In September 2020, the European Data Protection Board (EDPB) released new guidelines on the targeting of social media users (Guidelines) for consultation.

Background

The Guidelines address the privacy risks and legal issues that arise when social media services are used to direct specific messages to users based on particular criteria, such as the users’ perceived interests, preferences and socio-demographic characteristics.

 A typical example of this is when a brand (or ‘advertiser’) advertises their products or services on individuals’ social media platforms. Through programmatic advertising (the automated buying and selling of online advertising) and the process of ‘real-time bidding’ (the automated bidding of display advertising inventory in real-time) in particular, advertisers can place personalised adverts on individuals’ social media platforms (e.g. through content feeds or ‘stories’). This process usually involves processing personal data in bid requests, which can include individuals’ web browsing history, age, gender, location and network connections. Advertisers submit bids to have their adverts placed on individuals’ social media pages based on the perceived likelihood that the individual will be interested. Generally, the more detailed the bid request, the higher the bids are likely to be, so there is more incentive for the parties involved to collect as much personal data as possible through the use of tracking technologies or otherwise. Further, parties within the ad tech ecosystem (such as data brokers) may augment the data collected from the bid request with information from other sources (including offline sources), which they might sell to other stakeholders involved in the targeting process.

The Guidelines split the types of actors involved in the targeting process into four different groups, namely: (1) social media providers; (2) social media users; (3)  targeters (e.g. advertisers); and (4) ‘other actors’ which may be involved (e.g. supply side platforms (SSPs), demand side platforms (DSPs), data management platforms (DMPs), data brokers, ad networks and ad exchanges).

The Guidelines identify the potential risks of targeting for social media users, such as loss of control over personal data, potential discrimination and potential manipulation of individuals (as targeting mechanisms seek to influence individuals’ behaviour and choices).

The Guidelines also seek to clarify the roles, responsibilities and relationships between social media providers and targeters and explain the key data protection requirements and documentation that should be in place.

Continue Reading EDPB releases draft guidelines on the targeting of social media users

The Centre for Data Ethics and Innovation (CDEI) is inviting submissions to help inform its review of online targeting and bias in algorithmic decision making.

Online targeting

Online targeting refers to providing individuals with relevant and engaging content, products, and services. Typically users experience targeting in the form of online advertising or personalised social media

Responding to news reports that journalists were able to purchase advertising on Facebook targeted to ethnic groups, Facebook announced several new changes to the company’s advertising products. The move highlights heightened scrutiny of advertising practices surrounding the increasing use of big data in many aspects of marketing and advertising.

Facebook’s response grew out of a ProPublica report published on October 28, 2015 detailing how journalists were able to purchase ads targeted to house hunters on Facebook,, all while excluding specific “Ethnic Affinities,” such as African-American, Asian-American or Hispanic people.  The report raised significant ethical and legal questions on how the features that enable advertisers to target their ads can be misused for discriminatory purposes.  The potential for interactive computer service providers to violate anti-discrimination laws has drawn attention for several years, especially following the decision of the Ninth Circuit Court of Appeals in the Roommates decision, which held that the that immunity provided by the Communications Decency Act (CDA) for online operators did not apply to an online service that offered questionnaires and selections to online participants that could facilitate discrimination against protected classes. See Fair Hous. Council v. Roommates.com, LLC, 521 F.3d 1157, 1166 (9th Cir.2008) (en banc).
Continue Reading Facebook Implements Additional Measures to Prevent Discriminatory Practices in Targeted Advertisements

The Federal Trade Commission is currently the most aggressive enforcement agency on privacy and data security. The agency kicked off 2016 with PrivacyCon on January 14, which put the spotlight on academic research on consumer privacy and security.

The conference, which drew 400 attendees to Southwest D.C. and 1,500 more streaming online, showcased 19 papers on topics ranging from mismatched consumer privacy expectations online to the costs and causes of cyber incidents, with many papers focusing on the technology of online tracking. While the papers presented do not necessarily reflect the view of the FTC, it is likely that they selected presenters and findings that are consistent with their enforcement priorities.
Continue Reading FTC’s PrivacyCon Highlights Consumer Privacy Perceptions and Targeting

On 22 December 2015, the European Commission announced its next steps towards completing the single market for cross-border parcel delivery. The Commission’s aim is to enhance price transparency and regulatory oversight of the parcel market over the coming year, thereby providing consumers and businesses with better access to digital goods and services across Europe.

