By John Weaver
Targeted advertising has emerged as one of the most important marketing tools of the last decade. It relies on data analysis of users or viewers in order to help the advertising company identify the most receptive audience and show advertising only to that demographic. In early forms, the advertising company selected a program or publication that was known to be popular among the desired audience: sports car ads went in Popular Mechanics to appeal to adult males; family wagon ads ran during Family Ties to appeal to adults with children; etc. This still exists, but online activity and mobile device usage has vastly improved the ability of marketers to identify and target key audiences in those mediums. Instead of appealing to broad demographics like adult males or adults with children, marketers can identify much more specific audiences: college-educated women between the ages of 39 and 50 with incomes between $50,000 and $100,000; males between the ages of 14 and 18 that have recently read The Ringer; etc.
Making these distinctions requires data analysis, and increasingly that data analysis is performed by algorithms and other forms of artificial intelligence, which may autonomously review the relevant user data and coordinate advertising on social media or other online outlets in response to that analysis. If your business does this and you have customers in the European Union, you should be aware of the requirements of the EU’s General Data Protection Regulation.
Article 22(1) of the GDPR grants EU residents “the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” The automated processing the GDPR refers to can include targeted online advertising, if that advertising significantly affects an EU resident. When determining whether or not that occurs, you should consider:
- the intrusiveness of the profiling process;
- the expectations and wishes of the individuals concerned;
- the way the advertisement is delivered; and
- the particular vulnerabilities of the EU residents targeted.
Given that non-compliance with this requirement carries potential administrative fines up to the greater of 20 million euros or 4% of your total worldwide revenue from the preceding financial year, companies are incentivized to affirmatively show that they are using AI and autonomous technology in a way that complies with this requirement. Your privacy policy, or a separate AI policy, can be an appropriate platform to do that.
The first step is to perform an assessment of your marketing practices to (a) determine whether or not they rely on AI for profiling or automated decision making, and, if so, (b) isolate what decisions are made by AI and then classify them as either (i) decisions that produce legal effects or similarly significantly affect EU residents, or (ii) decisions that do not. Bear in mind that Article 4(4) of the GDPR defines profiling quite broadly as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
That’s the essence of online targeted marketing. So if you use that marketing tool, you likely are already on step (b) and should review specific AI decision making processes within your organization. We are able to help perform assessments of your AI and marketing practices, classify them for GDPR purposes, and prepare appropriate public-facing and internal policies under the GDPR. Our experience is that being proactive with assessments and policies like these improves your AI and marketing strategies, as the process forces a more thorough examination and helps ensure regulatory compliance going forward.
Privacy & Data Security Blog 