Argentina: Online behavioural advertising and the protection of minors' personal data
As almost everyone around the world uses the internet, online behavioural advertising ('OBA') has a substantial importance in any marketing effort, and targeted behavioural marketing has become central to the internet business model. Mariano Peruzzotti, Partner at Ojam Bullrich Flanzbaum, provides an analysis of the current regulatory landscape in Argentina, specifically in regards to OBA and the protection of minors' personal data.
Globalisation, innovation, and the advances of technology have dramatically changed many aspects of our life. The digital revolution constitutes one of the most paradigmatic worldwide developments that have strongly and transversely impacted all activities within society.
Personal data has become the fuel that powers the digital age. The current significant value of personal information is undeniable, and personal data is one of the main sources of value in many modern commercial activities. Indeed, most businesses use consumers' personal information for revenue gain. The processing of huge amount of personal data allows companies to determine the consumers' habits, their needs and interests, and, consequently, to improve and customise their own services according to the consumers' preferences.
As a consequence of the extensive use of technology and the internet, marketing practices have changed over the last few years, and efforts are focused on obtaining more revenue with each marketing campaign. To that end, knowing the consumer is key in determining its preferences and in reaching the potential client in a more effective way.
What is OBA?
OBA entails the tracking of users when they surf the internet and the building of profiles over time, which are later used to provide them with advertising matching their interests1. OBA constitutes the technique of using information collected about the behaviour of individuals online in order to show advertisements to them that are believed to be relevant to their preferences and interests. Relevant tools used for these purposes include tracking technologies, such as cookies, web beacons, and tracking pixels, which allow companies to gain information on individuals users' activities, sometimes also without their knowledge.
The solutions that rely on OBA addressed to minors may involve potential conflicts between the economic interests of advertisers and the interest of the children, namely having adequate safeguards concerning the lawful use of their personal data. Advertising aimed at children is problematic, since children are usually unable to critically evaluate the messages that they receive and to understand that they are being marketed through persuasive tactics2.
Legal landscape and general rules
Personal data protection is recognised by Article 43 of the Argentine Constitution and in Personal Data Protection Act, Act No. 25.326 of 2000 ('the Act') as restated by Decree No. 1558/2001 Regulating Law No. 25.326 ('the Regulatory Decree') and further complemented by the regulations issued by the Argentinian data protection authority ('AAIP'). Personal data protection as a right is also recognised by Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108') to which Argentina adhered in 2019. Argentina has also signed the Convention 108+ for the Protection of Individuals with Regard to Processing of Personal Data ('Convention 108+'), but its ratification by the Congress is still pending.
The Act rules the conditions to treat and process personal data, which is defined as any kind of information referring to individuals or legal entities, whether identified or identifiable.
The Act has its roots in some foreign legislation precedents, such as Spain's Organic Law 5/1992, Organic Law 15/1999 of 13 December on the Protection of Personal Data, and the Data Protection Directive (Directive 95/46/EC). Thus, the legal statute in Argentina is remarkably similar to the provisions of the former EU Directive, as well as to laws enacted by the EU Member States before the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') was enacted. Even more so, much of the interpretative criteria taken by the local data protection authorities have followed the considerations of European regulators, for instance, the Spanish data protection authority ('AEPD').
The Argentinian legal framework relies on explicit consent as the legal basis for the processing of personal data. Neither legitimate interest nor implied consent are recognised by Argentinian law. Pursuant to Section 5 of the Act, data subjects' consent must be obtained before personal data is collected or processed, unless an exception applies to the case. Although the Act sets forth specific and limited exceptions to the consent rule, the application of such exceptions to a case shall be construed restrictively.
The Act contains no specific references to OBA or profiling. Nevertheless, Section 27 of the Act and the Regulatory Decree sets forth basic and general rules on the processing of personal data for marketing purposes without distinguishing the means used to carry out the advertising activities. Thus, said general rules shall apply regardless of the means used to carry out the marketing activities.
Pursuant to Section 27 of the Act, companies may use gathered information connected to addresses, delivery of documents, advertising, or direct sales and other similar activities to determine consumers' profiles for commercial, promotional, or advertising purposes, provided that (i) such data is accessible to the public; and (ii) the data subject supplied the information voluntarily or gave their consent. In practice, this is given by a written consent or through a clicking box.
Section 27 of the Regulatory Decree provides that, in the context of marketing campaigns, the data subject's consent shall not be necessary for the collection, treatment, and transfer of personal data provided that: (i) the purpose of such collection, treatment, and transfer of data is to define certain profiles, categorising preferences and behaviour similarities among persons; and (ii) the data subject can only be identified by their belonging to generic groups.
In other words, under the Regulatory Decree the data controller can treat limited personal data for marketing purposes without obtaining prior data subject's consent. This legal statute seems to rely on an opt-out consent when dealing with the processing of information for marketing purposes. Nevertheless, in two precedents Argentinian courts have considered that the data subject must give their explicit consent in relation to the different aspects of the data processing, including the use of the information for promotional purposes. In one of these cases, the court ruled that the use of personal data for direct marketing would exceed the aim originally agreed for the data collection.
Thus, the most conservative approach would be obtaining the explicit consent to avoid any risk related to an unlawful treatment of individuals' personal data for marketing purposes, such as in the case of OBA.
Additionally, the AAIP's Resolution 4/2009 requires the use of specific language informing the data subject's right to opt out in all marketing messages.
Minors' personal data
Argentina signed the United Nation's Convention on the Rights of the Child, which guarantees the right to privacy of the child. Indeed, Article 16 provides that 'no child shall be subjected to arbitrary or unlawful interference with their privacy, family, home or correspondence, nor to unlawful attacks on their honour and reputation'. Moreover, 'the child has the right to the protection of the law against such interference or attacks'.
