Protection of personal data in the process of using targeted advertising

Vasileva Yana Valeryevna ORCID: 0000-0001-9434-7563 PhD in Law Associate Professor of the Department of administrative and financial law, North-West Institute (branch) of the Kutafin Moscow State Law University (MSAL) 160000, Russia, Vologda region, Vologda, Maria Ulyanova str., 18, office 203 yana.vasileva@list.ru Other publications by this author

SHalegin Stepan Pavlovich ORCID: 0000-0002-6452-6306 Student; Northwestern Institute (branch) O.E. Kutafin Moscow State Law University (MGUA) 160000, Russia, Vologda region, Vologda, Maria Ulyanova str., 18 yana.vasileva@list.ru

In the modern digital era of economic development, the latest ways and means of promoting goods and services on the Internet are regularly introduced. Advertising is a key source of attracting customers for successful business activities and plays an important role in the implementation of economic, social, educational and other functions. Online advertising plays a key role in online platforms and user interaction. The growth in the number of Internet users has increased the importance of regulating advertising on the communication network. The balance between effective advertising and a positive user experience is important for both consumers and advertisers. Regulatory measures promote socially responsible advertising and protect user privacy. Respect for privacy helps build trust and use online services. Regulations and emerging practices for protecting user data ensure their confidentiality.

Protecting privacy is an important part of democracy and civil liberties. Users must control their data and be protected from unreasonable monitoring and interference. Privacy is related to cybersecurity, and a breach can lead to fraud and cybercrime. The rules and regulations must ensure the security of user data.

The content of online commerce, its role, place and importance in the economic system were revealed by well-known domestic authors such as E. M. Azaryan, D. V. Valko, A. N. Germanchuk, A. N. Sokolova, O. A. Tretyak, V. V. Tsarev and other scientists. Various approaches to the concept of targeted advertising have been described by researchers: I. V. Ermakova, A.V. Zdornova, E. A. Kozhemyakin, V. G. Lovyagina, E. I. Nemchinova, N. A. Soshneva and others. The issues of legal regulation of the processing and protection of personal data on the Internet were raised in scientific works by the authors: I. Z. Ayusheeva, K. V. Borodin, A. Yu. Burova, A. I. Gerashchenko, K. A. Zyubanov, L. L. Kosheleva, V. A. Perednya, A. I. Rybin, A. I. Saveliev, Yu. Sevastyanova, A.M. Turkiashvili, P. E. Chumakova, and others. The analysis of scientific papers revealed that, despite the large number of works related to the legal security of personal data processing on the Internet, the issues of personal data protection in the process of using targeted advertising have not been sufficiently studied, which determined the purpose and objectives of this study.

In the modern world, the institution of targeted advertising is considered economically profitable. This non-standard method of advertising positioning allows you to place the necessary information in the immediate vicinity of the point of sale. As for the concept of targeted advertising, the issue has not been resolved in the legislation. Scientists and practitioners reveal only some of the signs and elements of this type of advertising activity. So, according to I. V. Ermakova, the essence of targeted advertising is to function through the use of "cookies" technologies, which allow you to send personalized offers to a specific user, taking into account information about their search queries, their browsing of certain sites and others ^{[1, pp. 29-47.]}. From the position of E. I. Nemchinova and A.V. Zdornova, targeted advertising allows you to show ads to certain Internet users ^{[2, pp. 129-131]}. In the framework of research by other authors ^{[3, pp. 3-28]}, a key feature of targeted advertising is also noted – the personalized nature of its content: the target audience receives and finds in targeted advertising offers what corresponds to its socio-demographic, socio-economic, geolocation and cultural characteristics, as well as its previous Internet searches, affiliation with communities, social media responses, and more. In addition, researchers A. I. Gerashchenko, A. I. Rybin, K. A. Zyubanov indicate that despite the absence of the term "targeted advertising" in Russian legislation, it is widely used in judicial practice ^{[4, pp. 87-102.]}. The authors also consider the concept of this type of advertising through the concept of targeting (from the English target – goal) in advertising is a mechanism that allows online platforms, through the use of cookies and other technologies, to analyze the digital footprint (search queries, browsing certain sites) of the user ^{[5, pp. 108-113]}. Accordingly, having analyzed the individual signs of targeted advertising proposed in the scientific literature, within the framework of this study, the authors propose the following definition of the concept of "targeted advertising" - information distributed in the information and telecommunications network "Internet", in the form of personalized and targeted messages, using computer technology, addressed to a certain circle of potential consumers, taking into account their interests and needs and aimed at attracting attention to the advertised object, forming or maintaining interest in it and its promotion on the market. Taking into account the author's definition of the concept, it can be concluded that targeted advertising is a key tool for the digital promotion of goods and services.

Currently, the issue of confidentiality of information is being actively raised when an advertiser uses targeted advertising. The current Federal Law "On Personal Data" does not cover this point well. With regard to user interaction, the law obliges any data operator only to indicate in a separate document the privacy policy (personal data processing), inclusion on all forms where users enter their personal data, a checkbox requiring active consent to data processing, as well as notifying site users about the use of cookies. Processing of personal data without the consent of the personal data subject entails the imposition of an administrative fine in the amount of three hundred thousand to seven hundred thousand rubles for legal entities (part 2 of Article 13.11 of the Administrative Code of the Russian Federation), the absence of a description of the conditions for processing cookies - from sixty thousand to one hundred thousand rubles (part 1 of Article 13.11 of the Administrative Code of the Russian Federation).

