Your Privacy Is Important to Us! – Restoring Human Dignity in Data-Driven Marketing

about & support

Foreword by Eric K. Clemons

Preface, Acknowledgements and Abbreviations



1. Why this book?
    (#methodology #delimitations #structure)

2. Data-Driven Business Models
    (#surveillancecapitalism #valueextraction #harm)


3. Regulating Markets
    (#law #markets #architecture #consumerprotection)

4. Data Protection Law
    (#gdpr #personaldata #lawfulprocessing #legitimatebasis)

5. Marketing Law
    (#ucpd #professionaldiligence #averageconsumer)


6. Human Decision-Making
    (#agency #psychology #boundedrationality #willpower)

7. Persuasive Technology
    (#technology #choicearchitecture #friction #prompts)

8. Manipulation
    (#coercion #deception #subliminalmarketing #paternalism)

9. Transparency
    (#information #communication #complexity #asymmetry)


10. Human Dignity and Democracy
      (#humanwellbeing #privacy #discrimination #proportionality)


11. Conclusions
      (#humandignity #datadrivenmarketing #beinghuman)

12. Next Steps
      (#action #conversations #future)


Regulating Markets

#law  #markets  #architecture  #consumer protection

1. Law

In Montesquieu’s theory concerning the separation of powers—which is reflected in constitutions across the European Union—the main institutions of law include the legislature (representative parliaments), the executive (an accountable government) and the judiciary (independent courts).

Even though there is no single true definition of ‘law’, law can be said to regulate behaviour in society, in a broad sense, including through interpersonal rights and corresponding obligations. Legal persons (e.g. companies with limited liability and organisations) and natural persons are expected to comply with the law.

In contrast to, e.g., social norms and market forces, law is characterised by its (legal) sanctions, which can be enforced through the judiciary on the initiative of either the executive (on behalf of ‘the people’) or a private plaintiff.

Written laws (‘legislation’ or ‘statutory law’) may be adopted by the legislature on the basis of a constitution (‘primary law’) prescribing limits and procedures for the adoption of such ‘secondary law’, which force is derived from the constitution. To use a computer metaphor, constitutions may be perceived as the operating system on which secondary legislation runs.

Judge-made law—in the guise of precedents—is also accepted in various degrees; most pronounced in ‘common law’ countries.1 EU legislation is primarily based on written law, even though the CJEU may be perceived as being more progressive than some national courts.

It follows from Article 19(1) TEU that the CJEU must ensure that in the interpretation and application of the EU Treaties, the law is observed, and that Member States must provide remedies sufficient to ensure effective legal protection in the fields covered by Union law.2

1.1. Regulating human behaviour

Human behaviour is guided by many rules, including probabilities for various gains and losses in society. In addition to legal norms, which are adopted through a process nested in a constitution, humans are subject to social norms (social incentives), markets (economic incentives) and architecture,3 all of which may also influence or be influenced by legal norms.

As social norms and markets are likely to influence our behaviour, the ‘layout of society’ (architecture, including computer code) is also likely to influence our behaviour in the sense that it may physically restrain our behaviour4 or psychologically lead (‘nudge’) us in a particular direction.5 Thus, law must be understood in a broader regulatory context that also reflects on human nature and society as such.

In Part III (psychology and technology), we take a closer look at the role of human behaviour and architectures that affect human decision-making.

1.2. Interpretation and assessment

Whenever a court of law is presented with a case, it needs to find a solution by interpreting the law and applying it to a particular set of facts. Even though law is not an exact science, it is—despite its plasticity—not ‘black magic’ just because its interpretation and application is not always clear or predictable. One must interpret the law by understanding both its letter (wording—literal interpretation) and spirit (purpose—teleological interpretation) by means of analysing the ‘sources of law’; i.e. the sources from which legal force is derived.

