Online Advertising & Tracking
Background
Massive troves of personal data are collected and transferred within the targeted advertising ecosystem. This ubiquitous tracking of everything we do online poses threats to consumers’ privacy, autonomy, and security.
Documents
Massive troves of personal data are collected and transferred within the targeted advertising ecosystem. Due to the failure of policymakers in the United States to establish adequate privacy laws and regulations, online firms have been allowed to deploy commercial surveillance systems that collect and commodify every bit of our personal data. The platforms and data brokers that track us across the internet and build detailed profiles to target us with ads also expose us to ever-increasing risks of breaches, data misuse, manipulation, and discrimination.
Online trackers collect millions of data points about us each day that are sold or transferred to data brokers, who then combine them with other personal data sources to build invasive profiles, largely to target people with “personalized” advertisements that stalk them across the web. Ads designed to follow users across the Internet can be exhausting and annoying; Americans are inundated with an estimated 5,000 ads daily, up from 500 a day in the 1970s.
Some targeted ads aren’t just annoying — they can be predatory and harmful, using people’s online behavioral data to reach vulnerable consumers that meet specific parameters. People searching terms like “need money help” on Google have been served ads for predatory loans with staggering interest rates over 1,700%. An online casino targeted ads to problem gamblers offering free spins on its site. In another example, a precious metals scheme used Facebook users’ ages and political affiliations to target ads to get users to spend their retirement savings on grossly overpriced gold and silver coins. In 2019, the Department of Housing and Urban Development sued Facebook for engaging in housing discrimination by allowing advertisers to control which users saw housing ads based on characteristics like race, religion, and national origin.
This ubiquitous tracking of everything we do online, and the entities that aggregate and monetize it, poses threats to consumers’ privacy, autonomy, and security. And it shouldn’t be allowed to continue unregulated. Much of the pervasive tracking that drives targeted ads is not necessary. EPIC has long advocated for strong data minimization rules that limit data collection and use to what is necessary to provide the product or service the consumer has requested. A strong data minimization rule would allow companies to continue advertising to their intended customers but in a way that doesn’t involve ubiquitous tracking of our every movement online.
Online tracking and Mass Data Collection Happen Mostly Outside of Consumers’ View
Much of the collection of personal data happens so routinely and automatically in the online ecosystem that consumers have little to no knowledge of its scope. Tracking systems are embedded in most websites, apps, and services and begin to collect information as soon as a consumer connects to a service. Indeed, with the increasing proliferation of “smart” devices in homes, offices, and other locations, the collection of personal data frequently happens even when customers aren’t intending to interact with an online service at all. And other activities like credit card purchases and even physical movements can be logged and tracked without the consumer’s awareness or control.
Personal Data Collected from Across the Web is Linked and Aggregated
These pieces of personal data about us are then linked through identifiers used to track, profile, or target us across the online ecosystem. Data about what consumers do online can be linked to them automatically if they are browsing a site or using an app or service that already knows them through an established login or known credential (e.g., e-mail address, phone number, or username), but there are many other ways that data can be linked even by unknown third parties. When data is collected about activities of a consumer using a computer or mobile device, a device ID can be used to link that data with other data sets or profiles about the consumer. Web browsers use small files called “cookies” to store information about a user’s interactions with the sites they visit, and many firms engaged in commercial surveillance have used versions of these files commonly referred to as “third party tracking cookies” to collect information about what sites users are visiting. And even when a user’s browser or device is configured to block these tracking cookies or to not broadcast unique identifiers, online entities can use information about the consumer’s computer configuration (e.g., operating system, browser, versions, etc.) as a sort of “fingerprint” to link their data across apps, sites, and services.
For example:
Personal Data is Used to Create Intimate Profiles and Sold
This aggregated personal data is then used to create intimate profiles about us in order to target us with “personalized” advertisements that stalk us across the web.
Some of the companies operating in the online ad tech space specialize in building or “enriching” consumer profiles, while others merely buy, combine, and sell data sets from many different sources. Many of these services are used by companies engaged in targeted advertising and marketing to identify audiences that fit within specified demographics or to find “look alike” audiences based on existing customer or target lists. The FTC has found that these data brokers “combine and analyze data about consumers to make inferences about them, including potentially sensitive inferences.” The largest companies, like Acxiom and Oracle, offer a panoply of targeting and profiling tools. And the advertising platforms themselves, including Facebook and Google, also offer their own audience analytics tools. These companies profit off data harvested from consumer activities and transactions in ways entirely outside the expectations of consumers in their interactions with the websites they visit. Using raw data, data brokers and ad tech companies often summarize people with tags such as “working-class mom,” “frequent alcohol drinker,” “financially challenged,” or “depression sufferer.”
For example:
The goal of these and other similar systems is to enable companies to track and target specific users based on what they watch, what they read, what they buy, who they know, and where they go. And data brokers are continually expanding their reach deeper and deeper into the private lives of individuals, especially as connected devices, services, and even audio and visual sensors become more prevalent on streets, in stores, in offices, and in homes. Commercial surveillance has become impossible to avoid.
