Of late, the tech industry has been at odds over how much data can be collected to enable targeted advertising.

Apple had announced last year that it wanted to introduce the App Tracking Transparency feature in its latest iOS 14.5 update, which was eventually released this April. This feature allows users to decide how apps and websites collect their data.

“Your information is for sale and you have become a product,” said Apple in a promotional video. It made the point that companies have been collecting users’ data and selling it to third parties, who then target users with personalised advertisements or attempt to shape their behaviour.

Naturally, not all the other big tech companies agreed with Apple. Facebook, for one, argued that personalised advertising allows users to see content they care about. It also enables small businesses with small budgets to effectively connect with customers and grow. There are steps one can take to limit data sharing on its platform.

Interestingly, these tech giants are not the only ones that have announced their stance on data collection. In March, Google said it planned to ban third-party cookies on Google Chrome by 2022, a deadline delayed to 2023 recently. This means advertising companies that rely on cookies to track user behaviour across the web cannot do so any more.

In place of third-party cookies, Google has proposed the use of the Federated Learning of Cohorts (FLoC) technology. FLoC will track users’ browsing habits across the internet, put them into cohorts based on those habits, and then allow advertisers to target their ads to the cohorts instead of individual users.

While all these may seem irrelevant to many of us, we should be aware of how the changes will affect us.

It is unsettling to immediately see an ad on Facebook, for instance, about the skincare product you were just talking to your friend about. It can also be difficult to know who has received your data and what they are using it for.

Reuben Ch’ng, head of marketing at LEAD, a tech training institute, finds himself on the side of companies that want to protect user privacy. But he is not doing this without acknowledging their motivations.

“Apple is doing it to appear as a first-market mover, and it ties in well with its products. One of its strongest selling points is that it has privacy-enabled devices. Google has a monopoly, so it doesn’t really need third-party cookies. It already has a lot of first-party data. As for Facebook, it wants to track behaviours beyond its own platform,” says Ch’ng, who teaches digital marketing.

“The whole idea is that if I searched for laptop bags on Google, when I go to Facebook, I will see ads from 10 different advertisers selling laptop bags.”

To a certain extent, Facebook is right that targeted advertising may not be as effective if it does not have the relevant data, says Steven Yap, head of digital and operations at Kingdom Digital, a digital advertising agency.

Businesses with a good understanding of their target audience can craft more effective marketing messages. Consumers, on the other hand, will reap the benefit of seeing only relevant content.

“Personalised experiences have been proven to boost both customer loyalty and also distinguish oneself from competitors. Hence, brands cannot afford to not be personalised in today’s day and age,” says Yap.

But although big companies can leverage their first-party data, small businesses may not have the resources to build their own database. “Many still struggle with fragmentation of data, which will affect the effectiveness of their campaigns as they are unable to capture the right audience pool,” Yap notes.

Who said targeted advertising has to be done this way?

It is really all about how it is done. If companies communicate better with their users and get their consent for the collecting and sharing of data, it could be better all around, say the interviewees.

“Consumers should be given the choice of enabling or disabling the ad tracking on their own terms. However, the current situation makes it very difficult for them to make that choice, as the process is too complicated and sometimes lack transparency,” Yap points out.

He suggests that tech companies make the terms and conditions of data privacy statements easier to understand through educational videos, for instance.

Data collection can also be done without being too intrusive. “It can be based on affinity or interest. You have to first ask for permission from users. People are fine with sharing their data sometimes. What they are not fine with is being shocked by what they see advertised,” says Ch’ng.

Yap has a similar view. Instead of tracking users’ behaviours across apps and websites, tech companies can provide personalised ads based on historical lookalike audiences with similar interests or purchase behaviours.

“Look at Agoda or Airbnb and the way they have successfully leveraged customers’ past booking history to provide personalised offers,” he says.

On the other hand, targeted advertising as it is currently done may not be the only way to do it. Ch’ng, for one, does not think that is the best method of advertising.

“For instance, the reason you buy a pair of Nike shoes or an Apple computer is due to their branding, built over many years. You buy into the story of what they have to sell,” says Ch’ng.

Undeniably, trying to sell a brand to consumers still requires some form of targeted advertising so you are not selling running shoes to the wrong audience. But “instead of targeting ads all the time, businesses should build communities around their products. Like a running club for Nike”, Ch’ng says.

Meanwhile, Kingdom Digital relies on consumer insights from audience research platforms like the Global Web Index to understand consumer behaviour. “These are captured from online surveys based on anonymous consumer groups, which allow us to understand their behaviour without capturing personal data,” says Yap.

Another idea that has come up is to reward users who share their data. Yap is intrigued by this. The Gener8 browser, which allows users to limit companies in tracking their data and earn rewards when they share their data with Gener8, is an example.

Mritunjay Kumar, co-founder of ­marketing technology platform InsightzClub, is implementing this business model in Malaysia. His platform gives financial rewards to users who download the app and allow it to collect data. According to him, this data is anonymised, then analysed on an aggregate level, and the insight is sold to companies.

