Target advertising raises some crucial legal issues

By Shubneet Panjete, Lall Lahiri & Salhotra

Traditional advertising – through media such as newspapers, magazines, radio, television and billboards – has focused on obtaining maximum viewership with the hope that the target audience will be among the viewers.

Shubneet Panjete Senior associate Lall Lahiri & Salhotra
Shubneet Panjete
Senior associate
Lall Lahiri & Salhotra

In our digital age, as advertisers continuously seek new modes of advertisement to keep up with advancements, the concept of target advertising has been introduced. This form of advertising aims to reach a product’s target audience and not the general public, through tracking and analysing a person’s computer usage to determine their characteristics, interests and preferences.

The object is to enable an advertiser to advertise its products or services only to people who would be interested in them, thereby saving costs as well as ensuring that members of the target audience are not left out in an advertising campaign.

An example of this is social networking pages that present ads along with a person’s profile. It is common practice to target advertisements at users based on their age, gender and the pages and information they view the most. Apart from social networking, advertisers also target customers at other websites based on their usage of the internet. For this to be done, internet users are being watched and analysed.

While targeted advertising benefits both businesses and customers, the legal issues arising from it cannot be ignored. In addition to tracking usage of news and information websites, internet searches, etc., a person’s online shopping purchases and visits to banking and financial websites may also be tracked. Notwithstanding the safeguards put in place by website owners, legal provisions regarding the collection, storage and access to such information are essential.

Approaches vary

The European Union has taken the initiative to regulate such tracking and also with respect to storage and dissemination of this information through its Directive on Data Protection and its recent proposal to formulate a Data Protection Regulation that would be legally binding on all 27 members of the EU. The directive and proposed regulation are highly detailed legal provisions controlling various aspects of data collection, manipulation, transmission and storage, and giving teeth to regulatory and enforcement bodies to ensure compliance.

In contrast, the US has no specific provisions pertaining to protection of online data, except for some that apply to limited circumstances and few parties. The field remains largely self-regulated.

India’s path

In India, the Information Technology Act, 2000, contains little in respect of data protection. Section 43 deals with intentionally accessing, without consent, a computer or computer system, and obtaining access to information from a computer without consent. This does not specifically address the issue of targeted advertising, where a large volume of information is collected from sources to which information has been voluntarily given (such as social networking websites), or the monitoring of internet usage such as through cookies.

In 2011, with the intention of plugging loopholes on data protection, the Ministry of Communications and Information Technology notified the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. These rules provide guidelines for data collection, storage, access and dissemination. However, they do not provide protection to internet users whose information is either watched or tracked without their knowledge.

The rules define “sensitive information” and “personal information”. Rule 4 provides for disclosure of the fact of collection of information through a “lawful contract” and a privacy policy. Rule 5 provides for obtaining the consent of a person in writing before collection of sensitive information and provides general guidelines for its storage and use. Rule 7 provides for the transfer of information with the condition that such transfer can take place only if the same level of data protection is ensured. Rule 8 leaves it to a body corporate to formulate its own security practices and procedures, providing ISO guidelines as the standard.

Targeted advertising usually employs mechanisms that easily circumvent these regulations. The monitoring of cookies or internet usage may be done not by the owner of a website but by outsiders who, without approaching the users of the website, transmit the information to advertising groups that use it. Such information may not even be personal or sensitive information.

The rules described above provide a reasonable safeguard in respect of data protection, but leave a lot to be desired. There are no enforcement mechanisms for the rules and no regulatory body to oversee their effectiveness or deal with their contravention. With the large amount of data generated, transferred and analysed, particularly by India’s IT sector, the law must provide greater control and protection of data along with the flexibility to adapt with changing technologies and online practices.

Shubneet Panjete is a senior associate at Lall Lahiri & Salhotra, which is an IP boutique based in Gurgaon.


LLS House, Plot No. B-28,

Sector – 32, Institutional Area,

Gurgaon – 122001, National Capital Region,


Tel: +91 12 4238 2202 / +91 12 4238 2203

Fax: +91 12 4403 6823 / +91 12 42384898