Rolf H. Weber and Florent Thouvenin

3.2 The Legal and Ethical Aspects of Collecting and Using Information about the Consumer

Abstract: On the Internet, consumers and citizens are increasingly monitored and tracked. The collection and use of information about consumers serves different goals, has various legal implications and raises important ethical questions. From a legal perspective, the most important issue is the compliance of such activities with data protection law. Today, such compliance is often doubtful given that the collection and use of information about consumers often lacks the transparency required by law and fails to meet the relatively high standard of informed consent. From an ethical perspective, transparency seems to be key as well. Given that the long-term success of Internet businesses will depend on their compliance with the applicable law and on consumers’ trust, providing full transparency with regard to the entire process of collecting and using information about consumers seems to be crucial.

1 Introduction

In recent years, the Internet has evolved from a communication platform to a place of work, leisure and consumption that encompasses almost all kinds of everyday activity. While the function of a communication platform is still a key issue, many activities that go beyond that of mere communication can be conducted online, e.g. shopping¹ and mobile banking. With the increasing mobile use of the Internet, it is possible to write or read e-mails,² visit websites,³ or use social media⁴ almost anywhere and at any given time. With the use of mobile wearable or ingestible devices that we will carry on or in our bodies, we may even reach the point where we have only one connection left to the outside world: our personal connection to the Internet.

Although such a pervasive Internet scenario may still sound somewhat futuristic, and although one can think of many ways in which people would try to avoid living in such a world, many aspects of our everyday activities, both as citizens and consumers, have already changed fundamentally. The migration of these activities into an online environment has created a broad range of opportunities for commercial activities: first, businesses can collect vast amounts of information about consumers given that their online activities can be easily tracked, stored and analysed in order to better understand the needs and wishes of every individual consumer. Second, electronic communication allows the tailoring of products and services as well as prices to every individual consumer based on previously collected information. Against this background, we will outline some of the most important ways of collecting and using information about consumers and assess the legal and ethical implications of such activities.

2 The Reality of Consumers’ Online Activities

2.1 Collecting Information about Consumers

Surfing on the Internet is far from being an activity devoid of consequences; anyone who uses the Internet leaves data tracks both intentionally and unintentionally.

2.1.1 Self-published Data

Internet users, particularly social network users, voluntarily disclose a plethora of personal information on the Internet.⁵ This information, which is often almost as good as publicly available, typically relates to information about the users’ public but also private life (e.g. addresses, dates of birth, credit card numbers, phone numbers, etc.) and to pictures disclosing further personal elements about the user.

2.1.2 Monitoring Online Behaviour

The monitoring of consumers’ online activity primarily aims at collecting consumer data in order to improve existing online processes, deliver better services and provide a better user experience. Additionally, online monitoring is used for security reasons to protect consumers and service providers against malicious online activity. The activity of Internet users can be monitored by observing their digital footprints. Such footprints result e.g. from information voluntarily disclosed by users on websites, the Internet Protocol (IP) addresses of the devices used and further information gathered through the use of cookies and other tracking methods.

IP addresses: To be present online, individuals’ and businesses’ electronic devices need to have a specific, non-physical IP address, which is a numerical label assigned to each device that is connected to the Internet. IP addresses cannot be directly controlled by the users themselves since the allocation of such addresses is (directly or indirectly) derived from the Internet Address Registries. Online electronic devices “communicate” through the use of a traceable IP address, thereby leaving data tracks on visited websites. Monitoring mechanisms record the IP addresses used to automatically analyse the users’ origin, the nature of their requests and the average time spent on the Internet in general and on certain websites in particular⁶. In addition, these addresses enable the (at least temporary) assignment of data to certain users which can help to identify potentially illegal activities. The advertising industry, however, uses IP addresses to track individual users and to rate the value of an advertisement.⁷

Cookies and Other Applications: When a user requests a website, quite often, so-called “Internet cookies” are downloaded on the user’s electronic device. These small pieces of information can be used either by the website’s operator or the provider of an advertising banner implemented in such a website and may contain an identifier, typically a string of random letters and numbers.⁸ Cookies enable servers to identify users by assigning information logged on the server to individual users, thereby enabling advertisers to track users so that they can target them with personalised advertising.⁹ Further, so-called “web beacons” are used. Web beacons are graphics that are embedded in websites or e-mails pursuing the purpose of online tracking. They enable the originator to determine who accessed a website or read an e-mail, at what time and from which computer such activity took place, etc. In addition to Internet cookies and web beacons, so-called “device fingerprinting” is gaining in importance. For this fingerprinting process, various information about the user’s browser, operating system, system colours, installed plug-ins and typefaces is gathered which, combined, ultimately produces a digital fingerprint of a specific device. This process can be used to identify the user’s device when cookies are not available. In combination with other data, conclusions about the type of device used and the respective Internet user may be drawn.
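The web beacons described above can be audited from the recipient’s side. The following Python sketch is an added example, not part of the original chapter: it flags images that are invisible and either load from a third-party host or carry an identifier-like query value. The heuristics, the 16-character threshold, the host names and the sample e-mail are assumptions constructed for illustration.

```python
"""Flag likely web beacons (tracking pixels) in an HTML e-mail or page."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumption: a query value of 16+ URL-safe characters may be a per-recipient ID.
ID_LIKE = re.compile(r"^[A-Za-z0-9_-]{16,}$")
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY_DIM = re.compile(r"\s*[01]\s*(px)?\s*", re.I)


def _tiny(value):
    """True for a width/height attribute of 0 or 1 (optionally with 'px')."""
    return value is not None and TINY_DIM.fullmatch(value) is not None


class _BeaconFinder(HTMLParser):
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.findings = []

    def _is_third_party(self, host):
        return (bool(host) and host != self.first_party
                and not host.endswith("." + self.first_party))

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = dict(attrs)
        src = attr.get("src") or ""
        try:
            parts = urlsplit(src)
            host = (parts.hostname or "").lower()
        except ValueError:  # malformed URL: nothing to attribute, skip it
            return

        # A beacon is not meant to be seen: 1x1 / zero-size or hidden via style.
        # (Sizes set only through CSS width/height are not covered here.)
        invisible = ((_tiny(attr.get("width")) and _tiny(attr.get("height")))
                     or bool(HIDDEN_STYLE.search(attr.get("style") or "")))
        if not invisible:
            return

        reasons = ["invisible image"]
        if self._is_third_party(host):
            reasons.append("third-party host")
        for name, value in parse_qsl(parts.query):
            if ID_LIKE.match(value):
                reasons.append(f"identifier-like parameter '{name}'")
        # An invisible first-party image without an ID is treated as a spacer.
        if len(reasons) > 1:
            self.findings.append({"src": src, "host": host, "reasons": reasons})


def find_beacons(html, first_party_host):
    """Return one finding per suspected beacon, in document order."""
    finder = _BeaconFinder(first_party_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample e-mail body; all hosts and identifiers are made up.
SAMPLE_EMAIL = """
<html><body>
<img src="https://shop.example/logo.png" width="200" height="60" alt="Shop">
<p>Your order has shipped.</p>
<img src="https://shop.example/spacer.gif" width="1" height="1">
<img src="https://t.tracker.example/o.gif?rid=9f8a7b6c5d4e3f2a1b0c&amp;c=spring"
     width="1" height="1" alt="">
<img src="https://cdn.shop.example/px?u=QWxhZGRpbjpvcGVuIHNlc2FtZQ"
     style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_EMAIL, "shop.example"):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```

A mail client that does not load remote images never issues the request, so the beacon reports nothing regardless of how it is disguised.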

As a reaction to these developments, numerous networking techniques have been developed in recent years that help avoid any kind of data recording and protect individuals’ privacy in the online world. These techniques include, e.g., privacy enhancing technologies (PET) and anonymizing networking techniques.¹⁰

2.1.3 Data Theft

In addition to the personal information that users voluntarily disclose online and the information that is gathered through legally permissible monitoring techniques, personal data can also be obtained and gathered through illegal means. Recently, an increase in data theft has been reported as a result of intruders hacking into e-mail accounts, social media accounts or online bank accounts¹¹.

In practice, there are many reasons why hackers choose to engage in data theft. Data, particularly personal data, is a source of great value¹². This value is appealing for hackers who seek to gain financial advantages through illegal means¹³. Further, Internet activists, such as the “Chaos Computer Club”, may seek to show technical vulnerabilities. Other activists, such as “Anonymous” or “the Impact Team”, may use their technical know-how for political goals, such as exposing alleged misconduct. One case in point was the breach of the commercial website Ashley Madison, which enabled extramarital affairs.¹⁴ In this highly publicised case, hackers penetrated the servers of the company, stole sensitive client information and published the information online¹⁵.

2.2 Using Information about Consumers

Data collected online can be used in multiple ways. Apart from e-mail marketing and personalised advertising (especially within social media), data vending also comes into consideration.

2.2.1 E-Mail Marketing

Internet users disclose their personal information online with little hesitation, for instance when purchasing products online, in order to obtain a company’s newsletter or to participate in an online contest. Such information typically includes names, dates of birth, postal addresses, credit card numbers and e-mail addresses. Companies gather and store such information and use it to provide users with “traditional” as well as personalised advertisements.

2.2.2 Personalised Advertising

The collected data is analysed in order to identify the interests of the Internet users. The knowledge thus acquired enables companies to anticipate which goods each individual customer might need or want. Thus, when such customers visit other websites, they are delivered advertisements that are tailored to their previously identified interests. Such personalised advertising is becoming exceedingly prevalent. In a sense, personalised advertising can be seen as an evolved technique of “retargeting”, whereby users are shown advertisements of products they previously viewed on a website but did not end up buying¹⁶, with an added personalisation/customisation dimension.¹⁷ The idea behind personalised advertising is that, by indirectly reminding customers of items they considered buying, companies increase the purchase likelihood of the respective customer.

2.2.3 Data Vending

Given the nearly infinite possibilities of using personal information for business purposes, businesses consider and use personal data as tradable goods. In recent years, an independent business branch has emerged around the trading of Internet users’ personal information (data vending). Personal data vending, i.e. the sale by commercial data vendors of personal data as a commodity, has become a multibillion-dollar industry.¹⁸

3 Legal Aspects

3.1 Preliminary Remarks

The collection and use of information about consumers raises a number of legal issues, above all with regard to data protection law. Other relevant legal areas include unfair competition law and criminal law, the latter namely with regard to data theft. Unfair competition law may apply as a consequence of data misappropriation or the misleading use of information. However, since EU law has hardly been harmonised with regard to criminal law and only partially so with regard to unfair competition law and since legal issues in these areas are to date relatively sparse, the following considerations will focus exclusively on data protection law.

With regard to the law applicable on the Internet, it should be noted that most often, the laws of more than one country may apply. Which law must be applied to a specific legal issue is determined by a complex body of legal rules, namely the so-called “private international law” and other “conflict of laws” rules. As a general rule, one can say that Internet service providers that offer their services in a given national market must comply with the national laws of said market. Accordingly, multi-national businesses will have to tailor their services to the requirements of potentially very numerous national laws.

3.2 Legal Framework for Data Protection

Data protection law has been (and currently still is) a matter of national legislation throughout the EU and has only been partially harmonised by the Data Protection Directive 95/46¹⁹. As a consequence, advertising campaigns that use information about consumers in different member states must comply with all applicable national data protection laws. This requirement has led to significant obstacles for transnational businesses and hindered the full establishment of a Digital Single Market.

Against this background, the EU long envisaged full harmonisation of data protection law which ultimately resulted in the adoption of the General Data Protection Regulation (GDPR). In January 2012, the EU Commission presented its proposed draft regulation to the European Parliament and the European Council.²⁰ An extensively amended version of this draft was adopted by the European Parliament in March 2014²¹ and, after lengthy discussions, the European Council presented its General Approach in June 2015.²² On 17 December 2015, representatives of the European Parliament, the European Council and the European Commission finally agreed on a consolidated version of the GDPR.²³ This version was adopted by the European Council and the European Parliament on 8 April and 14 April 2016. It entered into force on 24 May 2016 and will become effective from 25 May 2018.²⁴

Contrary to today’s state of law, the GDPR will establish a single set of rules on data protection, which will be valid across the EU. This will, to a large extent, resolve the current fragmentation at national level. Further, the GDPR will leave little leeway for EU Member States to adopt stronger protection standards. The rules contained in the GDPR will apply to any company worldwide that provides its services in the EU, thereby enhancing fair competition in particular between US and European players in the advertising industry. The twin aims of the GDPR are to enhance the level of protection of personal data as well as to increase business opportunities in the Digital Single Market by providing a single set of rules for all businesses throughout the EU.²⁵ Against this background, the legal assessment of the collection and use of information about consumers is based on provisions of the GDPR.

3.3 General Principles of Data Protection Law

3.3.1 Processing of Personal Data

The application of data protection law is triggered by any processing of personal data. Both notions of “processing” and “personal data” are construed very broadly, which results in a very broad scope of application of data protection law.

The notion of personal data encompasses “any information relating to an identified or identifiable natural person”, the so-called “data subject” (Art. 4 (1) GDPR). Processing refers to “any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (Art. 4 (2) GDPR).

The compliance of the data processing with the requirements of data protection law must be ascertained by the data controller, i.e. “the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Art. 4 (7) GDPR).

3.3.2 Substantive Guiding Principles

The processing of personal data is only legitimate if such processing complies with a number of general principles. According to the GDPR:

personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency) (Art. 5 (1) (a) GDPR);

personal data must be collected for specified, explicit and legitimate purposes and must not be further processed in a way incompatible with those purposes (purpose limitation) (Art. 5 (1) (b) GDPR);

personal data must be adequate, relevant and limited to the minimum necessary in relation to the purpose for which they are processed (data minimisation) (Art. 5 (1) (c) GDPR);

personal data must be accurate and, where necessary, kept up to date (accuracy) (Art. 5 (1) (d) GDPR);

personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which such data are processed (storage limitation) (Art. 5 (1) (e) GDPR); and

personal data must be processed in a way that ensures appropriate security of such data (integrity and confidentiality) (Art. 5 (1) (f) GDPR).

For the collection and use of information about consumers, the principles of transparency, purpose limitation and data minimisation are of utmost importance. Therefore, the use cases identified above will have to be assessed with regard to their compliance with these principles.

3.3.3 Criteria for Making Data Processing Legitimate

Irrespective of whether or not it complies with the above general data protection principles, the processing of personal data is legitimate only if at least one out of six criteria is met. As such, the processing of personal data is legitimate if any of the below is given:

the data subject has given consent to the processing of their personal data for one or more specific purposes (Art. 6 (1) (a) GDPR); consent thereby means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, either by a statement or by a clear affirmative action, signifies agreement to the processing of his or her personal data (Art. 4 (11) GDPR);

the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6 (1) (b) GDPR);

the processing is necessary for compliance with a legal obligation to which the data controller is subject (Art. 6 (1) (c) GDPR);

the processing is necessary in order to protect the vital interests of the data subject or of another natural person (Art. 6 (1) (d) GDPR);

the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (Art. 6 (1) (e) GDPR); or

the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (Art. 6 (1) (f) GDPR).

Both in general and with regard to the collection and use of information about consumers, the most important criterion for the legitimacy of data processing is that of consent. Given that advertising is usually just a first step on the sometimes long way to the conclusion of a contract, the criterion of necessity for the performance of a contract will hardly ever be met in the use cases that will be discussed below. The same holds true for the criterion of the legitimate interests pursued by the data controller since the interest of the consumers in the protection of their fundamental right to privacy will likely always be favoured over the interests of the data controller in targeting/customising its advertisements to an individual consumer.²⁶ Accordingly, the following analysis of the use cases will focus on consent.

Failure to comply with the GDPR has important consequences. First, everyone who has suffered material or immaterial damage as a result of an infringement of the GDPR has a right to receive compensation from the data controller for the damage suffered (Art. 82 (1) GDPR). In addition, heavy administrative fines can be imposed by the national supervisory authority which is responsible for monitoring the application of the GDPR (Art. 83 GDPR). Such fines, which must be “effective, proportionate and dissuasive”, must take into account a number of factors, including whether the infringement was intentional and what action, if any, was taken to mitigate the damage.

3.4 Collecting Personal Information

3.4.1 Self-published Data

The mere fact that data subjects voluntarily publish their personal information online, e.g. on a website or on social media platforms, does not release an advertiser from its duty to comply with the requirements of data protection law. Accordingly, the advertiser may only collect and use such personal information for advertising purposes if the consumer has given his or her consent. Such consent cannot be derived from the mere publication of the data by the consumer since, as mentioned above, consent must be “specific, informed and unambiguous”.²⁷

Due to the consent requirement, it will hardly ever be lawful to use information published on a website by a consumer for advertising purposes. However, this assessment does not apply to the collection and use of information published on social media platforms, since the general Terms of Service (ToS) and the respective privacy policies of such platforms almost always contain provisions that authorise the social media platform providers to use the information published by their users for various purposes, including the display of personalised advertising.²⁸ Plainly, particularly from an ethical perspective, the legitimacy of such behaviour appears to be at the very least doubtful.²⁹ Even from a legal perspective, it is unclear to what extent the provisions of such platforms’ ToS and the respective privacy policies are valid, given that such ToS will be declared invalid in a trial if they cause a significant imbalance in the parties’ rights and obligations to the detriment of the consumer³⁰.

3.4.2 Monitoring Online Behaviour

As with the collection of self-published data, the collection of information about consumers through the monitoring of their online behaviour must comply with the requirements of data protection law. An important distinction from self-published data is that, in this scenario, consumers do not intentionally provide their personal information. Despite the public debate and the vast media coverage regarding the surveillance issue, particularly since the Snowden revelations, there are still consumers who appear to be unaware of the fact that their online behaviour is being monitored by Internet service providers, web publishers, social media operators and other online businesses. To make matters worse, even those who are aware of the ongoing monitoring activities do not have the means to know the exact extent to which data about them is being collected, what other data it will be combined with and for what purposes the data will be used.

Monitoring the online behaviour of consumers for advertising purposes is only lawful if the conditions of the GDPR are met. These conditions are twofold: First, the information must be collected in a transparent manner (i.e. an open and honest manner) and for specified, explicit and legitimate purposes and it must be limited to the minimum necessary in relation to these purposes.³¹ Second, the consumer must have given his or her informed consent to the processing of his or her personal data. As with self-published data, consumers are often required to consent by merely checking a box indicating their agreement with the ToS of a website or an Internet service provider and the respective privacy policy. However, the processing of data based on such consent is only lawful if the consumer has been informed about the collection and use of his or her personal data in a way that enables him or her to actually understand what the data is being collected and used for. Given that numerous privacy policies only provide very general and vague information about the use of personal data, the requirement of informed consent often fails to be fulfilled.

In addition to the general requirements of the GDPR, the EU Directive on Privacy and Electronic Communications 2002/58 (E-Privacy Directive)³² contains a specific provision regarding the use of cookies. According to this provision, the use of cookies is only allowed if the user concerned has given his or her consent after having been provided with clear and comprehensive information about the purpose of the processing of his or her personal data.³³ Website providers most often attempt to fulfill this requirement through the use of a pop-up window that informs the Internet user about the intended use of cookies and requires the user to agree to such use by checking a box embedded in the pop-up window. In principle, if the user does not check the box, he or she is deemed not to have given his or her consent to the use of cookies. However, even if the user does not, in effect, check the box accepting cookies, to the extent he or she is given a clear and unavoidable notice that cookies will be used and, on that basis, chooses to nevertheless access the website, website providers could, under certain circumstances, rely on so-called “implied consent” in order to serve such user with cookies.

3.4.3 Data and Identity Theft

The term data theft describes the illegal transfer and storage of any personal and confidential information such as passwords, social security numbers or credit card information from a business or an individual. Identity theft is the use of someone else’s identity by using another person’s personal data. Data and identity theft may constitute criminal offenses. In addition, such acts will often fail to comply with the requirements of data protection law, namely if stolen data is disclosed to third persons and/or used for commercial purposes.

3.5 Using Personal Information

The use of personal information relating to consumers is subject to the same data protection requirements as the collection of such information. Accordingly, the following use cases will have to be tested with regard to their compliance with the general data protection principles and with regard to the consumers’ informed consent:

3.5.1 E-Mail Marketing

The e-mail addresses that advertisers require for the purpose of carrying out e-mail marketing can be collected from various sources.³⁴ If the e-mail address consists of or contains the real name of an individual consumer or if the provider of the e-mail address otherwise allows the advertiser to identify the individual consumer, the acquiring of the e-mail address and the sending of an e-mail to this address qualifies as processing of personal data. If the e-mail address consists of a pseudonym, the sending of e-mails to such an address qualifies as processing of personal data only to the extent the owner of the e-mail account can be identified by other means, e.g. by using additional information that has been collected or is readily available. If a consumer can be identified, the sending of e-mails to this consumer must comply with the general requirements of the GDPR, namely the transparency principle and the requirement of informed consent. Accordingly, the consumer must be informed about the storing and use of his or her e-mail address for advertising purposes and he or she must consent to such use.

In addition to these general requirements, the E-Privacy Directive contains a specific provision to fight spam mail. According to this provision, the use of e-mail for the purpose of direct marketing is only allowed in respect of subscribers or users who have given their prior consent.³⁵ If a business has obtained electronic contact details, such as an e-mail address of its customer, the business may use such contact details for the marketing of its similar products or services, provided the customer is given the opportunity to object to the use of his or her electronic contact details free of charge and easily.³⁶ Accordingly, all e-mails sent to consumers for marketing purposes must include a button, a link, a reply-mechanism or the like that allows consumers to unsubscribe from the respective mailing list with only a few clicks.

3.5.2 Personalised Advertising

In order to target consumers and carry out personalised advertisements, advertisers must be in a position to distinguish individual consumers and identify their needs. In the offline world, such practices would generally require advertisers to identify individual consumers by their real name, e.g. in order to send personalised advertisements to their physical address. In the online world, however, consumers can be targeted with personalised advertisements if the advertiser is able to recognize an individual consumer as being the same consumer who engaged in a specific behaviour and/or expressed an interest in a specific product or service at an earlier stage, e.g. when visiting a website, searching for a product, or clicking on the link to an advertisement. As a consequence, personalised advertising is possible in an online environment without knowing the actual identity of an individual consumer.

From the perspective of data protection law, the fact that consumers can be recognized and retargeted in the online environment without knowing their real name or their physical appearance raises the fundamental question of how the notion of an “identified or identifiable natural person” is to be understood. Does this notion require that the natural person can be identified as a physical being, ultimately by knowing his or her real name? Or is it sufficient if an individual Internet user with individual characteristics can be distinguished from other Internet users without being able to actually link the profile of this individual Internet user to a physical being? Since this question is still being debated and since authorities tend to favour a broad understanding of the notion of identified or identifiable natural person,³⁷ advertisers should ensure that personalised advertisements consistently comply with the general data protection principles, particularly the principles of transparency, purpose limitation and data minimisation, and that personalised advertising campaigns are based on consumers’ informed consent.

3.5.3 Data Vending

The sale of personal data consists of at least two aspects. First, a sales contract is concluded pursuant to which the seller undertakes to transfer personal data to the buyer and the buyer undertakes to pay the agreed sales price. Second, the seller transfers the personal data and the buyer pays the agreed sales price. While the conclusion of a sales contract is irrelevant from the perspective of data protection law, the actual transfer of personal data or the granting of access to such data qualifies as data processing. More specifically, such acts qualify as a “disclosure by transmission” or a “making available” of personal data.³⁸

As a consequence, the sale of information regarding consumers must comply with the general data protection principles and be based on the consumers’ informed consent. Such consent is usually granted by way of having consumers agree to privacy policies that typically allow the data controller to transfer the data to third parties. If consumers have generally agreed to such transfer, the data controller is not required to obtain additional consent from the consumer when undertaking the actual sale and transfer of the data. In addition, since consumers do not “own” their personal data, they are not entitled to any share of the sales price that the buyer pays to the seller in consideration for the acquisition of the consumers’ personal data.

4 Ethical Aspects

4.1 Preliminary Remarks

The legal system provides for a basic framework of rules regarding the collection and use of personal data. This system is supplemented by ethics and ethical considerations, which evidently play a vital role in this context. Internet service providers must engage in behaviour that is generally perceived by Internet users as being ethical in order to (re)gain the users’ trust and their acceptance regarding the collection and use of their data. This matters in particular for personalised advertising since the success of such an advertising method is considerably premised on the users’ trust and acceptance of the activities underlying such advertising. Trust, which is a key success factor in the online environment,³⁹ is closely linked to ethical behaviour. Accordingly, the following sections will discuss the collection and use of consumer data from an ethical perspective.

4.2 The Foundation of Ethics

Stemming from the Greek word “ethos” that enshrines two different meanings, i.e. habit/custom and character/morals,40 the term ethics is addressed in different contexts, for example: (i) in the context of reflecting the position of those affected by valid moral claims, (ii) with regard to the critical assessment of practical procedures and (iii) for highlighting issues of social responsibility and moral competences.41 By referring to the established conventions of social groups, the notion of ethics encompasses the “socially valid moral rights, duties and behavioural norms deriving from a culture-specific tradition”.42 In a nutshell, ethics is about acting morally43.

Ethics is also an academic discipline that evaluates normative claims from a transparent and unbiased perspective and thereby addresses principles or rules which discuss good human action.44 In that regard, literature identifies three types of ethics,45 namely (i) descriptive or empirical ethics which outlines the diverse appearances of existing morals and the customs of individuals, groups, institutions and cultures, (ii) normative ethics which analyses the existing attitudes towards morality and framing action-oriented norms, and (iii) meta-ethics which critically challenges existing ethical methods and develops more distinctive behavioural attitudes.

4.3 Ethics in Internet Governance and Social Networks

Despite featuring in recent discussions about Internet governance46, the importance of ethics does not appear to be adequately reflected in the various materials relating to the issue of Internet governance. Indeed, only a small section of the examined declarations, guidelines, and frameworks refer to the necessity of implementing basic ethical rules with respect to the Internet and its use.47 In addition, principles regarding the ethical component appear to be somewhat vague and disparate.48 While some documents mention ethical issues in greater detail, others barely touch upon it.49 Therefore, a more in-depth assessment of the core relevant ethical principles in the digital environment appears necessary. It should be noted that the fact that the ethics issue has been increasingly discussed in the past few years can be interpreted as a sign of its growing importance.

Social networks, such as Facebook, Twitter and LinkedIn, offer users worldwide the possibility to share (personal) information and participate in public discourse. The rise and success of social media networks has been paralleled by the continuing growth of such networks’ members and/or users. As such, for instance, the number of active users of Facebook has tripled over the last five years.50

Given that ethical behaviour ultimately helps improve public perception, social networks have developed and published ToS that purport to protect their users’ rights, particularly in respect of users’ information privacy and intellectual property. Twitter, for instance, promotes tweeting in “real-time”51 on a network that supports free speech. In this context, the platform states its belief “that the open and free exchange of information has a positive global impact”.52 However, interestingly, this statement with a seemingly noble goal is followed by a “guide to growing your business with Twitter”53. This evidences the fact that ultimately any efforts to gain users’ trust and preserve their loyalty, as well as become more attractive to potential new users, are in fact guided entirely by businesses’ self-interest. In other words, ultimately, most companies follow the well-known formula: “There is one and only one social responsibility of business [. . .] (namely) to increase its profits.”54 This seems somewhat logical if one considers that social networks largely depend on advertising revenues. Attracting more users evidently increases such revenues. Accordingly, social networks’ ToS are generally overly social network-friendly; in particular, they typically provide for the right of social networks to engage in unrestricted commercial marketing activities. Consequently, any claims of purported ethical behaviour by social networks can be criticised as being (possibly) true in theory but not in practice.55 Hence, there is undoubtedly much room for improvement with regard to the ethical standards of social networks.

4.4 Ethical Considerations Related to Collecting and Using Personal Data

4.4.1 Collecting Personal Information

With regard to ethical or moral considerations, it is not possible to refer to specific regulations. At first glance, it could seem that the automatic collection of self-published data and the monitoring of Internet users’ online behaviour do not raise any ethical issues. This may be true in particular if the collection of (the intentionally/voluntarily and unintentionally provided) data serves a valid purpose, such as the protection of other Internet users or even the democratic order. But the average consumer is not necessarily well-informed about the fact that any data that he or she provides or generates online, including his or her personal information such as physical addresses, pictures or IP addresses, will potentially be stored “somewhere”. Therefore, the stance taken here is that entities collecting such data should be required to take measures to sufficiently protect such data against data breach and theft.

Where data is collected primarily for advertising purposes, transparency is particularly crucial. Transparency requires that Internet users be informed in advance about the fact that their data is being collected so that they may use the Internet with full awareness of the consequences. The collection of (personal) data without appropriate prior information/disclosure to Internet users and particularly the use of cookies and other tracking mechanisms allowing the establishment of a user’s profile (browsing and purchasing habits, demographic data, and statistical information, etc.) is ethically questionable.

4.4.2 Using Personal Information

While the issues raised by the collection of personal data may appear to be relatively contained, the use of such data inevitably raises difficult questions. The establishment of data profiles allowing corporations to provide data subjects with personalised advertising serves no other goal than that of financial gain. The pursuit of financial gain does not in itself raise ethical problems as long as the Internet user is duly informed about both the collection and the processing of his or her data. In this context, ethical behaviour requires transparency during the entire process, from the provision of adequate information regarding the storage of (personal) data through the compliance with the right of Internet users to be informed about the storage of their data to their right to object to the storage and transfer of their data.

From an ethical point of view, data vending deserves special attention. Indeed, trading Internet users’ personal data inevitably raises numerous ethical questions, such as: Is the Internet user aware of the fact that his or her data is being traded, does he or she know what data is being traded, who obtains the data, is the data duly protected against data breaches, etc.? In addition, consent to store personal data does not automatically include the right to “sell” such data. More importantly, the largely uncontrolled proliferation of data to a large extent undermines the right of Internet users to decide how their data shall or shall not be published.

4.5 Responsibility of Users

Given the fact that the Internet and all activities conducted online depend on the participation of users, it seems fair to demand that Internet users bear a certain responsibility while using the Internet. In this vein, Internet users should move from being passive to becoming active users by speaking out for their rights.56 Internet users should start acting as responsible human beings and create a more citizen-driven information environment.57

In addition, Internet users should hold the corporations behind the networks accountable for their regulatory decisions.58 To improve transparency, companies must in particular be required to regularly and automatically inform the general public on how the gathered information is being used.59 The more Internet users actively make use of their rights and freedoms, the more difficult it will be for governments and corporations to deprive them of such rights and freedoms.60 In contrast, as long as only a few users insist on the compliance of collecting and using their data with their fundamental rights, there is a risk that these (few) voices are not taken seriously and that the respective individuals are practically deprived of the use of such services due to their disagreement with the respective privacy policies. Such a development would be ethically undesirable.

5 Outlook

The collection and use of information about consumers has become an essential tool of commercial communication. It is fair to assume that the techniques used to monitor and track consumer behaviour in order to serve consumers with personalised advertising will be further developed and increasingly used in the future. Arguably, the processing of information about consumers by advertisers is not inherently problematic, as long as such processing is done in accordance with the applicable legal requirements and generally accepted ethical principles.

The success of personalised advertising will largely depend on whether the collection and use of information about consumers’ behaviour is or is not accepted by Internet users. Such acceptance will require bringing back (user) trust in the Internet and particularly (re-)building trust between advertisers and consumers. Trust seems to have been broken as a result of users learning about the ongoing large-scale collection and use of their data by Internet service providers. It is now up to the providers to restore trust and to resolve at least in part the current disinformation of Internet users by providing complete and accurate information on the processing of personal data. For the (re-)building of trust, two elements seem to be key:

First, information about consumers should never be collected and used for advertising purposes without the informed consent of the consumers. Second, to enable a truly informed consent, advertisers will need to ensure full transparency with regard to the information they collect, the purpose(s) the information is used for, the time period during which the information is stored, and the identity of the third parties who may access the information or even receive a copy thereof. As such, transparency will be the decisive factor that enables users to make truly informed decisions. Today, the information provided to consumers hardly ever meets these criteria. Providing both more specific and more comprehensive information about the use of information about consumers would be a first and relatively easy step that advertisers could take in order to initiate the process of (re-)gaining the trust of consumers.
