Online retargeting: behavioural targeting reloaded?

Phil Lee


United Kingdom

This article was first published in Data Protection Law & Policy in February 2011

A post on the IAB Affiliate Marketing Council's website boasts that "2010 will be known as the 're' year; retargeting, re-engagement and remarketing. Backed up by strong technology the solutions offer advertisers an excellent second bite of the cherry to convert a potentially wavering customer."1

Whilst this boast may have been a little premature (given that we are now into 2011), it does make a very valid point: advertisers are increasingly turning to online retargeting technologies to build on the commercial (if not the legal) successes of online behavioural advertising ("OBA") and to further improve advertising conversion rates.

What is retargeting?

In simple terms, retargeting can be thought of as a focussed subset of traditional online behavioural advertising. It operates on the premise that individuals are more likely to buy products and services from websites they have already visited than from websites they have not.

For example, an individual who visits the website of a popular sports brand X will have demonstrated an interest in X's products and services. This information can then be used to serve advertising to him or her about X's products and services as he or she moves across other websites.

The difference between retargeting and standard OBA is that, rather than serving targeted advertising about any brand's sports products and services as the individual moves across different websites, retargeting prioritises advertising about brand X's sports products and services. By visiting brand X's website, the individual had displayed an interest in brand X's products and services over those of its competitors, brands Y and Z.

As the quote above suggests, retargeting can prove particularly effective to help convert "wavering" customers. As an example, consider a hypothetical situation where an individual visits a popular online retailer with the intention of purchasing a TV, unaware that the retailer in question employs retargeting tracking technologies. He chooses a TV, places it in his online shopping basket and proceeds to the checkout process. However, at the last minute, he decides that the TV is too expensive and aborts the purchase. Over the next few days, he is served retargeted advertising from the retailer offering discounts against the TV he had very nearly purchased - with the result that he eventually decides to purchase the TV from the retailer after all, albeit at a discount.

As it happens, this example is particularly pertinent for a number of reasons. When visiting the online retailer, the individual was not aware that his behaviour would be tracked for retargeting purposes nor given an opportunity to accept or refuse this (raising issues of transparency and consumer choice). However, the subsequent advertising and purchase was clearly to his benefit (he received a discount) and also to the benefit of the retailer (who converted an otherwise 'lost' customer).

These issues demonstrate the key commercial and privacy tensions attracted by retargeting (and, indeed, any form of OBA) - namely, how to tread the fine line necessary to balance individuals' right to privacy against advertisers' desire to serve advertising that has a clear commercial benefit to business and consumers alike.

How does retargeting work?

Just like any other form of OBA, retargeting typically operates through a complex interaction between publishers, advertisers and third party advertising networks ("ad networks").

An advertiser who wishes to retarget its products and services to visitors to its website will typically engage an ad network to help it achieve this. The ad network will place cookies on the computers of visitors to the advertiser's website and then track their behaviour as they browse the website (for example, recording information about the pages they visit and the items they put in their shopping basket).

If visitors leave the advertiser's website without making a purchase, the ad network can still continue to recognise those visitors when they visit third party websites from the cookie previously placed on their computer (assuming that those third party websites have also partnered with the ad network). It can then determine the products and services they had previously shown interest in on the advertiser’s site and serve retargeted advertising to those visitors about those products and services - often incentivising conversion by offering promotions or discounts.

Privacy concerns

Naturally, the tracking of individuals' behaviour as they move around and across websites raises a number of legitimate privacy concerns. What personal information are the ad network, advertiser and publisher each collecting? How are individuals told about this collection? What rights do they have to accept or refuse the use of their information for retargeting purposes? Who bears responsibility for ensuring that individuals’ information is processed lawfully?

These questions have been debated on both sides of the Atlantic in the context of wider regulatory discussions about the use of OBA technologies. In Europe, much of this debate has focussed on two key developments: firstly, amendments to the Privacy and Electronic Communications Directive ("PEC Directive")2 introduced at the end of 2009 that require "consent" before cookies may be placed on individuals' computers and, secondly, the Article 29 Working Party’s Opinion 2/2010 ("Opinion") on online behavioural advertising published in June 2010.3

Focusing on these issues specifically, these developments can broadly be summarised as follows:

  • Amendments to the PEC Directive: In November 2009, Article 5(3) of the PEC Directive was amended to move the European cookie compliance regime from one of ‘notice and opt-out’ to one of ‘notice and consent’. As previously drafted, Article 5(3) required only that data controllers must notify individuals about cookies placed on their computer and afford them the opportunity to refuse cookies. Website publishers typically addressed this requirement by way of a short privacy policy disclosure telling visitors about cookies used on the website being visited and giving instructions about how to refuse them (often by linking out to a third party informational resource like As amended, Article 5(3) now requires that data controllers must obtain individuals' "consent" to cookie use having first provided them with clear and comprehensive information.4 This has sparked an impassioned debate between regulators and industry as to whether "consent" should mean 'opt-in' consent, a right to 'opt-out' or something in between.
  • Article 29 Working Party Opinion: The Article 29 Working Party waded into this debate when it published its Opinion in June 2010. It set forth its view that "consent" means just that - that individuals must consent, not opt-out, before they are served with cookies for OBA purposes. It also largely scotched arguments by industry that individuals' consent could be implied through the use of appropriate browser settings, noting that the current generation of browsers are typically set by default to accept cookies. Significantly, the Article 29 Working Party indicated that all players within an OBA ecosystem (advertiser, publisher and ad network) might potentially act as data controllers and therefore attract compliance responsibilities under the Data Protection Directive.5

Implications of the amended PEC Directive and Opinion

It would be difficult to overstate the alarm that the PEC Directive amendments and subsequent Article 29 Working Party Opinion generated. The advertising industry argued that advertisers and publishers would have little option but to meet the new cookie "consent" requirement by way of multiple pop-up windows displayed to individuals each time they visited a website asking them to agree to receive cookies (although it should be noted that the Opinion never proposed this, instead suggesting that "the consent obtained to place the cookie and use the information to send targeting advertising would cover subsequent 'readings' of the cookie that take place every time the user visits a website partner of the ad network provider which initially placed the cookie.").

Thankfully, the position does not seem quite this bad. The EU Commissioner for the Digital Agenda, Neelie Kroes, appeared to be steering a middle course between consumer protection and commercial pragmatism when, in September 2010, she said that "We need a user-friendly solution. It would be prudent to avoid options such as recurring pop-up windows. On the other hand, it will not be sufficient to bury the necessary information deep in a website's privacy policies. We need to find a middle way." Meanwhile, the Article 29 Working Party has been engaging in discussions with industry stakeholders about potential ways that the new cookie consent requirements might be met - partially fuelling development by the three major browser developers (Microsoft, Mozilla and Google) of 'do not track' mechanisms in the next generations of their browser software.

However, the big unknown remains how Member States will implement the amended PEC Directive into national laws. The UK, for example, has currently indicated that it will broadly transcribe the amended requirements into national law without providing further clarity as to what they actually require in practice - leaving it up to the Information Commissioner's Office to decide how best to regulate the new "consent" requirement.6 If other Member States follow this 'leave it to the regulators' approach, businesses may find that national cookie "consent" requirements become determined solely by the attitudes and agendas of national regulators, with conservative regulators likely to take a tougher line than those in more business-friendly jurisdictions. This, in turn, might lead to a patchwork quilt of national consent requirements across Europe that achieves the worst of all possible outcomes: further European data protection disharmony that achieves little real protection for consumers in practice, but which imposes additional costs and burdens on business.

IAB retargeting guidance withdrawn

In a separate, somewhat curious, development, the Internet Advertising Bureau's ("IAB") Affiliate Marketing Council published self-regulatory guidance in September 2010 on the use of cookies to serve retargeted advertising. Amongst other things, this advised advertisers and ad networks that cookies used to serve retargeted advertising should expire within 48 hours after being served.

Yet, just one week after its publication, the IAB decided to retract the guidance citing "extensive" feedback from its members. To date, no further guidance specifically addressing the issue of retargeted advertising has been published by the IAB, although the IAB's "Good Practice Principles for Online Behavioural Advertising"7 provide self-regulatory guidance to advertisers in connection with OBA generally.

Where does this leave retargeting?

Ultimately, the future regulatory position of retargeted advertising at a national level remains uncertain. In the meantime, the current 'notice and opt-out' regime continues to apply until the new PEC Directive "consent" requirements are finally implemented into Member States' national laws - in whatever shape and form these eventually take.

Nevertheless, in the absence of clear regulatory guidance, there are various good practice measures that ad networks, advertisers and publishers can take to mitigate compliance risk and to best position themselves for the incoming cookie "consent" regime:

1. Ensure that your privacy policy clearly discloses any use of cookies for OBA / retargeting purposes.

In addition to simply informing consumers what cookies are and how they may refuse them, advertisers should disclose within their privacy policies that they use cookies for targeted advertising purposes and explain what this means.

2. Offer 'enhanced notice' around targeted adverts displayed to consumers.

Advertisers should, wherever possible, ensure that consumers are made aware that they may be tracked for the purpose of serving targeted (or retargeted) advertising. Recognising that consumers should be notified when they are tracked for targeted advertising purposes but that few, if any, actually read website privacy policies, the advertising industry is increasingly looking towards means of providing 'enhanced notice' to consumers about the use of OBA. In the US, the Digital Advertising Alliance has launched an 'advertising option icon' that advertisers can display around targeted adverts served to consumers. Consumers can click on this icon to learn more about how their information is used for OBA purposes, what OBA is, and their rights to refuse OBA.

3. Provide a simple, easily accessible means to accept or refuse OBA.

As a minimum, consumers should always have an easy means by which to refuse OBA. Ideally, this would form part of the 'enhanced notice' provided to consumers alongside OBA adverts, but other common practices include the provision of 'opt out' buttons on ad networks' websites and within publishers' privacy policies, as well as hypertext links through to sites that allow a 'global opt-out' across all participating ad networks offered by the IAB and the US Network Advertising Initiative.8

Better still, from a legal (but perhaps not a commercial) perspective, would also be to offer consumers a means by which they can choose whether or not to accept OBA in the first place. This might be, for example, through a website privacy preferences page clearly explaining the benefits and consequences of OBA, and how visitors may choose to 'turn on' targeted advertising (perhaps by clicking a button or a hypertext link to indicate acceptance).

It is particularly important that advertisers respect any OBA preferences expressed by consumers - it may seem obvious, but individuals who decline OBA should not continue to be tracked for OBA purposes, and the use of technologies to 're-spawn' cookies previously declined by a consumer should be avoided.

4. Apportion data privacy responsibilities within OBA service provision contracts.

Website publishers and ad networks should apportion data protection compliance responsibilities appropriately between themselves within their OBA service provision contracts. This is particularly important given the Article 29 Working Party's Opinion that publishers and ad networks may both act as controllers when serving OBA, and therefore both be subject to the requirements of the Data Protection Directive. Discussing how to apportion compliance responsibilities will not only ensure that consumers' rights are properly protected, but will also help to inform publishers and ad networks about their respective compliance responsibilities - helping to avoid the risk that responsibilities "fall between the cracks".

5. Proactively adopt "do not track" browser functionality.

Increasingly, the solution as to how to give individuals control over retargeting and OBA technologies, whilst avoiding the dreaded scenario of multiple pop-up "consent" windows, looks to lie with browser manufacturers. Microsoft, Google and Mozilla have each announced that they intend to launch "do not track" functionality for OBA in the next incarnations of their respective browsers. In addition to the recommendations described above, publishers and ad networks would therefore be well advised to proactively ensure that their websites and targeting platforms will be compatible with incoming "do not track" browser functionality. Those that do will undoubtedly better position themselves to mitigate potential risk exposure when the new cookie "consent" regime takes effect.
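By way of illustration, the following sketch models the retargeting cookie flow described under "How does retargeting work?" together with measures 3 and 5 above: an ad network that stops tracking when it sees a `DNT: 1` request header or an opt-out cookie, and that expires its identifier rather than re-spawning it. It is an added example, not part of the original article and not any ad network's actual code; the cookie names, the product identifier and the use of the withdrawn guidance's 48-hour lifetime are assumptions made for the illustration.

```python
import secrets

RETARGET_COOKIE = "rt_id"      # hypothetical cookie names, not from any real ad network
OPTOUT_COOKIE = "rt_optout"
MAX_AGE = 48 * 3600            # assumption: 48-hour lifetime from the withdrawn IAB guidance

profiles = {}                  # cookie id -> products viewed on the advertiser's site


def tracking_allowed(headers, cookies):
    """Refuse tracking when the browser sends DNT: 1 or carries the opt-out cookie."""
    return headers.get("DNT") != "1" and cookies.get(OPTOUT_COOKIE) != "1"


def on_advertiser_page(headers, cookies, product):
    """Ad network tag on the advertiser's site: record interest, return Set-Cookie lines."""
    if not tracking_allowed(headers, cookies):
        profiles.pop(cookies.get(RETARGET_COOKIE), None)   # drop any earlier profile
        # Expire the identifier instead of re-creating ("re-spawning") it.
        return [f"{RETARGET_COOKIE}=; Max-Age=0; Path=/"] if RETARGET_COOKIE in cookies else []
    visitor = cookies.get(RETARGET_COOKIE) or secrets.token_hex(8)
    profiles.setdefault(visitor, []).append(product)
    return [f"{RETARGET_COOKIE}={visitor}; Max-Age={MAX_AGE}; Path=/; Secure; HttpOnly"]


def on_publisher_page(headers, cookies):
    """Ad slot on a partner publisher's site: choose a retargeted or a generic advert."""
    seen = profiles.get(cookies.get(RETARGET_COOKIE), [])
    if tracking_allowed(headers, cookies) and seen:
        return f"retargeted: {seen[-1]}"
    return "generic"


def demo():
    # Constructed requests: a visitor abandons a basket, then browses a partner site.
    set_cookie = on_advertiser_page({}, {}, "TV-42in")
    visitor = set_cookie[0].split(";")[0].split("=")[1]
    jar = {RETARGET_COOKIE: visitor}
    tracked = on_publisher_page({}, jar)
    with_dnt = on_publisher_page({"DNT": "1"}, jar)
    # The visitor opts out; the next advertiser-site hit must delete, not re-spawn.
    jar[OPTOUT_COOKIE] = "1"
    after_optout = on_advertiser_page({}, jar, "TV-42in")
    return tracked, with_dnt, after_optout, visitor in profiles
```
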


  2. Directive 2002/58/EC, as amended by Directive 2009/136/EC (the Citizens' Rights Directive)
  4. Limited exceptions to this requirement exist, but these do not apply in the context of OBA
  5. Directive 95/46/EC
  6. "Implementing the Revised EU Electronic Communications Framework: Overall approach and consultation on specific issues" published by the Department for Business, Innovation and Skills in September 2010
  7. See
  8. See and respectively
