Improving Privacy Protection in the area of Behavioural Targeting

This PhD thesis discusses how European law could improve privacy protection in the area of behavioural targeting. Behavioural targeting, also referred to as online profiling, involves monitoring people’s online behaviour, and using the collected information to show people individually targeted advertisements. To protect privacy in the area of behavioural targeting, the EU lawmaker mainly relies on the consent requirement for the use of tracking technologies in the e-Privacy Directive, and on general data protection law. With informed consent requirements, the law aims to empower people to make choices in their best interests. But behavioural studies cast doubt on the effectiveness of the empowerment approach as a privacy protection measure. Many people click “I agree” to any statement that is presented to them. Therefore, to mitigate privacy problems such as chilling effects, this study argues for a combined approach of protecting and empowering the individual. Compared to the current approach, the lawmaker should focus more on protecting people. The PhD thesis is a legal study, but it also incorporates insights from other disciplines, such as computer science, behavioural economics, and media studies. This study is among the first to discuss the implications of behavioural research for European data protection policy. The topic of whether data protection law should apply to pseudonymous data is discussed in depth. The study contains a detailed analysis of the role of informed consent in data protection law, and gives much attention to the tension between protecting and empowering the individual within data protection law.

💡 Research Summary

This doctoral thesis, “Improving Privacy Protection in the area of Behavioural Targeting,” presents a comprehensive legal analysis of how European data protection law should evolve to address the privacy challenges posed by behavioural targeting (online profiling). The study argues that the current regulatory framework, which heavily relies on obtaining user “consent,” is insufficient and should be complemented by stronger protective measures.

The thesis begins by deconstructing the technological process of behavioural targeting into five phases: data collection, storage, analysis, disclosure, and the final targeting of advertisements. It highlights the complex ecosystem involving tracking technologies (like cookies and fingerprinting), data brokers, and advertising networks that compile detailed profiles of individuals’ online behavior.

A core contribution of the work is its interdisciplinary critique of the “informed consent” model, a cornerstone of data protection law. The author integrates insights from behavioural economics to demonstrate that this model is built on flawed assumptions of user rationality. In practice, consent mechanisms are undermined by cognitive biases, information overload, default settings, and the “privacy paradox” (where expressed concerns do not translate into protective actions). Therefore, merely empowering users through notice and choice often fails to provide meaningful privacy protection.

The legal analysis delves into key debates, such as whether data protection law should apply to pseudonymous data. The thesis compellingly argues that behavioural profiles, even when not directly linked to a name, can single out individuals and affect them, thus warranting legal protection. It also provides a detailed examination of the principles of European data protection law, including transparency, fairness, and purpose limitation.

The final part of the thesis proposes a two-pronged approach for legal reform. First, to improve empowerment, it suggests making consent more meaningful through simplified privacy notices, standardized icons, robust “Do Not Track” standards, and stronger enforcement. Second, and crucially, it argues for improving protection by advocating for more mandatory, paternalistic rules that apply regardless of consent. These include stricter application of the data minimization principle, limitations on the processing of sensitive inferences drawn from profiles, and greater user control over automated decision-making.

In conclusion, the study posits that effective privacy protection in the age of behavioural targeting requires moving beyond a naive reliance on individual consent. Instead, it calls for a balanced legal framework that synergistically combines tools for empowering individuals with substantive rules designed to protect them from inherent power imbalances and manipulative practices in the digital advertising landscape.