Targeted Banner Advertising And Privacy
6 minutes read

As we all know, targeted banner advertising is the use of banner advertisements, served to particular site visitors or categories of visitors.

For example, if someone visits an ecommerce store without buying something, a targeted banner advertisement may appear for that visitor later on an affiliated website. 

While targeted banner advertising can be effective at reaching consumers, privacy considerations do still need to be taken into account. Internet users are becoming increasingly privacy-savvy and aware of their rights in this space, and may push back against businesses who track them without their knowledge to serve targeted advertisements. 

First we’ll take a brief look at how targeted advertising works behind the scenes, and then we’ll examine what the privacy concerns are, the regulations in this space, and how to alleviate any privacy issues.

How do Targeted Banner Ads Work?

Targeted banner ads are normally displayed to a website user through a process of remarketing.

Remarketing can be performed by using cookies or email lists, with cookie-based remarketing much more common.

Remarketing is used with visitors who visited your website, and did not make a purchase already, or those who visited and then abandoned their cart with items in it. It is also known as “conversion marketing” or “cart abandonment email marketing.”
Both Google AdWords and Google Analytics use cookies to track behaviour online. Google AdWords place a cookie on your website visitor’s computer when they fit the set of criteria you have determined for that person to be on your remarketing list.

What are the Privacy Concerns?

The main privacy concern with targeted banner advertising comes about because of a lack of information being provided to customers. For example, if users are not told that their data is being collected, or what the purpose of the collection is, this is the point at which the advertising may be unethical and may concern some users.  

When cookies are used for targeted banner advertising, the issue for consumers is that they may not have wanted cookies to be saved to their browser, particularly not to be used later to track them for advertising purposes.

This is where the law steps in.

The European Union (EU) is leading the way with regard to privacy law, and numerous other countries are following the EU’s lead. In contrast, the US is falling rather short of the EU’s high standards, with no general federal privacy law for protecting the online privacy of US citizens. Instead, US state laws such as the California Online Privacy Protection Act (CalOPPA) are in place to require businesses to keep to basic privacy standards. 

For the EU, the most recent law that has been brought into force is the EU General Data Protection Regulation (GDPR).

EU General Data Protection Regulation

The GDPR applies to anyone (even businesses not based in the EU) who processes or controls the personal data of EU citizens. 

IP addresses have been held in Swiss law to be “personal data”, which means that any user tracking such as the IP or location tracking that Google AdWords uses, can be collecting personal data from users. 

When personal data is collected, the data controller needs to ensure that the user has been notified that their data is being collected, and for what purpose. So if your banner advertisement targeting system uses an IP address (such as Google AdWords), you need to disclose this fact to your users.

For example, here’s the clause on remarketing from Wego in which they disclose how data is collected:


Wego Remarketing

With regard to cookies, the GDPR does not specifically contain provisions on this point; instead, the provisions of an older law (the e-Privacy Directive relating to cookies) will still be used for this issue, which states that the user needs to provide specific, informed consent to the use of cookies (Article 5(3)).  

This means that for something like targeted banner advertising (which is usually not strictly necessary for the user’s purpose of using the website), consent should be obtained from users before cookies are placed on their browsers. Under this directive consent can be obtained from users who are using browser settings relating to cookies, but only if the browser’s default setting is to not allow cookies (which means that the user is required to clearly and actively opt-in to receiving them). 

For example, Chrome displays the cookie settings under “Advanced Settings/Privacy/Content Settings” with the default option to allow cookies:

Cookies Chrome


Now let’s take a look at US law.


In the US, CalOPPA applies to operators of commercial websites or online services that collect information about California residents.

If you’re collecting the data of US citizens (such as their IP address or email address), it’s probably wise to assume that some of them may be California residents.  

The first requirement of CalOPPA is that your privacy policy must contain:

  • a disclosure about what information you are collecting
  • a disclosure of any third parties you are sharing the information with
  • an explanation of how users can changes the information you hold on them
  • how you will notify users of changes
  • what the effective date of the agreement is
  • an explanation of how you will respond to requests for opting-out from tracking
  • a statement of whether any third parties can collect information through your website or service (e.g. marketing firms)

CalOPPA also requires that your Privacy Policy must be posted clearly and conspicuously on your website.

Banner advertisements are also regulated alongside other internet advertisements in the US, under the realm of the Federal Trade Commission (FTC). The FTC notes that all online advertising should uphold four fair information practices: notice, choice, access and security. 

Furthermore, other organisations’ guidelines should be taken into account when considering how you disclose information about data collection and use, such as the Digital Advertising Alliance (DAA). Compliance with the DAA’s self-regulatory principles (such as transparency, data security, and accountability) can help to reassure customers that your advertising is conducted in an ethical way with consumer privacy concerns in mind.

How Can Privacy Concerns be Alleviated?

Privacy issues can be alleviated in a number of ways, first and foremost by ensuring that you are compliant with relevant laws in your jurisdiction.  

In most places the first step will be to ensure that you have a Privacy Policy set up. Make sure that the clauses in your Privacy Policy are in line with what your jurisdiction requires (e.g. the clauses required by CalOPPA above), and be sure to clearly set out what you collect, and for what purpose.

If you don’t already have a Privacy Policy, TermsFeed can help you to create one.

Second, allow customers to opt-out of banner advertising, and give them an opportunity to clearly opt-in to having cookies stored on their computer.

Here’s an example of how you can do this, from BBC Good Food:

BBC Good Food Cookies


For basic DAA compliance, you should:

  • Provide notice of online behavioural advertising (OBA) activities in your privacy policy
  • Provide notice of OBA activities on or near behavioral ads
  • Provide an opt-out choice on or near behavioral ads
  • Maintain data security for OBA data that is collected or used
  • Refrain from using sensitive personal information for OBA

You can also purchase the right to use the DAA Advertising Option Icon, which looks like this:

DAA Icon


The icon represents adherence to the DAA privacy principles for OBA, and can be displayed on all of your banner ads to show that you are in compliance. This can help to alleviate customer concerns about privacy when they see your banner ads.


While privacy issues are becoming increasingly relevant to advertisers and the content they create, there are a number of things you can do to cover your bases. 

First, set up a Privacy Policy that covers exactly what you collect in order for your targeted banner advertising process to function. Next, make sure you clearly disclose everything to your users, and clearly set out the purpose of the information collection.

Finally, allow customers to opt out of banner advertising, and be careful about allowing users to opt-in to your use of cookies.

Leah Hamilton
Leah Hamilton is a qualified Solicitor and writer working at TermsFeed, where businesses can create legal agreements in minutes using the Generator.

Leave a reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may also like