The online advertising industry collects and processes troves of personal data to deliver personalised ads and will consequently be one of the industries most impacted by India’s Data Protection Bill (DPB), 2021. When this Bill becomes law, profiling users will not be possible without getting free, specific, informed, and clear consent from users, and a denial of that consent attacks the very foundation of tailored advertising. But consent is just one of the numerous obligations to which companies will be subjected. In this post, we take a closer look at how the DPB impacts the online advertising industry.
You don’t have to be located in India to be affected by the DPB. If your advertising reaches Indian citizens, then your data practices need to adhere to the Bill.
How online advertising works and who are the major stakeholders?
The three main stakeholders:
- Publishers: Publishers are websites with ad spaces such as news websites and blogs. They use inventory management software called ad servers that helps them sell their ad inventory.
- Advertisers: These are companies that want to advertise. They use ad-buying tools to buy inventory from publishers.
- Ad marketplaces: The electronic marketplaces where publishers and advertisers are matched through a real-time bidding process. The bidding price of an advertiser is determined by how valuable that ad space is, which, in turn, is determined based on the data collected about the user seeing the space. For example, a car company will be willing to pay a high price for an ad space appearing to a user who has recently been browsing cars.
For more on how the online advertising market works, read our explainer here.
Role of Google and Facebook: Google and Facebook are the largest players in the online advertising industry because not only do they manage ad marketplaces, they also sell ad servers and ad-buying tools that publishers and advertisers rely on to sell and buy ad spaces. Because of their duopoly of this industry, we will use them as examples throughout the post, but the provisions of the Bill also apply to other companies that offer similar services, such as Amazon and Apple.
They are all data fiduciaries: The process through which these various stakeholders come together to deliver the ads is complex and multi-layered, but since all these stakeholders—publishers, advertisers, Google and Facebook—play a part in determining the purpose and means of processing of personal data, they are all considered data fiduciaries. Because the roles of Google and Facebook are not consumer-facing, it might appear that they are data processors, but Google clarifies that it’s a data controller (the GDPR equivalent to data fiduciary) for the following reason:
“We operate as a controller for our publisher products because we regularly make decisions on the data to deliver and improve the product. For example, if you’re an AdSense publisher, we’ll serve ads to your visitors. If your site is about, say, gardening, then we might infer that your visitors are gardening enthusiasts. We’ll use that data to benefit advertisers: a maker of lawnmowers might want its ads served to gardening enthusiasts, even when they’re visiting sites that have nothing to do with gardening. Our uses of that data, to benefit different parties, mean that we are data controllers, not processors.”
What personal data is collected in online advertising?
According to the DPB, personal data includes any data by which an individual is directly or indirectly identifiable such as a characteristic, trait, or attribute, including any inference drawn from such data for the purpose of profiling, which is to analyse or predict aspects concerning the behaviour, attributes or interests of a data principal. The explicit inclusion of profiling brings much of the data collected by the online advertising industry under personal data.
In advertising, all data collection happens in the name of cookies, which are small text files that websites place on the device viewing them. While functional cookies like language preference and log-in details are not considered personal data, there are other cookies used for tracking users and profiling them, which qualify as personal data.
Data collected as cookies include a website visited by a user, the time it was visited, IP address, general location, user authentication details, etc. Websites that show ads generally use Google’s products to help them process this data and create user profiles such that Google knows a user’s interests just by having a log of the sites that they visited, and then uses this knowledge to allow advertisers to target ads. To give you a better sense of this, here’s a snapshot of a Google user’s ad personalisation dashboard, which shows what Google believes are interests of that user:
Is sensitive personal data collected? Google makes certain inferences about users that might be considered sensitive personal data. For example, it collects personal data that reveals a user’s religious and political interests.
“The gamut of changes that the Personal Data Protection Bill is set to usher in is bound to have tremendous impact on how online advertising has been conducted so far, most importantly the crackdown on profiling and thereby on targeted advertisements. It provides for additional safeguards or restrictions to be specified by the Data Protection Authority for repeated, continuous, or systematic collection of sensitive personal data for the purpose of profiling. Such curtailment is bound to have a direct impact on the scale of advertisement, and incidentally on the revenues generated through such advertisement as well.” – Nikhil Varma, Managing Partner, Miglani Varma & Co – Advocates, Solicitors and Consultants
Consent: The biggest change for the online advertising industry
Since cookies used for ads are personal data, all the players in this industry who collect and process this data—the websites that show ads, the advertisers that want these ads shown, and intermediate players like Google and Facebook—are allowed to collect and process data only after they get consent from users. While there are some exceptions that allow data fiduciaries to process data without consent, none of these grounds applies to personalised advertising.
The consent has to be obtained before collecting the data and has to be:
- Free: As laid out in Section 14 in The Indian Contract Act, 1872, consent should not be caused by coercion, fraud, misrepresentation, mistake, and undue influence.