Cross-border parcel delivery is considered to be one of the key drivers of e-commerce, and forms part of the Commission’s strategy on achieving a Digital Single Market (‘DSM’). The Commission believes that affordable and high-quality, cross-border delivery can build consumer trust in cross-border online sales, and can stimulate the growth of e-commerce. However, high prices and inefficient deliveries between Member States have deterred consumers and businesses from buying and selling online.
Continue Reading European Commission targets cross-border parcel delivery as part of its Digital Single Market Strategy

Still recovering from its 2013 data breach, Target Corp. agreed to a $39 million settlement with a class of banks suing the well-known retailer, marking the settlement as the first class-wide data breach pact ever reached on behalf of financial institutions.

Target’s data breach exposed 40 million credit and debit cards to fraud during the 2013 holiday season. The Minneapolis-based company’s breach still ranks among the most high-profile data incidents to hit retailers in recent years.

The class-wide pact stems from a consolidated class action complaint filed in August 2014 to recover an estimated $200 million in losses stemming from the breach, including costs to reimburse fraudulent charges and issue new payment cards. The complaint alleges that Target failed to take precautions to protect consumer data and violated the Minnesota Plastic Card Security Act.
Continue Reading Target Agrees to $39 Million Settlement with Credit Card Issuers’ Data Breach Claims

Before September 15, 2015, no federal court had certified a class action to litigate security breach claims. But now U.S. District Court Judge Paul A. Magnuson, overseeing the In re: Target Corporation Customer MDL, has certified as a class:

All entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.

This certified class representatives will litigate three claims on behalf of all such issuers: that Target was negligent in failing to provide sufficiently secure customer data; that Target violated Minnesota’s Plastic Security Card Act (“PCSA”); and that this violation of Minnesota law constituted negligence per se.

In opposing class certification, Target had maintained that no classwide proof of injury existed, especially given variations in state laws. Target also contended that damages would have to be calculated on a bank-by-bank basis, making class adjudication untenable. The court considered and rejected both of these arguments in turn.
Continue Reading FINANCIAL INSTITUTIONS MAKE HISTORY IN TARGET MDL, FIRST CLASS ACTION CERTIFIED IN FEDERAL COURT TO LITIGATE SECURITY BREACH ISSUES

More than a year-and-a-half after Target’s December 2013 announcement of a massive data breach, the retailer has reached an agreement with Visa, whereby it will reimburse Visa and certain affected card issuers up to $67 million for expenses incurred in connection with the breach.  This will include costs associated with reissuing cards. The agreement comes three months after the company’s proposed $19 million settlement with MasterCard fell through as not enough banks accepted the deal.  The MasterCard deal required the approval of 90 percent of banks representing cardholder accounts that were affected by the breach. The Visa deal is less likely to fall apart because it was conditioned on a majority of issuers entering into direct settlements with Visa and Target, which Visa has since certified.  According to sources within the company and at MasterCard, the retailer is also renewing efforts to settle with MasterCard on a similar basis.

Meanwhile, a class certification motion hearing on behalf of the financial institution plaintiffs is scheduled to be held September 10, 2015.  According to lead counsel for the plaintiffs, Charles Zimmerman of Zimmerman Reed PLLP, plaintiffs seek to hold Target accountable for damages “far greater than what has been offered under this settlement.”  Zimmerman further contends that “[j]ust as with the proposed MasterCard settlement… [the Visa deal] was negotiated under a veil of secrecy without the involvement of the court or the court-appointment legal representatives of financial institutions.”
Continue Reading Target Reaches $67 Million Settlement with Visa over Data Breach Claims

A proposed settlement has been reached in the multi-district consumer litigation Target faces following a data breach that compromised at least 40 million credit cards during the 2013 holiday shopping season. The settlement, which requires Target to pay $10 million into a settlement fund and adopt specific data security measures, still needs court approval.

If