Nevertheless, neither the Act nor any other legal statute contain any specific provision concerning the protection of minors' personal data. Consequently, there are no rules or guidelines related to OBA addressed to children and teenagers.
In recent years, a Personal Data Protection Bill introduced by the former administration in Congress set out further conditions for the lawfulness of the processing of personal data in relation to information society services offered directly to minors. According to that initiative, data controllers were obliged to obtain verifiable parental consent prior to collecting, using, or disclosing personal data from children under 13 years of age. Pursuant to the accountability principle, the controller was also required to make reasonable efforts to ensure it obtains verifiable consent. Unfortunately, this Bill has never been discussed in Congress so it is no longer valid.
Considering the lack of a specific provision in the Act, it could be construed that, as any other civil act, the processing of personal data of children under the age of 18 requires their legal representatives' (parents or custodians) prior consent (i.e. the same rules governing the capacity to enter into a contract govern the capacity to consent to data processing operations as well).
However, Resolution 4/2019, by recognising the progressive legal capacity principle set forth by the Argentinian Civil and Commercial Code, states that the following should be taken into consideration when processing minor's personal data:
- depending on the minor's physiological characteristics, skills, and development, they can give their informed consent for the processing of the personal data; and
- if the minor does not have enough capacity to provide their informed consent, then the minor's legal representative (parents or custodian) should give the consent on their behalf - in this case, the data controller must take reasonable steps to verify the identity of the legal representative.
The practical challenges that these rules impose to companies relates to the fact that there are no general guidelines to determine whether a minor has enough maturity to provide their free consent. Therefore, although in certain cases a minor could be in a position to provide a valid consent, it is not possible to draw general rules; hence, a conservative approach would suggest obtaining the consent of the minors' legal representatives for the processing of their personal data.
There is no guidelines or court precedent that has analysed the issue related to the need of obtaining the data subjects' consent to engage in OBA yet. In so far as minors are concerned, it seems that the approach that will be in line with the general principles set forth in the Argentinian legal system, including human rights treaties, will be the one that relies on a previous authorisation.
In order for the consent to be valid, it must be given by the relevant minor when they have reached the necessary maturity to understand their acts, or by the parent or other legal representative in the remaining cases. Again, as determining whether a minor has reached enough maturity could be troublesome, companies may take the conservative alternative of requesting the parental consent.
Organisations will need to provide conspicuous notice about the collection and use of minors' personal data pursuant to Article 6 of the Act.
Consequences of non-compliance
The AAIP may impose the following administrative sanctions in case of breach to the provisions of the Act: (i) written warnings; (ii) suspension of the database from one to 365 days; (iii) cancellation of the database; and/or (iv) fines ranging up to ARS 100,000 (approx. €778) per infringement.
Any affected data subject may also request compensation for damages if they consider that privacy rights have been violated.
The provisions of the Act have not been rigorously enforced and there have been relatively few enforcement actions alleging violations of the Act since the enactment of the law. Nevertheless, there has been an increase number of investigations and sanctions imposed by the AAIP. This seems to be a trend towards a greater governmental oversight over controllers and processors.
DPA's guidelines and suggested best practices
In the absence of specific regulations, it is deemed important to consider the AAIP's previous opinions and regulations related to data processing aspects when dealing with minors' information.
The AAIP released some recommendations on the use of minors' personal data in the context of the COVID-19 pandemic. In that publication, the AAIP highlighted the importance of the responsible use of technology, the role of parents, and the children's privacy. The AAIP stated that 'through the websites, video games, social networks or online advertising that children and teenagers usually use, they can be exposed to content that is not appropriate for their age. As a consequence, they may suffer emotionally and psychologically'. Therefore, the AAIP promoted the education of minors on personal data protection rights from an early age. Moreover, the AAIP recommended the implementation of specific mechanisms to limit access to inappropriate content, such as pornography, gambling services, addictions, misinformation, etc. to limit access to inappropriate content and control the use of the devices by children and adolescents.
This document is in line with previous AAIP's Resolution 18/2015, which provided a set of privacy guidelines to be considered when developing applications. This document stated that in case the application is used by children or teenagers, the developer should take special care to properly protect their privacy rights. Resolution 18/2015 further provided that 'although this is a group that makes intensive use of technology, they may lack of critical thinking skills which are necessary to identify the dangers that the misuse of personal information may entail'.
As minors are considered to be a vulnerable group, the AAIP deemed that it will be necessary to implement special protection safeguards, such as the following:
- limit as much as possible the kind and amount of information collected;
- adopt strict security measures;
- avoid sharing minors' personal information with third parties;
- provide appropriate information about the responsible use of their data and warn them about the dangers related to its misuse; and
- whenever appropriate, obtain parental consent, as well as establish safeguards to keep them informed about the uses of the personal information of minors.
The current regulations in Argentina do not provide clear and specific rules on the use of OBA. In the case of minors, this represents a real challenge for companies using this kind of technology for commercial purposes. Bearing in mind the principles recognised by human rights treaties and the spirit of the Act, it is understood that an advisable approach would be the one that relies on the prior and explicit consent. Companies should implement reliable methods of parent verification when consent is sought.
Moreover, complete information about the data processing activities shall be provided in a transparent, intelligible, and easily accessible form, using clear and plain language. Particularly in the case of minor, they should be able to fully understand all the terms avoiding the use of legal jargon. Simple expressions, short sentences, images, graphics, videos, or audios explaining these issues specially addressed to children may facilitate the comprehension of the content.
Mariano Peruzzotti Partner
Ojam Bullrich Flanzbaum, Buenos Aires
1. See: The Article 29 Working Party Opinion 2/2010 on online behavioural advertising.
2. See: http://www.europarl.europa.eu/supporting-analyses