You’re browsing online, looking for those new running shoes that are going to make you fitter in 2022.  You close the browser and open a social media webpage and soon notice ads for those very joggers and similar products. Congratulations, you’re a subject of algorithmic profiling and online behavioural advertising.

You’ve probably already had similar experiences many times over. You’re likely aware that your online behaviour is tracked, and that there is a lucrative market in the advertising space for the purchase and sale of internet users’ profiles that are based on users’ online behaviour. What you may not understand is how your information is collected and behaviour is tracked, and the algorithmic profiling that occurs to serve you with this advertising.

At the same time, increasing public concern over the way in which technology is ever-creeping into – and tracking – our lives is seeing governments and some tech giants moving away from or limiting such tracking-based advertising.

In this article we look at how online behaviour is usually tracked and algorithmic profiles are compiled in online behavioural advertising, and the regulatory framework that applies in Australia, the EU and US – and how this may be changing, including under the recently introduced Digital Services Act in the European Union.

So, what is online behavioural advertising and algorithmic profiling, and how does it occur?

Online behavioural advertising is the presentation of ads to an internet user that are tailored to the user’s interests and attributes based on a “profile” of the user that has been built up over time through tracking of the user’s online activity. This “profile” of a user’s interests and their online activity can be compiled from a variety of sources, such as social media (to which users often publicly disclose their age, date of birth, location, hobbies and interests), search engines (which track users’ internet search history) and messaging services (through which users exchange information, including about hobbies, interests, family, friends and products).

Another common source through which information used for online behavioural information is obtained is through “cookies”; predominantly “third party cookies”.  Third party cookies – being data files from a provider that is not the webpage provider – can be “dropped” onto a users’ device and then track the users’ online activity as they browse the internet (see “A Guide to Internet Cookies” to better understand cookies). Advertising network providers (like Google’s AdX or AdSense) will use the information obtained from these third party cookies (and sometimes in conjunction with other information they already hold or source) to generate a profile of who the user likely is (for example, based on the websites the user visits and products they view, they are most likely to be a woman, of an approximate age, who is interested in x, y, z), and leverage that profile to sell advertising space to advertisers who push targeted content or advertising that aligns to that profile to the user’s device.

Taking Google’s AdSense to illustrate this further, AdSense will send a cookie to the user’s browser when they visit a website that is part of its AdSense network. As a spokesperson for Google has explained, devices are added to an anonymous database if certain cookies are present on a user’s device when visiting a website that is part of the Google Display Network.  Over time, this allows interest categories for each device to be created, resulting in a device “profile” which encapsulates all interest categories. Using Google’s example, if a device visits sports websites frequently, the device will be included in a relevant sports database.  The next time a user visits a different website that is part of the Google Display Network, they may get an ad for sports products.

An advertiser wishing to push targeted ads to particular kinds of online users, will usually engage an advertising network provider via a demand side platform (e.g. DV360, Google’s AdSense, Google’s AdManager).  To determine which advertiser’s ads are to be placed on a particular publisher’s website (e.g. smh.com.au), the advertising network provider runs a real-time bidding process when the user accesses the publisher’s website. The third party cookies running on the publisher website identifies the user (by their unique cookie ID), then the advertising network provider usually uses algorithmic decision-making to determine which ads are suitable based on the user’s profile. The highest advertiser bidder wins the ad position, and the ad is displayed to the user. This all typically occurs in a fraction of a second, as the web page is being loaded for you to view.

Regulation of online behavioural advertising

Some users may consider targeted or online behavioural advertising as a good thing, as they get greater exposure to products, services and other things they are interested in without having to trawl the internet. It is obviously great for advertisers because their ads are displayed to users who are more likely to purchase their products and services, and for advertising networks, as they’re able to provide measurable results to advertisers.

However, other users and stakeholders may view targeted or online behavioural advertising as predatory and harmful, particularly when used to profile and target children, vulnerable individuals, or where profiling is used to target differential pricing to different users.  What’s more, some users may not even be aware that their online activity is being tracked and used for profiling and targeted advertising.

Here in Australia, online behavioural advertising is primarily regulated through:

  • the prohibitions against misleading and deceptive conduct, false and misleading claims, and unfair business practices under the Australian Consumer Law, which forms part of the Competition and Consumer Act 2010 (Cth); and
  • the obligations under the Privacy Act 1988 (Cth) (Privacy Act) where the online behavioural advertising or algorithmic profiling involves the collection or use of personal information (being information or an opinion about an identified individual or an individual who is reasonably identifiable).  Importantly, using cookies to collect information about users does not necessarily involve the collection of personal information. 

However, discussion surrounding potential changes to the regulatory approach in the EU appears to have triggered debate in Australia and the US as to whether online behavioural advertising should be banned entirely or limited in certain circumstances.

