Online Price Discrimination and EU Data Privacy Law external link

Journal of Consumer Policy, vol. 2017, 2017

Abstract

Online shops could offer each website customer a different price. Such personalized pricing can lead to advanced forms of price discrimination based on individual characteristics of consumers, which may be provided, obtained, or assumed. An online shop can recognize customers, for instance through cookies, and categorize them as price-sensitive or price-insensitive. Subsequently, it can charge (presumed) price-insensitive people higher prices. This paper explores personalized pricing from a legal and an economic perspective. From an economic perspective, there are valid arguments in favour of price discrimination, but its effect on total consumer welfare is ambiguous. Irrespectively, many people regard personalized pricing as unfair or manipulative. The paper analyses how this dislike of personalized pricing may be linked to economic analysis and to other norms or values. Next, the paper examines whether European data protection law applies to personalized pricing. Data protection law applies if personal data are processed, and this paper argues that that is generally the case when prices are personalized. Data protection law requires companies to be transparent about the purpose of personal data processing, which implies that they must inform customers if they personalize prices. Subsequently, consumers have to give consent. If enforced, data protection law could thereby play a significant role in mitigating any adverse effects of personalized pricing. It could help to unearth how prevalent personalized pricing is and how people respond to transparency about it.

behavioural targeting, cookies, Data protection law, frontpage, General Data Protection Regulation, personalized communication, Price discrimination

Bibtex

Article{Borgesius2017b, title = {Online Price Discrimination and EU Data Privacy Law}, author = {Zuiderveen Borgesius, F. and Poort, J.}, url = {https://www.ivir.nl/publicaties/download/JCP_2017.pdf}, doi = {https://doi.org/DOI 10.1007/s10603-017-9354-z}, year = {0725}, date = {2017-07-25}, journal = {Journal of Consumer Policy}, volume = {2017}, pages = {}, abstract = {Online shops could offer each website customer a different price. Such personalized pricing can lead to advanced forms of price discrimination based on individual characteristics of consumers, which may be provided, obtained, or assumed. An online shop can recognize customers, for instance through cookies, and categorize them as price-sensitive or price-insensitive. Subsequently, it can charge (presumed) price-insensitive people higher prices. This paper explores personalized pricing from a legal and an economic perspective. From an economic perspective, there are valid arguments in favour of price discrimination, but its effect on total consumer welfare is ambiguous. Irrespectively, many people regard personalized pricing as unfair or manipulative. The paper analyses how this dislike of personalized pricing may be linked to economic analysis and to other norms or values. Next, the paper examines whether European data protection law applies to personalized pricing. Data protection law applies if personal data are processed, and this paper argues that that is generally the case when prices are personalized. Data protection law requires companies to be transparent about the purpose of personal data processing, which implies that they must inform customers if they personalize prices. Subsequently, consumers have to give consent. If enforced, data protection law could thereby play a significant role in mitigating any adverse effects of personalized pricing. It could help to unearth how prevalent personalized pricing is and how people respond to transparency about it.}, keywords = {behavioural targeting, cookies, Data protection law, frontpage, General Data Protection Regulation, personalized communication, Price discrimination}, }

Should we worry about filter bubbles? external link

Zuiderveen Borgesius, F., Trilling, D., Trilling, D., Bodó, B., Vreese, C.H. de & Helberger, N.
Internet Policy Review, vol. 5, num: 1, 2016

Abstract

Some fear that personalised communication can lead to information cocoons or filter bubbles. For instance, a personalised news website could give more prominence to conservative or liberal media items, based on the (assumed) political interests of the user. As a result, users may encounter only a limited range of political ideas. We synthesise empirical research on the extent and effects of self-selected personalisation, where people actively choose which content they receive, and pre-selected personalisation, where algorithms personalise content for users without any deliberate user choice. We conclude that at present there is little empirical evidence that warrants any worries about filter bubbles.

behavioural targeting, Big data, frontpage, Personal data, profiling

Bibtex

Article{Borgesius2016, title = {Should we worry about filter bubbles?}, author = {Zuiderveen Borgesius, F. and Trilling, D. and Bodó, B. and Vreese, C.H. de and Helberger, N.}, url = {http://policyreview.info/node/401/pdf}, doi = {https://doi.org/10.14763/2016.1.401}, year = {0401}, date = {2016-04-01}, journal = {Internet Policy Review}, volume = {5}, number = {1}, pages = {}, abstract = {Some fear that personalised communication can lead to information cocoons or filter bubbles. For instance, a personalised news website could give more prominence to conservative or liberal media items, based on the (assumed) political interests of the user. As a result, users may encounter only a limited range of political ideas. We synthesise empirical research on the extent and effects of self-selected personalisation, where people actively choose which content they receive, and pre-selected personalisation, where algorithms personalise content for users without any deliberate user choice. We conclude that at present there is little empirical evidence that warrants any worries about filter bubbles.}, keywords = {behavioural targeting, Big data, frontpage, Personal data, profiling}, }

Singling out people without knowing their names – Behavioural targeting, pseudonymous data, and the new data protection regulation external link