- Informed: The fiduciary must disclose the following information to the user in a “clear, concise and easily comprehensible” manner and in multiple languages to the extent necessary and practicable:
  - the purposes for which the personal data will be processed
  - the nature and categories of personal data being collected
  - the contact details of the data fiduciary and the data protection officer
  - the right of the data principal to withdraw his consent, and the procedure for such withdrawal
  - the source of collection, if it is not collected from the data principal
  - the other entities with whom the personal data may be shared
  - the information regarding any cross-border transfer that the data fiduciary intends to carry out
  - the period for which the personal data shall be retained
  - the existence of and procedure for users to exercise the rights granted to them by the Bill
  - the procedure for grievance redressal
  - the existence of a right to file complaints to the Authority
  - any rating in the form of a data trust score that may be assigned to the data fiduciary
- Specific: The user should be able to determine the scope of consent in respect of the purpose of processing, which means broad statements such as “we collect data to improve user experience” will not suffice.
- Clear: The consent must be indicated through an affirmative action that is meaningful in a given context, which means pre-ticked boxes or treating the pop-up close button as consent are not allowed.
- Capable of being withdrawn: The user should be able to withdraw consent as easily as they gave it.
- Explicit and separate for sensitive personal data: Additionally, if the data that is collected falls under sensitive data, consent must be separately and explicitly obtained for it after the user is clearly informed of the purpose of processing which is likely to cause significant harm to him or her.
Cannot deny service because user exercised their choice: The provision of any goods or services, and the quality of the same, cannot be made conditional on consent to the processing of any personal data not necessary for that purpose, nor be denied based on the exercise of choice. This means that if a user only wants to give consent to the cookies that are necessary for the functioning of the site, he should be able to do so while opting out of other cookies that are not required for this functioning, such as ad cookies.
Who should get the consent? The entities involved in the collecting and processing of cookies do not have to get consent separately. Google and Facebook have delegated the task of getting consent to the websites and advertisers that use their products and services, which means you can expect pop-ups on Indian websites similar to the sites that serve the EU region. These pop-ups, however, will have to contain details about all those with whom the data is shared. Google and Facebook will themselves seek consent for data collected on their own products and services.
Example of a good consent form: Here are screenshots of the consent flow of The Wall Street Journal site served in the EU. Not only does the initial pop-up clearly specify the purposes for which cookies are collected, but the site also allows you to click on Manage Settings and explore the different types of cookies that are collected and who is collecting them. Users can turn off specific types of cookies, specific partners, or all settings related to personalised advertising without it affecting the news articles that they are served.
What are the other compliance burdens to the online advertising industry?
While everything under the Bill will apply to data fiduciaries in the online ad industry, here are some key provisions that affect the industry:
- Purpose limitation: Data can only be processed by companies for the purpose to which a user has consented. For example, if a company collects an email address of a user for delivering a service, the same cannot be used to send marketing emails or for ads if the company doesn’t have the consent of the user for the same.
- Maintaining the quality of personal data: Data fiduciaries are expected to make sure that the personal data is complete, accurate, not misleading, and updated. This will be a tricky one for advertisers because if they use outdated data to profile users and deliver targeted ads based on that profile, they are theoretically in violation of this provision.
- Restrictions on cross-border data transfer: Since some of the data collected by fiduciaries can be used to determine aspects like a person’s religious or political beliefs, fiduciaries will be subject to restrictions on cross-border transfer of sensitive data. Either they will have to get the necessary approval through adequacy or intra-group contracts or not use data that may reveal, be related to, or constitute sensitive personal data as defined by the Bill. But regardless of whether the data is transferred out or not, a copy of it needs to be stored in India.
“A requirement imposed by the Bill is that sensitive personal data shall always be stored in India, however transferring such data outside is permitted. In order to store such data, companies including advertisers, especially significant data fiduciaries, will have to set up adequate data infrastructure, incurring additional costs. The increased compliance requirements coupled with the cost implications may prima facie appear onerous, but are surely beneficial to the people and in the interest of protecting their privacy, a valued fundamental right.” – Nikhil Varma, Managing Partner, Miglani Varma & Co – Advocates, Solicitors and Consultants
- Restrictions on transferring data to other businesses: A data fiduciary is allowed to transfer or transmit personal data to any person as part of any business transaction in such a manner as may be prescribed. The manner is yet to be prescribed, but since the players in the online ad industry exchange data between themselves all the time, this provision will be a hurdle to them.
- Guaranteeing users’ rights:
  - Data access: Users have the right to ask fiduciaries for access to the data collected on them and a summary of what processing was done.
  - Data portability: Users have the right to take their processed data to another fiduciary. For example, a user should be allowed to take the profile Google created of them to Facebook. This will disincentivize players in the market from developing detailed profiles and could also raise intellectual property concerns.
  - Data correction and erasure: Users have the right to ask fiduciaries to correct or erase personal data about them, which can affect the profiles built by companies.
