The Legislation We Need Right Now To Protect Our Online Privacy

Internet privacy is obviously an important topic today. It is something that needs to be thoroughly discussed and dealt with, and what we do (or don’t do) today is going to have ongoing repercussions for many years to come.

In fact, we are probably several years late to this conversation. It is something that should have been discussed years back. The consequence of not having had that conversation is that the value of our privacy has fundamentally changed in a very short time, and for the most part without our explicit consent (the Cycle of Dispossession). We have normalized the sharing of personal details of our lives and the use by third parties of personal data that most people would have been extremely wary of sharing even 15 years back.

One of the problems in this conversation is where to start. In this article, I suggest what I believe is a pretty good starting point, especially from a legislative perspective. And from an implementation perspective, it appears to be a very feasible and effective starting point.

In this article, I am primarily going to deal with the issue of online targeted advertising with a focus on user privacy. The objective of this article is twofold:

  • Suggest a legislative course of action that hopefully will be considered by respective authorities.
  • Start a conversation – We are late to the conversation. Once you are done reading this article, go ahead and discuss it, share it, comment on it, argue it, praise it, abuse it, come up with your own suggestions – but let’s start an essential conversation and keep it going.

Advertising is essential for almost any form of information-disseminating media to provide its services. Advertisements have been a major source of revenue for newspapers and for television, and today they are a major source of revenue for many Internet companies, including the primary revenue source for most of the social media companies.

The issue has been that while advertisers in newspapers and on television have been subject to tight scrutiny and regulation by regulatory bodies, Internet advertising is subject to negligible regulation by comparison. And this is a highly counterintuitive result, in that the potential for abuse with Internet advertising is far higher. For the most part, the regulation is effected by the Internet companies themselves. And I am not making any value judgements here, but structurally the objective of companies is to provide profits for shareholders – not to look after the people; that is structurally the job of Governments and regulatory bodies.

Should we just ban targeted advertisements?

Of course not! Suppose you are a restaurant in London looking to get more customers – you could advertise offline by putting up billboards around the city. But if you are looking to advertise online and there is no targeting, you could end up showing the advertisement to some kid in Tokyo.

Clearly, some level of targeting is essential.

Now suppose you are a group that promotes various conspiracy theories. The technology today makes it perfectly possible for you to advertise videos claiming the Earth is flat to people who are more likely to believe it, and this includes kids too.

Should something like that be allowed? Maybe, maybe not – but that is a decision that needs to be taken.

Now, I am going to propose the outline of a law that I suggest Governments around the world should enact.

The point of this article is not to suggest what to allow or disallow – but to ensure that any form of data that is used for targeting goes through the filter of formally being allowed by the authorities for the purpose. Anyone actually implementing the law and more importantly, the regulations, can customize the nitty-gritties to his/her own liking.

The following is going to be an outline in simple language that hopefully anyone can easily understand. I am going to avoid any legal terminology. I am also going to leave scope for adding/modifying details.

New Legislation

Any information used by a large online company to target users for advertising purposes must be explicitly approved by the Government/relevant regulatory authority of the country.

First, let’s define what we mean by the following:

information to target – If the content being shown to the user varies depending on the user, information is being used to target the user. If a user in the USA sees prices in dollars for a given product and a user in Spain sees the corresponding price in Euros, the user is being targeted based on their geographic location.

advertising purposes – the content being displayed leads directly or indirectly to some financial benefit for the company. If a third party is paying the company to put that content there, it is advertising. If the user can buy something being displayed, it is advertising. If there is an option to refer the website to other users, and the company can profit from those users, it is advertising.

Another important point to mention is that this would apply to the source advertiser. What does this mean? Take a look at the following screenshot of the homepage of the Worldometer website.

You can notice 3 large banner advertisements on the screenshot. But these advertisements are not placed there by Worldometer themselves. They are provided by a third party, in this case, Google (notice the Ads by Google description on the upper banner that crops up when you hover over the (i) symbol). Here, Google is the source provider. The vast majority of online publishers use third-party advertisement providers such as Google Adsense, Media.net, Taboola, RevenueHits, etc. The responsibility of complying with the necessary regulations would lie with the source providers, since they are the ones actually implementing the algorithm.

large online company – A company with a revenue of at least X per year.