Over the past few years, personal data has gained new value for corporations. Almost any interaction with a large company leads to the collection of consumer data. This is partly because an increase in the amount of data leads to improved online tracking, behavior profiling, and data-driven targeted marketing. But there is another side. It is worth agreeing with I. Z. Ayusheeva, who points out that, for example, VKontakte LLC, like most other owners of technology platforms, is a commercial organization and profits from its activities. The ability to use the platform's services is "exchanged" for user data – the company gets at its disposal large user data that is necessary to make a profit when selling targeted advertising ^{[6, pp. 56-65]}. The authors are also attracted by the opinion of A. I. Savelyev, who considers personal data as a currency for paying for "free" Internet services, and they are also fuel for using technologies like artificial intelligence ^{[7, pp. 104-129]}. An excess of valuable data combined with minimal regulation increases the likelihood of misuse or improper handling of confidential information (A. S. Gillis, B. Lutkevich. What is customer experience management (CXM)? Ultimate guide // [Electronic resource] URL: https://www.techtarget.com/searchdatamanagement/definition/consumer-privacy (accessed 03/25/2024)).

The issue of ensuring a balance between advertising personalization and privacy requires a separate discussion. From a legal point of view, the following changes should be made to the federal law "On Personal Data":

1) To regulate in detail the procedure for users to express their consent to the processing of personal data for the purpose of targeting on the Internet. It is also necessary to prohibit the site administration from denying access to information to the user on the grounds of his refusal to receive targeted advertisements ^{[8, pp. 200-203]}. It should be noted that these norms should also be introduced into the Federal Law "On Advertising".

Without specific rules and procedures, users may not be aware of how their personal data is used for advertising. This may also lead to the disproportionate collection and use of personal data of these persons. This violates the principles of transparency and confidentiality. The ability to opt out of targeted advertising is an important user right that must be respected. If site owners can deny users access only on the basis of their refusal of this advertisement, this restricts the right to free access to information and services, which can also lead to monopolistic behavior and illegal control over information, especially if such conditions are violated by many sites.

2) The advertiser must immediately, at the time of consent or refusal, clearly explain what and how of the collected data will be used in advertising. This should include information about the types of data collected, the purposes for which it will be used, as well as any third parties who may have access to the data. By providing this information in advance, users can make informed decisions about whether they want to consent to data collection.

Without clear explanations about the methods of data collection and use, users have no idea how their data will be used for advertising purposes, and this undermines users' trust and violates their right to control their personal information.

3) Advertisers should prioritize data security to protect users' personal information from unauthorized access, use or disclosure. This includes implementing robust security measures such as encryption, access control, and regular data audits to protect user data from potential breaches.

In the absence of a regulatory obligation, advertisers may not prioritize the implementation of robust security measures to protect users' personal data. The lack of clear requirements for the application of appropriate security measures makes it difficult to hold advertisers accountable for possible data leaks or incidents related to their protection.

Paying attention to the institution of confidentiality arising from the security of personal data storage, it is necessary to focus on the possibility of its violation due to data leakage. As an understandable example, we can cite such a method, which occupies an important share in the distribution of online advertising, as online mailing by e-mail. The leakage of an email address alone can cause its owner problems such as sending spam or fraudulent emails to his address, compromising other accounts using this email address, and so on.

Analyzing the scientific literature, we can state a sufficient number of studies by domestic and foreign scientists devoted to the problem of protection against information leaks (D. P. Zegzhda, V. P. Los, E. Y. Pavlenko, D. Massey, A. R. Khakpour and others). However, it should be noted that there is no complete definition of the concept of the phenomenon in question in scientific works. In the opinion of the authors, A. A. Spirin gives a concise definition of the process in his dissertation research: information leakage is a violation of the security of protected information, namely, a violation of the confidentiality property (Protection against information leakage based on the separation of encrypted and compressed data: dissertation... Candidate of Technical Sciences: 05.13.19 / Spirin Andrey Andreevich. – Orel, 2022. – 131 p.). A similar idea was developed in the scientific work of I. O. Silantiev and I. V. Anikin, under the leakage of confidential information, the authors understand a negative event in which information containing valuable information becomes available to a person without the consent of the owner or a group of persons who do not have permission to access this information ^{[9, p. 15]}. In the studied problem, the analysis of trends in the field of confidential data leaks and the social foundations of this problem becomes central for the authors, so P. S. Shvyryaev considers the institute of confidential data leakage as a massive, complex and important problem in the world and especially in Russia, which has a direct impact on important aspects of society: the state of the business climate, the level of public confidence in digital products, the state of cybercrime, the nature of the development of scientific and technological progress, the economic well-being of citizens ^{[10, pp. 226-241]}. Researcher A. P. Ivanova also calls the leakage of personal data a "big problem in the digital age" in a scientific article ^{[11, pp. 100-107]}. It should be noted that some of the provisions expressed here are analytical in nature and do not exclude other points of view on the content of the concept of "leakage of personal data". Within the meaning of the norms of the federal law "On Personal Data", a leak can be called the fact of unlawful or accidental transfer (provision, distribution, access) of personal data, which resulted in violation of the rights of personal data subjects. Thus, for the present study, under data leakage, the authors propose to consider the failure of the personal data operator to comply with the conditions ensuring the safety of personal data, resulting in unlawful or accidental access to data, their destruction, modification, blocking, copying, provision, distribution or other illegal actions in relation to the specified data.

