In a recent enforcement action, the Irish Data Protection Commission (DPC) ruled that businesses can’t rely on “contractual necessity” as a legal basis for using behavioral advertising. The DPC also mentioned the importance of transparency when explaining the purpose of processing data to users. The main takeaway here is that user consent is a must when engaging in behavioral advertising.
How can companies ensure compliance when delivering targeted ads?
1. Know what regulations apply to you
Have a comprehensive picture of what privacy and data protection laws apply to your business operations. For example, if your business has customers in the EU and California, you’ll have to look at the requirements the CPRA and GDPR have in place.
Conduct a mapping exercise to lay out which regulations apply, and which parts of these applicable regulations you need to take note of in your data processing policies.
2. Get user consent before delivering targeted ads
The GDPR and CPRA both mention that businesses have a legal basis to process personal data if the use case is “necessary” for the business to function, or is a “contractual necessity” for the business to fulfill to its consumers.
However, in the case of targeted advertising, showing personalized ads is usually not the core function of your business, as mentioned by the European Data Protection Board (EDPB) guidelines. This removes it from the scope of the “necessary to perform a contract” basis to process personal data, by the GDPR’s definition. For example, using your shipping address to send you a product would be necessary data to complete the service, but providing you with targeted ads based on your interests would not.
Targeted ads are a way to help customers view products or services that appeal to their interests and allow them to have a more enjoyable user experience when navigating through your site. However, as they are not a “contractual necessity,” getting consent from your users to provide personalized ads is the way to go. Under the GDPR, consent must be obtained by opting in, while under the CPRA this can be achieved via an opt-out mechanism.
Apart from running targeted advertisements on your own platform, you may also have cases where you’re running these campaigns on other third-party platforms. You’ll also need to collect consent in this case, and ensure that your organization is clear on the policy requirements that third-party platforms have regarding user data. Your users’ privacy is ultimately your responsibility, so make sure to have the proper due diligence in place.
3. Use transparent communication: clear, concise, and comprehensive
Keep the language clear, concise, and easy to understand for consumers. Disclose what data you’re collecting and what you’re using it for.
The CPRA also has certain clearly defined items that must be in place that include:
How can OneTrust help your business stay compliant?
OneTrust Consent and Preferences enables you to manage the consent of your digital properties across all regions, privacy regulations, and devices through one platform.
By providing brand-consistent notices and banners to your users throughout their interaction with your site, from accepting cookies to subscribing to a newsletter, we ensure that your customers get the best user experience and have their privacy honored at every touchpoint.
After obtaining consent from your users, keeping track of this data with up-to-date records is no small task. OneTrust makes this easy with integrations with all major sales, marketing, and data platforms, along with a real-time database that stores user consent and preference data, making sure you’re always providing your customers with an optimal, privacy-first experience.
Learn more about how OneTrust Consent and Preferences can help your organization build trusted relationships with your customers by keeping their privacy as your priority.