Computer Law & Security Review, num: 2, pp: 256-271., 2016

Abstract

Information about millions of people is collected for behavioural targeting, a type of marketing that involves tracking people’s online behaviour for targeted advertising. It is hotly debated whether data protection law applies to behavioural targeting. Many behavioural targeting companies say that, as long as they do not tie names to data they hold about individuals, they do not process any personal data, and that, therefore, data protection law does not apply to them. European Data Protection Authorities, however, take the view that a company processes personal data if it uses data to single out a person, even if it cannot tie a name to these data. This paper argues that data protection law should indeed apply to behavioural targeting. Companies can often tie a name to nameless data about individuals. Furthermore, behavioural targeting relies on collecting information about individuals, singling out individuals, and targeting ads to individuals. Many privacy risks remain, regardless of whether companies tie a name to the information they hold about a person. A name is merely one of the identifiers that can be tied to data about a person, and it is not even the most practical identifier for behavioural targeting. Seeing data used to single out a person as personal data fits the rationale for data protection law: protecting fairness and privacy.

behavioural targeting, cookies, Data protection law, IP addresses, online behavioural advertising, Personal data, Privacy, profiling, pseudonymous data, tracking

Bibtex

Article{nokey, title = {Singling out people without knowing their names – Behavioural targeting, pseudonymous data, and the new data protection regulation}, author = {Zuiderveen Borgesius, F.}, url = {http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2733115}, year = {0223}, date = {2016-02-23}, journal = {Computer Law & Security Review}, number = {2}, abstract = {Information about millions of people is collected for behavioural targeting, a type of marketing that involves tracking people’s online behaviour for targeted advertising. It is hotly debated whether data protection law applies to behavioural targeting. Many behavioural targeting companies say that, as long as they do not tie names to data they hold about individuals, they do not process any personal data, and that, therefore, data protection law does not apply to them. European Data Protection Authorities, however, take the view that a company processes personal data if it uses data to single out a person, even if it cannot tie a name to these data. This paper argues that data protection law should indeed apply to behavioural targeting. Companies can often tie a name to nameless data about individuals. Furthermore, behavioural targeting relies on collecting information about individuals, singling out individuals, and targeting ads to individuals. Many privacy risks remain, regardless of whether companies tie a name to the information they hold about a person. A name is merely one of the identifiers that can be tied to data about a person, and it is not even the most practical identifier for behavioural targeting. Seeing data used to single out a person as personal data fits the rationale for data protection law: protecting fairness and privacy.}, keywords = {behavioural targeting, cookies, Data protection law, IP addresses, online behavioural advertising, Personal data, Privacy, profiling, pseudonymous data, tracking}, }

Personal data processing for behavioural targeting: which legal basis? external link

International Data Privacy Law, 2015

Abstract

Key Points:
The European Union Charter of Fundamental Rights only allows personal data processing if a data controller has a legal basis for the processing.
This paper argues that, in most circumstances, the only available legal basis for the processing of personal data for behavioural targeting is the data subject's unambiguous consent.
Furthermore, the paper argues that the cookie consent requirement from the e-Privacy Directive does not provide a legal basis for the processing of personal data.
Therefore, even if companies could use an opt-out system to comply with the e-Privacy Directive's consent requirement for using a tracking cookie, they would generally have to obtain the data subject's unambiguous consent if they process personal data for behavioural targeting.

behavioural targeting, Grondrechten, Personal data, Privacy

Bibtex

Article{nokey, title = {Personal data processing for behavioural targeting: which legal basis?}, author = {Zuiderveen Borgesius, F.}, url = {http://idpl.oxfordjournals.org/content/early/2015/06/23/idpl.ipv011.abstract?keytype=ref&ijkey=vlrPCGCUMXW8kAz}, year = {0625}, date = {2015-06-25}, journal = {International Data Privacy Law}, abstract = {Key Points: The European Union Charter of Fundamental Rights only allows personal data processing if a data controller has a legal basis for the processing. This paper argues that, in most circumstances, the only available legal basis for the processing of personal data for behavioural targeting is the data subject's unambiguous consent. Furthermore, the paper argues that the cookie consent requirement from the e-Privacy Directive does not provide a legal basis for the processing of personal data. Therefore, even if companies could use an opt-out system to comply with the e-Privacy Directive's consent requirement for using a tracking cookie, they would generally have to obtain the data subject's unambiguous consent if they process personal data for behavioural targeting.}, keywords = {behavioural targeting, Grondrechten, Personal data, Privacy}, }

Behavioural Sciences and the Regulation of Privacy on the Internet external link

Abstract

This chapter examines the policy implications of behavioural sciences insights for the regulation of privacy on the Internet, by focusing in particular on behavioural targeting. This marketing technique involves tracking people’s online behaviour to use the collected information to show people individually targeted advertisements. Enforcing data protection law may not be enough to protect privacy in this area. I argue that, if society is better off when certain behavioural targeting practices do not happen, policymakers should consider banning them.

behavioural economics, behavioural targeting, cookies, Data protection, e-Privacy Directive, Grondrechten, nudge, nudging, Privacy, profiling, tracking

Bibtex

Other{nokey, title = {Behavioural Sciences and the Regulation of Privacy on the Internet}, author = {Zuiderveen Borgesius, F.}, url = {http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2513771}, year = {1030}, date = {2014-10-30}, abstract = {This chapter examines the policy implications of behavioural sciences insights for the regulation of privacy on the Internet, by focusing in particular on behavioural targeting. This marketing technique involves tracking people’s online behaviour to use the collected information to show people individually targeted advertisements. Enforcing data protection law may not be enough to protect privacy in this area. I argue that, if society is better off when certain behavioural targeting practices do not happen, policymakers should consider banning them.}, keywords = {behavioural economics, behavioural targeting, cookies, Data protection, e-Privacy Directive, Grondrechten, nudge, nudging, Privacy, profiling, tracking}, }