New Technologies

Online Behavioural Advertising: Balancing Privacy and User Experience

Monitoring internet surfing can give a detailed picture of a person’s online life.

In the context of a general public sensitivity to surveillance of activity and behaviour, there is much debate on legislation governing behavioural targeted advertising.

What is behavioural targeted advertising?

In principle, it is the kind of online advertising that is displayed differently to the user depending on his interests. So, unlike a newspaper ad, which is seen by all readers irrespective of their specific interests and profile, some ads displayed on a website may be seen only by certain users based on their online profile of interests and concerns.

Usually, the profile is drawn by using data collected from cookies. These data, in principle, do not offer information that allows identification of the user, but are useful to create a general profile of interests.

Most internet users have installed cookies, which primarily make web browsing easier and are used to display behavioural targeted advertising.

There are a number of rules on the use of cookies, including the user’s: (i) right to be clearly informed, (ii) right to choose whether his behavior is tracked online by offering an express consent and the possibility to withdraw it, and (iii) option to access and change his interest categories. If these rules are followed, the consumer should not be affected.

When does behaviourally targeted advertising become sensitive?

Typically, concerns come from the following three areas.

The level of detail and analysis of online behaviour

The more collected and processed information is detailed and individualised, the higher the anxiety level.

This category includes storage and processing by internet providers of (almost) all subscriber data traffic, and detailed analysis of these data to provide profiling and behavioural targeted advertising.

These techniques, known as “deep packet inspection”, are generally used in partnership with a company to which all user traffic is transmitted. The internet provider usually earns from the ultimate advertising beneficiary a certain sum per user.

Romanian legislation requires prior express and informed consent from the user and other additional obligations designed to protect him.

However, there is an intense debate at the European level on the impact of these services on privacy. Basically, both internet providers and the counterparty are given access to “inspect” the entire online activities of users who have agreed to it. Although it is not intended to find out the users’ personal identification, so much information is gathered that it is easy to identify the user.

Penalties for breaching laws related to data protection can reach 2% of the turnover of the internet provider.

However, a crucial question is how many users really understand, even after reading the information provided by suppliers, the implications to privacy from benefiting from the respective services.

The sensitivity level of the collected information 

Few users would be affected if a shoe manufacturer created an anonymous user to follow a forum discussion about beach sandals.

But the user’s comfort level would fall if, for example, a manufacturer of milk powder for children suffering from disease created a user to anonymously track a private forum of discussions between the parents of the children.

Labelling a user’s activity

A relevant example for this case is the assignment to smart phone users of a unique identification code and tracking their activity on websites, social media platforms, and application stores to provide behavioural targeted advertising.

The information collected via mobile phones is extremely valuable to advertising agencies, but it has stirred up so much debate among consumers the smart phones producers are looking for ways to give up this technology.


Given the above questions and concerns, the European Commission’s concern to monitor and restrict access opportunities to data users is understandable. With the adoption of the new European Regulation on the protection of individuals in the processing of personal data and on the free movement of such data, regulations and (especially) sanctions are likely to significantly increase.

At the same time, if correctly used and only for the declared purpose, these data are extremely useful for the advertising industry. Also, the technology is progressing so fast that, for any legal restriction of today, a new technology will come out tomorrow that will likely not be covered by the existing regulatory framework

The question remains: What is the right balance between regulation and ensuring freedom of movement in an industry that progresses very quickly?