Winds of change: greater transparency and limitation of third-party cookies and online behavioural advertising

EU – Digital Services Act

The EU is leading the charge to tighten restrictions on online behavioural advertising through the European Commission's proposed Digital Services Act (DSA), which was initially proposed on 15 December 2020. The final text of the DSA was passed by the European Parliament on 20 January 2022, and is now ready for negotiation with member states. Included in the final DSA are:

  • prohibitions on online behavioural advertising that targets children, and individuals based on their race, religion, trade union membership, health and other sensitive identifiers;
  • a requirement that online platforms make it simple for individuals to refuse or withdraw their consent for targeted ads;
  • prohibitions on asking for consent for data processing (which would include processing for the purposes of forming an user profile or targeted advertising) where the user has rejected data processing “by automated means using technical specifications” (e.g. via their device settings);
  • prohibitions on repeatedly requesting consent for data processing, where consent has been previously refused;
  • rules requiring intermediary service providers to include information in their terms on policies, procedures, measures and tools used for algorithmic decision-making; and
  • rules requiring online platforms (excluding micro and small enterprises) who display ads to ensure that individuals can identify, in real time, that the content displayed is an ad, the source of the ad, and information on why the individual has been targeted for the ad.

The changes, if they make it into law, represent a significant step towards meeting the calls of the European Data Protection Supervisor in February 2021, and the European Data Protection Board (EPDB) in November 2021, to “phase-out leading to a prohibition of targeted advertising” and increase restrictions on the categories of data that can be processed for targeting purposes, and the Committee on Civil Liberties, Justice and Home Affairs’ recommendations to require that users be required to “opt-in” to receiving targeted advertising.

US AdTech reform

In the US, the Bill for the Banning Surveillance Advertising Act was introduced to Congress on 18 January 2022 and goes further than the Digital Services Act.  The Bill, if passed, would:

  • prohibit advertising facilitators from providing targeted ads; or knowingly enabling advertisers or a third party to provide targeted ads based on personal information or unique identifiers that may be used to identify an individual or device (e.g. cookies); and
  • prohibit advertisers from targeting ads, or causing an advertising facilitator or third party to target ads based on personal information that:
    • has been purchased or obtained from someone other than the individual; or
    • that identifies the person as a member of a protected class (e.g. actual or perceived sex, race, religion, disability).

However, advertising facilitators would not be prohibited from:

  • providing contextual advertising, where ads are delivered at the time of the user’s search that are directly related to the search (for example, general ads for running shoes at the time you search for those Nike running shoes); or
  • enabling targeted ads based on personal information where the information is provided by or on behalf of an advertiser, and the advertiser has provided an attestation that it is not in violation of the Banning Surveillance Advertising Act.

Also, advertising targeting individuals based on location would not be prohibited.

While the Bill has support from a number of academics, public interest organisations and some companies, the number of people who have already come out to criticise the Bill suggests that it is unlikely that the Bill will be passed in its current form.

Privacy reform Australia

Profiling and targeted advertising will likely attract further regulation in Australia when the Privacy Act is ultimately amended.  In its submission on the Privacy Act Review, the OAIC recommended that full or partial prohibitions to specified practices, including profiling, tracking and behavioural monitoring, be introduced to the Privacy Act.  In its October 2021 Discussion Paper, the Attorney-General’s Department appeared to adopt this, recommending that online targeted advertising on a large scale be classed a “restricted practice”, requiring businesses to take additional steps to mitigate privacy risks, and targeted advertising towards children be prohibited.

Tech companies

It is not simply legislative reform that is threatening to curtail online behavioural advertising. Even among tech giants, views differ on the use of online behavioural advertising and online tracking of individuals’ behaviour.

Popular internet browsers already block third-party cookies by default, preventing the user tracking necessary for online behavioural advertising to work.  This has been the case for Firefox since 2019, and Apple’s Safari since 2020, and Google’s Chrome is set to follow suit in 2023.  That said, Google has also announced a “privacy sandbox” as an alternative to third-party cookies, which would still allow for online behavioural advertising, but, rather than rely on building exclusive individual user profiles, instead work by placing users with similar browsing patterns into “cohorts” (numbering in the thousands).  However, a number of concerns have been raised about this proposal, including that since Google has not yet said that it will itself give up access to individual user web histories to promote ads, the move will reduce competition in the ad tech industry.

Apple has gone further than other tech providers to date, and has taken a stance against behavioural advertising altogether.  iPhone users can now turn off personalised ads altogether, preventing all third-party apps from tracking users and delivering targeted ads.

Despite these measures, the advertising industry has quickly pivoted to other techniques to deliver profiled advertising, including device ‘fingerprinting’ that can generate a unique profile for virtually any device connected to the internet without the use of cookies.

Algorithmic profiling & online behavioural advertising: Greater transparency is needed 

As further changes are introduced in relation to the use of third-party cookies and online advertising, including prohibitions of certain practices and requiring greater transparency where targeting does occur, online advertisers, platform owners, advertising network providers and publishers will have to keep up to date with these developments, and make changes and adapt their business models as necessary.


Authors: Tim Gole, Jen Bradley, Claire Arthur & Rishabh Khanna

Expertise Area