The current legislation provides for several types of liability for the leakage of personal data: disciplinary, civil, administrative, criminal. Since this aspect is the subject of an independent study that goes beyond the scope of our work, we will limit ourselves to a brief consideration of the institution of administrative responsibility only. Thus, the Administrative Code of the Russian Federation provides for liability under Article 13.11. Violation of the legislation of the Russian Federation in the field of personal data: in part 1 for processing personal information in cases that are not provided for by law; in part 2 for processing personal information without written consent; in part 4 for failure to provide information to the owner concerning the procedure and purposes of processing, personal information provided by him; in Part 6 for leaking information and getting it to third parties.

It is necessary to pay attention to an important problem that examines one, but a significant reason for the connivance of large companies to massive leaks of personal data, which is the appointment of "soft" punishments. To understand the real nature of the problem, you can recall any example with major leaks of personal data. So, on October 19, 2023, Roskomnadzor confirmed the leak of personal data of MTS Bank customers (Roskomnadzor confirmed the leak of personal data of MTS Bank customers // [Electronic resource] URL: https://ria.ru/20231019/dannye-1903771403.html (accessed 03/25/2024)). 1 million lines with the surname, first name and patronymic, phone number, date of birth, gender, INN and citizenship of clients were freely available. In another file, 3 million lines were found with a partial bank card number, card issue and expiration dates, and card type. The third file contains 1.8 million unique phone numbers, 50,000 unique email addresses and numeric identifiers. The company was brought to administrative responsibility under part 1 of Article 13.11 of the Administrative Code of the Russian Federation, a penalty was imposed in the form of an administrative fine in the amount of 60 thousand rubles, this is the minimum possible fine under this article for a legal entity, the maximum could be 100 thousand rubles. Thus, the de facto company suffered only reputational damage, which, however, is also doubtful due to far from the first major leak of personal data and, accordingly, the habit of Russian users to frequent such phenomena and not properly punished.

Data collected by advertisers for contextual advertising is also subject to leaks, which users are much less likely to think about collecting, therefore, in addition to regulating the collection of information by advertisers, it is necessary to resolve the issue of punishment for negligence in processing and improper storage of data.

One of the incentives for companies to take a responsible approach to ensuring comprehensive measures to protect personal data is the introduction of reasonable penalties for leakage. At the moment, both the introduction of criminal liability and negotiable fines are proposed with various justifications. It is no less logical to provide compensation to victims in exchange for a reduction in the amount of the fine.

It is also worth noting certain steps in reforming this area. So, the banking lawyer Yu. Sevastyanova at the beginning of 2023 indicates a tendency to tighten responsibility for leakage and illegal processing of personal data ^{[12, pp. 104-109]}. The scientist A. Yu. Burova analyzes changes in the legislation on administrative offenses, suggesting differentiation of administrative responsibility depending on the number of subjects of personal data and identifiers in respect of which there was a leak ^{[13, pp. 143-155]}. According to Federal Law No. 588-FZ of 12.12.2023, administrative responsibility for processing personal data without the written consent of citizens has increased significantly, when such consent must be obtained in accordance with the law. Fines have also increased for processing personal data in violation of the requirements for the composition of information included in written consent.

Currently, with the increasing informatization of society, the development of advanced technologies and the digital environment, the process of using personal data on the Internet is inevitable. By ensuring the security of personal data, processes are ensured both to guarantee data security and to preserve the features of information while simultaneously ensuring its confidentiality, integrity and accessibility ^{[14, pp. 285-288]}.

In the digital world, online advertising has undoubtedly become a powerful force shaping our online experience. However, problems related to privacy come to the fore, which requires a comprehensive revision, and if necessary, a revision of the legal framework governing this area of advertising.

Thus, it is necessary to regulate the process of obtaining user consent for targeted advertising, which ensures transparency and privacy protection. In addition, it is necessary to prohibit site administrators from blocking access based on the user's refusal of targeted advertising. These amendments should be included in the current legislation on personal data and advertising.

Advertisers also need to explain in advance, at the time of obtaining consent, in an understandable form, the nature and purpose of using the collected data for advertising purposes. This will allow users to make informed decisions and maintain control over their personal information.

Data security should be one of the top priorities of advertisers, since it is the personal data operator who is responsible for protecting users' confidential information from unauthorized use.

This comprehensive approach will solve the pressing problems of privacy in the legal context of online advertising, contributing to the creation of a more secure and transparent digital ecosystem.