Today, January 28th, is International Data Protection Day. The occasion is a good reason to remind ourselves of this important subject, which concerns all companies and institutions.
It has been almost four years since the new Data Protection Act came into force, and the knowledge of Icelandic companies and institutions in this field has increased significantly during that time. Many companies and institutions have taken measures to ensure compliance with the law. However, companies must still always be vigilant and pay attention to data protection, e.g., when implementing new systems or adopting new marketing methods.
The Data Protection Authority supervises the enforcement of the Data Protection Act. Individuals who believe that their rights under the law have been violated can complain to the Data Protection Authority. In addition, the Authority can open cases on its own initiative, through audits and own-initiative analysis.
The Data Protection Authority has published a list of the issues it will focus on in its audits and own-initiative analysis in the year 2022. On the list is the issue of profiling used in so-called microtargeting.
It can be presumed that many Icelandic companies use profiling for marketing purposes without necessarily realizing it.
Profiling refers to the processing of personal data for the purpose of analyzing or predicting the behavior or well-being of individuals, e.g., interests, taste or financial status. With microtargeting, profiling is used to direct customized messages and advertisements to individuals.
To create profiles, tools such as cookies, pixels, and plug-ins are used to enable companies and institutions to track individuals’ browsing on the Internet and monitor their behavior, including what they are interested in. This technology creates a personalized profile that can be used to direct content and advertisements to the individuals with whom they are likely to be successful.
Most social media platforms offer services that allow companies to define the groups they want to reach on the relevant medium, and such services are based on profiling. Facebook's so-called "Core Audience" service, for example, allows companies to define the groups they want to reach based on demographic information, interests, and behavior. Thus, companies can, for example, select certain advertisements to be displayed to educated men aged 28-35 who live in Reykjavík, are interested in human rights, animals and organic coffee, and travel by public transport.
Companies can also share their customers' contact information with Facebook and ask Facebook to display specified ads to this group (the so-called "Custom Audience" service). In addition, Facebook can take this information about the company's customer group, analyze their profile, and subsequently find out which other social media users have similar personal profiles and could thus likely be new customers of the company in question (the so-called "Lookalike Audience" service). In order to use this service, companies need to share their customers’ personal data with Facebook, which results in data processing for which the company and Facebook are jointly responsible.
Companies and institutions thus need to be aware of whether they are using profiling and microtargeting in their operations, as such use gives rise to certain obligations under the Data Protection Act.
For example, it is important to ensure that there is a legal basis for processing the users’ personal information, including for the transfer of the personal data to the social media platform in question. The users must also be informed that such processing takes place and that their data will be transferred. In addition, it is important to give the users the opportunity to object to the processing or withdraw their consent, and in that case, to take care not to process the data for this purpose.
Considering the priorities of the Data Protection Authority for the year 2022, it is important that companies and institutions examine to what extent profiling and microtargeting are being used and take the necessary measures to ensure that such use is in accordance with data protection laws.