Personal data: the storm rumbles

Part two: Services funded by targeted advertising

A powerful search engine, an email service with generous storage space, a social network that allows instant interaction with photos and videos from around the world: these are all kinds of services that Internet users have grown accustomed to enjoying without spending a cent. Behind the sleek interfaces offered by the Silicon Valley giants are hidden batteries of servers, lined up as far as the eye can see, and armies of engineers: consumers are confusedly aware of that. Someone has to pay for all this, and they know it. “There ain’t no such thing as a free lunch,” and “if it’s free, you’re the product,” they’ve heard it said. But after all, radio stations and most television channels have been financed by advertising for a long time. It’s easy to imagine that online, the same supposedly harmless mechanisms are at work, in a version that is just a little more modern, a little more efficient.

But traditional media have only been using “contextual” advertising: advertisers take into account the program in which their promotional content takes place. The Saturday night soccer audience is not the same as the Sunday morning cartoon audience, and the products that can be expected to sell to them must be tailored accordingly. The same mechanism does exist online, but it is in the minority. The dominant advertising model is, by far, personalized advertising, which is based on an intimate knowledge of each and every Internet user: their age, their socio-professional category, their family situation, their interests. This type of advertising is more effective and much more lucrative. In France, the television industry is in the process of converting to it: Internet boxes and connected screens now offer the technical means to do so. A new window will open on the enchanted world of personalized marketing.

The “free service vs. targeted advertising” business model thus appears at the height of its glory. However, it is possible that this is only an illusion. The very powerful processing of personal data that this business model requires is in conflict with the General Data Protection Regulations and the Electronic Communications Directive (e-privacy). Simple setback or real threat? The question must be asked.

In January 2019, in the “Android” case, the French National Commission on Informatics and Liberty (CNIL) imposed on Google an administrative fine of 50 million euros (our comment here). Two reproaches were mainly addressed to the company. The first was the insufficient clarity of its privacy policy. For Google, the injury was superficial: such a document can always be improved. The second criticism was that it had based its data processing for targeted advertising on the “consent” of users. When an Internet user would create an account, Google would postulate that the user had accepted the advertising tracking through a pre-ticked box, and it was the user’s responsibility to indicate his or her possible refusal with a click: this was an opt-out system. Heavily relying on the notion of consent defined in the GDPR as “a clear positive act”, the CNIL required an opt-in system be put in place. The giant of Moutain View was now supposed to leave the box empty. Therefore, if the Internet user, out of disinterest or out of genuine choice, would scroll through the phases of the registration process without asking to be watched, goodbye revenue from targeted advertising. This was a terrible blow. In this case, the company escaped further condemnation only because it managed to take refuge in Ireland, like many other large American corporations, as explained here.

In December 2020, the CNIL went back at it again. In the specific field of cookies, the CNIL mostly relied on the e-privacy directive rather than the GDPR. In this case, the CNIL did not need to cooperate with the Irish authorities and was able to act as a maverick. It imposed a fine of 100 million euros on Google. During a visit to Google Search, several shortcomings had been observed: the cookie banner was obscure, and one would search in vain for a button that would simply refuse to download files on the terminal. Even before the user had expressed his or her choice, some cookies had already been downloaded. Even if the user had managed to opt for refusal, it was not properly taken into account. This behavior probably owed nothing to chance: here again, the company did not seek to sincerely collect the opinion of Internet users, but to defend its business model.

At this point, a morally comfortable posture is to describe these decisions as a victory of good over evil. But is it really consistent to have allowed the “free service vs. targeted advertising” business model to develop, and then to suddenly assert that exposure to advertising must be a matter for the individual free will of each user? It is absurd to propose to customers to pay the price of a commercial service only if “this is their choice”. Whoever asks the question “will you pay me?” will inevitably cover their ears if someone tries to say “no”: hence the convoluted interfaces, the labyrinthine cookie strips, and the “dark patterns”.

Some then imagined basing the treatment not on the “consent” of the person but on the “necessity for the performance of the contract“. The idea, while controversial, is the following: a web user is indeed bound by a synallagmatic contract. The service is provided to the user in exchange for his or her exposure to targeted advertisements. The argument seems to have been raised by Facebook in its case against Max Schrems’ association None of Your Business.

Readers interested in this argument, and more generally in the issues discussed in this post, may wish to refer to the open access article “Free online service versus targeted advertising: the business model with feet of clay” (only in French for the time being).