The Real-time Bidding Market: A Commercial Surveillance Machine
One of the largest systems of commercial surveillance, tracking, and profiling is the online advertising process known as real-time bidding (RTB), which is the engine that tracks and shares what people view online and their location in order to drive targeted advertising. The Interactive Advertising Bureau has explained how ubiquitous this process is: there is “not a single website publisher, mobile app, or advertising brand today that doesn’t participate in real-time systems for buying or delivering personalized ads to consumers.” RTB systems rapidly relay information about consumers to facilitate auctions that sell digital ad space in real time. “The hundreds of participants in these auctions receive sensitive information about the potential recipient of the ad—device identifiers and cookies, location data, IP addresses, and unique demographic and biometric information such as age and gender.” This “bidstream” data flows to hundreds of entities (including domestic and foreign entities that have no intention of actually serving ads) and are used to “compile exhaustive dossiers about” consumers that “include their web browsing, location, and other data, which are then sold by data brokers to hedge funds, political campaigns, and even to the government without court orders.” (source)
A recent study from the Irish Council for Civil Liberties (ICCL) found that the RTB market alone exposes the average American’s data 747 times per day. This means U.S. Internet users’ online activity and location is being tracked and disclosed 107 trillion times per year. ICCL cited some dangerous examples of the use of this data:
Consumers Should be Able to Use the Internet Without Surreptitious Monitoring
Consumers should be able to use their devices and apps and browse the internet without fear that every click will be added to a profile and used to push them towards buying something. Commercial surveillance entities surreptitiously monitor consumers’ browsing and purchasing habits, then use them to infer sensitive personal characteristics and modify consumer behavior. For example:
The average consumer cannot reasonably avoid this mass data collection and abuse. Participation in modern society requires being online. But it should not require sacrificing your privacy. As long as businesses are only collecting the data necessary to provide consumers with the goods and services they have requested, data processing is not generally a cause for concern. But the average consumer has no way to control what data businesses collect about them as they browse the web or use mobile apps, and they certainly do not have a way to prevent those businesses from selling that data once they have collected it or using it for out-of-context secondary purposes like profiling and targeting.
The Solution: Strong Data Minimization Rules
Most online transactions and interactions between businesses and consumers can be carried out without the customer’s personal data being sold, transferred, or stored to be used for an unrelated secondary purpose. Consumers reasonably expect that when they interact with a business online, that business will collect and use their personal data for the limited purpose and duration necessary to provide the goods or services they have requested. Data minimization sets limits on processing which requires data to be used specifically to deliver the goods and services that an individual has requested, consistent with the consumer’s expectations. Laws and regulations should incorporate a data minimization provision that prohibits businesses from collecting or using personal data beyond what is necessary to provide the products or services the consumer requests.
Human beings are more than data points to be sold to advertisers and data brokers. We all deserve privacy and autonomy with respect to our personal information. Individuals should be allowed to browse the internet or scroll through their favorite apps without worrying whether companies will use their own data in ways they do not anticipate. Data minimization offers a practical solution to a broken internet ecosystem by providing clear limits on how companies can collect and use data. Learn more on EPIC’s data minimization page.
Recent Documents on Online Advertising & Tracking
-
Amicus Briefs
Calhoun, et al. v. Google
US Court of Appeals for the Ninth Circuit
EPIC’s brief supports the Plaintiffs’ arguments that a jury could find that a reasonable user understood Google’s specific heightened privacy promises contained in the Chrome Privacy Notice to mean that Google would not collect the information it expressly promised not to and therefore that Google did not establish the affirmative defense of consent.
-
Complaints
EPIC CFPB Complaint: Rocket Money
EPIC and the NYU Tech Law and Policy Clinic filed a complaint with the CFPB against financial technology company Rocket Money, alleging unfair, deceptive, and abusive trade practices and violations of the the Fair Credit Reporting Act.
-
APA Comments
Disrupting Data Abuse: Protecting Consumers from Commercial Surveillance in the Online Ecosystem
Federal Trade Commission Proposed Trade Regulation Rule on Commercial Surveillance & Data Security
-
Testimony
Hearing on Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security
Testimony of Caitriona Fitzgerald, EPIC Deputy Director, on the American Data Privacy & Protection Act.
Top Updates
Resources
-
Are There Economic Grounds for Regulating Behavioral Ads?
Pegah Moradi, Cristobal Cheyre, Alessandro Acquist | 2024
-
Against Engagement
Neil Richards and Woodrow Hartzog | 2024
-
Privacy Nicks: How the Law Normalizes Surveillance
Woodrow Hartzog, Evan Selinger, Johanna Gunawan | 2023
-
The Biggest Data Breach
Irish Council for Civil Liberties | 2022
-
You are the Object of a Secret Extraction Operation
Shoshana Zuboff | 2021
-
Privacy Harms
Danielle Keats Citron & Daniel Solove | 2021
-
Privacy Rights Are Civil Rights. We Need to Protect Them.
David Brody & Gaurav Laroia | 2021
-
Out of Control: How consumers are exploited by the online advertising industry
Norweigian Consumer Council | 2020
-
Discrimination in Online Ad Delivery
Latanya Sweeney | 2013
EPIC's Experts on Online Advertising & Tracking
-
Sara Geoghegan
EPIC Senior Counsel
-
John Davisson
EPIC Senior Counsel and Director of Litigation
-
Caitriona Fitzgerald
Deputy Director
Support Our Work
EPIC's work is funded by the support of individuals like you, who help us to continue to protect privacy, open government, and democratic values in the information age.
Donate