A states that where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. Here, however, the liability arises only in case of negligence. In the case of adtech, however, the root cause for data transfers violating privacy is not negligence, but the sheer absence of obtaining consent when purposefully transferring consumer data to third parties. The penalty prescribed for the same in Section 45 is payment of a sum not exceeding Rs. 25,000, which is a paltry amount considering the economic benefits that are reaped by body corporates who sell personal data information to ad companies.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules) act as effective guidelines that supplement the IT Act, 2000. Rule 4 of the Rules requires body corporates to have a policy that clearly states relevant information about data disclosure. Rule 5(2) mentions the circumstances under which alone the body corporate shall obtain sensitive personal data wherein it states that such personal information can only be obtained for lawful purpose. However, neither the IT Act nor the Rules define what ‘lawful purpose’ is. Therefore, companies can interpret the term ‘lawful purpose’ in a wider sense and infringe privacy under the garb of ‘lawful purpose’. On the other hand, Article 6(1) of UK GDPR clearly mentions the bases for personal data collection and processing. The UK GDPR and Data Protection Act also unambiguously define what can fall under each of the six legal bases. Taking this into consideration, the authors contend that the Rules must clearly define ‘lawful purpose’ of personal data collection and processing. Nevertheless, Rule 6 also makes it clear that a body corporate will have to take prior permission from the person who provides the information in order to disclose it to third parties. Such transfer is also to be made only if the recipient has sufficiently secure data protection safeguards.
These Rules are the closest laws in place that aim to somehow significantly govern data protection. However, the data protection regulations that are currently in place govern these matters very generically. A separate law for adtech regulation would ensure specific punitive actions for different kinds of privacy violations, such as video-tracking, financial data transfer, health data transfer, etc., all of which have different levels of implications on privacy and thus some of them require progressively stricter sanctions.
A consumer may accept ‘cookies’ while using a website with the knowledge that their personal information will be used by websites but may not be entirely aware that their personal information so collected is likely to be shared and processed by different entities more than once. Therefore, in India too, like in the UK, laws must allow for subsequent revocation of consent, as well as prohibit further processing of any data which is already once processed. Also, in India, there is no equivalent body to ICO that upholds data privacy rights of individuals. Considering the mounting privacy concerns arising from not only adtech but also otherwise, the authors contend that India should have a separate government sponsored body like in the UK, designated to deal with data privacy and protection rights.
CONCLUSION
While the judgment in KS Puttaswamy v. Union of India broke new grounds in 2017 by upholding the right to privacy as a fundamental right, very little development can be seen in terms of data protection and privacy laws in India. The Data Protection Bill, 2019 has now been withdrawn, and the future possible developments in this regard are largely unknown. Considering how adtech has become an intrinsic part of the cyber world, it has become the need of the hour to regulate it. India should draw inspiration from UK’s laws and make consent necessary at every stage to process consumers’ personal data for adtech-related activities since the consent of customers is key in protection of data privacy of every individual. While the growth of adtech seems unstoppable, the larger issue of breach of data privacy of the Indian citizens must not be ignored by the government and must be adequately addressed at the earliest.