“We have a real-time dashboard in our app where users can see what data is being shared and how it’s being used. We are trying to bring efficiency to marketers so they have more information and can provide you with better services. For consumers, we’re empowering them to control their own data,” says Mritunjay (see “Insightz Club: Let users monetise their data”).

Of course, before using such services, users have to read the terms and conditions carefully to understand how these third-party platforms are using and sharing their data. They should ensure it is not intrusive or illegal, otherwise they are just giving away their data to another party.


Insightz Club: Let users monetise their data

Mritunjay Kumar, co-founder of marketing technology platform Insightz Club, launched the platform four years ago. He says it now has more than 22,000 users in Malaysia and works with over 40 brands, including Maxis Bhd, CIMB Bank Bhd and L’Oreal.

When users download the platform’s app, they are asked to allow access to individual apps for data collection. If the user allows access to YouTube, for instance, InsightzClub will collect data about how much content the user watched in the last month and how many ads they saw.

Mritunjay says Insightz Club does have some boundaries. For instance, it does not access the users’ contacts or read encrypted messages. At most, it will know how much time the user spends on a messaging app.

“We are a consumer insights company. We collect the data, do our own analysis and work with brands. We always analyse data at an aggregated level,” he says.

Depending on how much data the user shares, they could earn RM15 to RM20 a month, adds Mritunjay. “We make sure the data is not misused by having multi-layer data protection, validation and encryption.”


Deficiencies in privacy laws

Around the world, laws and regulations on data privacy have been passed to protect user privacy, with the European nations taking stricter actions against tech giants.

The General Data Protection Regulation (GDPR) presents a baseline set of standards for companies that handle the data of EU citizens. In Malaysia, similar protection is offered by the Personal Data Protection Act (PDPA) 2010.

Under both regulations, businesses are able to collect, record, store and process consumers’ personal data. Consent has to be provided by the consumers and the processing of personal data cannot be excessive, says Ian Liew, associate at Donovan and Ho.

Basically, users do have certain rights to limit the use of personal data for advertising purposes. The problem is how specifically the regulations address the latest technology developments involving data collection.

“The PDPA does not address targeted advertising directly, but it grants the right to users to object to the processing of their personal data for the purposes of direct marketing, which means the sending of advertising material directed at particular individuals,” says Liew.

The GDPR, meanwhile, addresses this directly. Users have a right to not be subject to a decision based solely on automated processing, which is free from human influence, and profiling, which categorises people based on predictions of their behaviours and interests. Targeted advertising falls under profiling.

Consent is also not clearly defined by the PDPA, Liew observes. But the GDPR defines consent as “being freely given, specific, informed, unambiguous and given by a clear affirmative action”.

Comparing the two, it could be possible for Malaysian businesses to presume that consent is given by consumers unless they actively withdraw consent (opt out), says Liew. “This would not be legal under the GDPR, which requires consumers to take positive action to provide consent, either by signing a form or clicking ‘I consent’ or ‘I agree’.”

Apart from consent, data management is another issue that consumers must be aware of, says Norhisham Abd Bahrin, partner at Azmi & Associates.

“The trouble with targeted advertising is that it is fraught with intrusive data practices. Personalisation requires disclosure of personal data, including preferences, purchase habits, browsing history and demographics,” says Norhisham.

“More often than not, this data is then subject to further analysis, including via machine learning using algorithms, which is at the disposal of the advertisers. On top of that, this data is usually stored, managed and utilised outside of the knowledge and control of users.”

A clear breach occurs when consent is not effectively given by users. However, “it’s difficult to establish privacy breach when our PDPA doesn’t define any minimum standard for consent, doesn’t regulate online privacy and has no provision on e-marketing, cookies or newer tracking and surveillance technology, including geotagging. It is not even applicable to personal data processed outside Malaysia”, says Norhisham.

“So, until our laws on data privacy are brought up to date to deal with the complexities of online digital technology, it’s quite a challenge to define a breach from the regulatory perspective since advertisers can easily find loopholes in the current data protection and management regime for digital platforms.”

How the laws should be updated 

Provisions should be inserted in the PDPA to specifically address the obligations of businesses that conduct targeted advertising, Liew says. Consumers should also be aware of what they are signing up for and make informed decisions regarding their data. “At the minimum, the choices that consumers should get need to be consistent with the rights of consumers and data subjects. This would include the right to withdraw their consent to the processing of their personal data,” says Liew.

On the bright side, the Personal Data Protection Commissioner is considering issuing a data protection guideline that covers digital marketing. Norhisham believes Malaysia can learn from the GDPR.

“The EU’s logic in attempting to regulate targeted advertising more strictly in favour of less intrusive, contextualised forms of advertising that require less user data can certainly be appreciated in this part of the world. The legal framework to regulate these issues must also be practical enough for businesses to comply with,” he says.

Some areas that can be tightened include introducing data breach notification requirements with penalty enforcement for data users, observes Norhisham.

Additionally, the PDPA should be complemented with new privacy provisions on cookies and tracking technologies in simple and user-friendly language. Data transferability abroad and the extraterritorial reach of the PDPA should also be considered, he adds.


About server_gqvm2786