Personal Data Processing for Behavioural Targeting: Which Legal Basis?
Frederik Zuiderveen Borgesius
TL;DR
This paper analyzes the legal basis for personal data processing in behavioral targeting within the EU, emphasizing that unambiguous consent is generally required, and clarifying the role of the ePrivacy Directive.
Contribution
It clarifies the legal requirements for data processing in behavioral targeting under EU law, highlighting that consent is typically the only valid legal basis.
Findings
Unambiguous consent is the primary legal basis for behavioral targeting.
The ePrivacy Directive's cookie consent does not suffice as a legal basis.
Companies must obtain explicit consent for behavioral data processing.
Abstract
The European Union Charter of Fundamental Rights only allows personal data processing if a data controller has a legal basis for the processing. This paper argues that in most circumstances the only available legal basis for the processing of personal data for behavioural targeting is the data subject's unambiguous consent. Furthermore, the paper argues that the cookie consent requirement from the ePrivacy Directive does not provide a legal basis for the processing of personal data. Therefore: even if companies could use an opt-out system to comply with the e-Privacy Directive's consent requirement for using a tracking cookie, they would generally have to obtain the data subject's unambiguous consent if they process personal data for behavioural targeting.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsCognitive Functions and Memory