So what is the process of approval?

The targeting data has to fall under one of the categories specified in either of 2 lists:

List 1: A Government defined list of pre-approved categories of data that can be used for targeting purposes without further approval.

List 2: A product specific list of categories, each of which has been individually approved by the Government or regulatory body for the specific company to use, made easily visible and accessible to every user of the website/app.

List 1: The Government or relevant regulatory body should compile and maintain a list of dimensions of data that internet companies are free to use to target customers with advertising content. Ideally, the Government should constantly monitor the validity of the list and update it to keep up with technological developments.

Each item on the list should contain at least the following details:

  • A short, easily understandable description of the category
  • A longer elaboration of exactly what is covered under the category. There should ideally be no room for ambiguity.
  • A specification of the minimum level of user consent required for implementation of this category – whether the product can use such data without explicit user consent, whether it needs to be specified in the overall Terms & Conditions of use of the product, whether the user needs to provide separate explicit informed consent, etc.
  • Third party data sourcing – Can a product use data of this category that has been provided by the user to some third-party service? For example, you search for a wrist watch on Amazon and the next time you visit Facebook you see a bunch of advertisements for wrist watches – should such third party data sharing be allowed for this category of data?

List 2: Any targeting data that a company uses that is not covered in List 1 must be explicitly approved by the Government. All such approved categories must be compiled into a file (preferably PDF) that is made easily visible and accessible to users for their reference.

I propose the following structure of the file to ensure that the most important information and implications are immediately clear and the most important points would not require any extensive searching from the user’s perspective:

1 line heading to be decided by the Government

[A description of the type of information contained in the file. Any information that the company might wish to communicate about its service. This section should not exceed a maximum of 5 sentences or 500 characters, whichever is less.]

This should be immediately followed by a table containing the list. The items in the list should follow the following structure:

1. A short, easily understandable, unambiguous description of the information used | Level of user consent required
   Click here for more details (link to further explanations later in the document) | Third party data sourcing

The items in the list must refer to the actual data being processed. For example, suppose a Social Media company displays ads to users based on their interests. These interests are calculated based on the following 5 data points that they collect for each user – accounts interacted with, pages liked, posts clicked on, amount of time spent on each post and frequency of keywords used while commenting. The company cannot specify a single item, “User Interests”. That is what they are algorithmically processing. We are not concerned with the algorithm here; we are concerned about the data being used. Hence, it must have each of the 5 data points separately approved and listed in the list. Furthermore, these descriptions should be clear and unambiguous. No attempts at obfuscation should be accepted by the regulators.

Further details about each of the items should be provided later on in the document – after each item has been listed in the above manner.

The third-party sourcing information should list exactly which third parties, if any, the corresponding data is being sourced from.

And that is it! Such a system provides an appropriate regulation and approval mechanism for Governments. Furthermore, it helps promote user awareness by making an easily readable list easily accessible to users. Also, it should prevent companies from using data for targeting that they might consider ethically questionable, since such information is now going to be clearly and unambiguously accessible to every user.


A debate worth having – Should we expand the scope of the above legislation to all targeted content instead of just targeted advertisements? There were 2 major reasons why I opted for just targeted advertisements. Firstly, expanding it to targeted content could hamper the speed of innovation. Companies would have to go through extensive procedures to test out new product features. Secondly, extending it to targeted content could give Governments too much control and the potential for abuse by more authoritarian Governments. For example, a Government could block essential features of a company it is not very friendly towards, and affect their very functioning and not just their monetization options. There is a valid argument that the primary currency of some of the largest Internet companies (Google, Facebook, Twitter, etc.) is targeting user behavior more than user consumption. And there is a need to regulate the behavioral surplus data that many tech giants accumulate. But perhaps we should tackle that issue separately.

Let’s continue the conversation!
