Switzerland: Retargeting In Personalised Ads: Balancing E-Commerce Strategies With Data Protection

In the digital space, e-commerce platforms are leveraging personalised advertising to enhance customer experiences and boost sales. Retargeting, a form of personalised advertising, has become a game changer, enabling businesses to re-engage potential customers by displaying ads based on their previous online activities. While this approach can significantly uplift conversion rates, it also entails critical considerations regarding data protection and privacy compliance, notably in the light of the General Data Protection Regulation (GDPR).

THE MECHANISM OF RETARGETING

Retargeting operates by utilising cookies or pixel tags to track the online behaviour of users and subsequently display relevant ads as they traverse different websites. For instance, a user visiting an e-commerce site might explore a particular product but leave without making a purchase. Retargeting enables the e-commerce platform to display ads for that specific product on different websites that the user visits subsequently, keeping the product in the user's purview and increasing the likelihood of conversion.

WHAT IS AT RISK?

A noteworthy instance that underscores the significance of compliance is the €40 million fine imposed on Criteo by the French data protection authority, CNIL. The authority highlighted that Criteo did not obtain valid consent for processing personal data for advertising purposes and failed to comply with the users' right to object to the processing of their data for such purposes, among others.

BEST PRACTICES FOR LEGAL COMPLIANCE

E-commerce platforms must ensure that their retargeting strategies are not only aligned with their marketing objectives but are also meticulously crafted to adhere to data protection regulations.

• Transparency:  ensure that users are fully informed about the data being collected, the purposes of its use, and the mechanisms of retargeting.
• Consent Management:  implement robust consent management systems to obtain, manage, and document user consents, ensuring that they are freely given, specific, informed, and unambiguous. Find more tips on consent in  this article.
• Data Subject Rights: provide users with clear, accessible mechanisms to exercise their rights under data protection laws, such as the right to access, rectify, and erase their data.
• Data Processing Agreements: establish robust data processing agreements with ad service providers, clearly defining data processing roles, responsibilities, scope and purpose of processing, security measures, protocols for data breaches, compliance with international data transfers, and provisions for auditing.

COLLECTIVE FACET OF DATA PROTECTION

Collective actions, where a group of individuals come together to address common complaints, are emerging as a potent force in holding organisations responsible for data protection violations. For instance, the Dutch consumers' association, Consumentenbond, together with the Privacy Protection Foundation, initiated legal proceedings against Google, representing a collective action aimed at safeguarding user privacy.

E-commerce platforms must be aware of the potential backlash, both financial and reputational, that may arise from collective actions, ensuring that their retargeting practices are legally compliant.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.