In this Chapter, the Authors explore the regulatory mismatch between the existing EU data protection law and online behavioural advertising (OBA) practices and address the way forward of data privacy regulation in this field. They will first describe the extent of the EU online behavioural advertising market (Section 1) and significant societal issues connected to OBA practices (Section 2). Then, the application of the GDPR in this context will be considered (Section 3) and a series of mismatches will be discussed (Section 4). These include data protection principles, data controllership, consent-based protection, legitimate profiling practices and privacy-by-design and risk-based approach. After reflecting on the reasons for this mismatch, the Authors will present two regulatory options that may constitute the way forward in this field (Section 5). First, different techno-legal reforms will be considered to reinstate data protection in OBA and ensure that users can more effectively consent and control their personal data (Section 6). These include privacy-friendly interfaces, user-accessible options, and controlled browsers’ gate-keeping mechanisms. Second, a new approach to data regulation will be proposed, namely, to regulate data use in OBA (Section 7), dissecting different options: substantive prohibitions, the disclosure of ad selection criteria, and the regulatory attitudes necessary for effective oversight.
Federico Galli, G.S. (2024). The Mismatch between GDPR and Behavioural Advertising: What Way Forward?. London: Routledge.
The Mismatch between GDPR and Behavioural Advertising: What Way Forward?
Federico Galli (first author); Galileo Sartor (second author)
2024
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.