“A pertinent feature of the marketing related implications of the new data protection laws would be rights of individuals with respect to personal data. The Bill enshrines the right to obtain confirmation on whether personal data has been processed; right to seek correction of personal data, right to have personal data transferred as well as the right to restrict continuation of disclosure of personal data by way of withdrawing consent. In order to ensure that these rights are available to individuals, entities involved in data collection for the purpose of marketing, may have to incur additional costs to facilitate these options to individuals from a technological standpoint.” – Kritika Seth, Founding Partner, Victoriam Legalis – Advocates & Solicitors
- Algorithmic transparency: Data fiduciaries are expected to take necessary steps to maintain transparency when it comes to the fairness of the algorithm or method used for processing personal data and make this information publicly available. This responsibility isn’t an easy task for the online ad industry because companies like Google and Facebook probably use numerous complicated processes to create user profiles and match advertisers and publishers.
- Grievance redressal: Data fiduciaries are expected to have in place a procedure and effective mechanisms to redress the grievances of users within 30 days. This will be particularly onerous if all websites that show ads need to facilitate a grievance redressal mechanism.
- Additional obligations for significant data fiduciaries: The Bill defines significant data fiduciaries and includes additional obligations for them. Both Google and Facebook and maybe a few large advertisers and publishers will be considered significant data fiduciaries due to the volume of personal data they process and their turnovers. Additional obligations for them include appointing a data protection officer, carrying out data protection impact assessment and audits, and maintaining records.
“The Bill has introduced several provisions in relation to inter alia non-personal data, explicit consent for processing of sensitive personal data, data localisation, impact assessment report filing, appointment of DPOs, certification of AI based technologies, and several other compliances which are likely to increase the compliance burden on companies in advertising sector. In order to comply with such compliances, organizations will have to re-look at their data governance structure as a whole and are recommended to have a separate budgetary allocation for the same.” – Rishi Anand, Partner, DSK Legal
No profiling and targeting ads at children
When it comes to data of children below the age of 18 years, the Bill makes it clear that data fiduciaries are:
barred from profiling, tracking, or behavioural monitoring of, or targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child.
The provision is straightforward in saying that children cannot be targeted with personalised ads.
Does psychological manipulation cover advertising?
Under the definition of harm, the Bill now includes “psychological manipulation which impairs the autonomy of the individual.” Speaking at a MediaNama event, multiple speakers said that the term is broad enough and might even cover advertising.
“This definition of harm could effectively mean all advertisements. […] And I guess it’s worth saying that not all advertising is bad, medium and small businesses will often use targeted ads to get access to customers. Customers sometimes would prefer potentially relevant ads or non relevant ones as well. […] Pessimistic lawyers could interpret this to mean all advertising.” – Uthara Ganesh, Head of Public Policy at Snap India
MediaNama’s Take: Will the Bill affect the bottom line of the online ad industry?
Consent fatigue: The Bill attempts to place the individual at the centre, but this will not necessarily have any financial impact on the online advertising industry or reduce the amount of data they collect because most users are likely to provide consent just to get rid of the pop-ups and go about browsing. The problem of consent fatigue is real.
Nudging users to “Accept”: Moreover, companies will design the pop-ups in such a way that they will nudge you to click accept, for example, by making the “Accept” button stand out while making all other options small or by taking you to a different page with a whole lot of instructions if you want to opt-out of cookies. Here’s BBC’s website served in the EU that does just that:
Redirecting users to external pages: Even though companies are required to provide a range of information to the user before getting their consent, there is nothing in the Bill that prevents companies from just linking out to another page rather than presenting all this information within the pop-up. And by chance, if the user happens to be curious and attempts to read the full notice, it will still be difficult for the user to understand all the different ways data is collected and used.
Financial benefits outweigh costs: While complying with the DPB does increase costs in terms of finance and manpower, most companies will find that the revenue benefits will outweigh the costs. The only companies that are likely to face significant costs are significant data fiduciaries like Google and Facebook or maybe a large website because of the additional obligations they have such as appointing a data protection officer, carrying out impact assessments, etc, but for them, the benefits will definitely outweigh the cost.
Enforcing the law: Another major issue is checking if sites are in fact obtaining free, specific, clear, and affirmative consent or complying with the numerous other obligations of the DPB. While Google has said that it will do periodic reviews of sites that use its products for compliance, this is unlikely to cover all sites because there are hundreds of thousands of web pages that use Google products to collect data used for personalised ads and it’s impossible to ensure compliance of all these sites.
Silver lining: Despite all the ways in which companies might continue profiling users just as much as before, the silver lining is that the Bill gives conscious and concerned users the ability to put an end to it by either declining consent or revoking it later. This autonomy isn’t there now. Secondly, the Bill might at least reduce the amount of sensitive personal data that is collected because of the additional compliance burden such as data localisation. And lastly, the Bill protects children from profiling and targeted ads, which is a much needed reform.
Update, February 16: The last sentence of the last paragraph was rephrased for clarity.