Teleological interpretation necessitates that ‘every provision of [EU] law must be placed in its context and interpreted in the light of the provisions of [EU] law as a whole, regard being had to the objectives thereof and to its state of evolution at the date on which the provision in question is to be applied’.6 As noted by the CJEU in the context of data protection law, the interpretation of a provision of EU law must take account of:7

  • its wording,

  • the objectives it pursues,

  • its legislative context,

  • the provisions of EU law as a whole, and

  • possibly its origins.8

Unless there is an express reference to national law, EU law must normally be given an autonomous and uniform interpretation throughout the European Union.9 In this vein, it is important to distinguish between ‘interpretation’ and ‘assessments’. Roughly speaking, interpretation—eventually carried out by the CJEU—provides the content of a rule, whereas assessment is the evaluation of facts necessary to enter a judgment.

The CJEU may give guidance on assessments that are left to national courts to determine. The margin of discretion left to national courts varies, and the demarcation is not always razor sharp. This is particular relevant in the context of legal standards used in the GDPR and the UCPD that we discuss in Chapter 4 (data protection law) and Chapter 5 (marketing law), respectively.

In many situations law is ultimately a matter of balancing interests. And to do so properly, we must identify and understand these interests. This is further pursued in Chapter 10 (human dignity and democracy) in our discussions of proportionality.

2. Markets

The overarching idea behind market economies like the European Union is that efficient competition guided by price signals affected by supply and demand yields better economic outcomes.

One of the particular interesting assumptions underpinning the market economy is that rational choice theory assumes that consumers make efficient (informed and rational) choices based on goals, values and preferences. It is assumed that these ‘revealed preferences’ maximises their welfare.10 This assumption is pursued and challenged in Chapter 6 (human decision-making).

There are instances where markets cannot in themselves ensure efficiency. ‘Market failures’ are situations in which the allocation of goods and services is not efficient such as when traders’ pursuit of pure self-interest lead to results that are not efficient. An important example in this context is the asymmetric power between traders and consumers in the market.

Market failures may be corrected by means of market regulation. The field of consumer protection law, as discussed immediately below, seeks to correct the market failure stemming from this asymmetry in power, as further discussed in Chapter 9 (transparency).

The market regulation of the European single market (the internal market), including consumer protection law (to ensure a high level of consumer protection), usually has as an additional purpose of ensuring efficiency in the market by (a) only disturbing it to the extent necessary and (b) removing barriers to inter-state trade created by differences in law (harmonisation).

3. Consumer protection law

In 1962 U.S. President John F. Kennedy presented the following ‘four basic consumer rights’ in a ‘special message’ to the U.S. Congress:11

  1. The right to safety—to be protected against the marketing of goods which are hazardous to health or life.

  2. The right to be informed—to be protected against fraudulent, deceitful, or grossly misleading information, advertising, labeling, or other practices, and to be given the facts he needs to make an informed choice.

  3. The right to choose—to be assured, wherever possible, access to a variety of products and services at competitive prices; and in those industries in which competition is not workable and Government regulation is substituted, an assurance of satisfactory quality and service at fair prices.

  4. The right to be heard—to be assured that consumer interests will receive full and sympathetic consideration in the formulation of Government policy, and fair expeditious treatment in its administrative tribunals.

The foundation for EU consumer protection policies was laid out in a resolution from 197512 that followed up on a meeting between Heads of State/Governments held in Paris on 19–20 October 1972. It follows that ‘the improvement of the quality of life is one of the tasks of the Community [‘European Union’] and as such implies protecting the health, safety and economic interests of the consumer’, and it is stated that this task ‘requires a consumer protection and information policy to be implemented at Community level’ with a view to ‘strengthen and coordinate measures for consumer protection’.13

In the annex to the resolution, consumer interests were summed up by the statement of ‘five basic rights’ (Paragraph 3):

  1. the right to protection of health and safety,

  2. the right to protection of economic interests,

  3. the right of redress,

  4. the right to information and education,

  5. the right of representation (the right to be heard).

Similarly, the United Nations’ guidelines for consumer protection (2016; first version adopted on 16 April 1985) now recognise the following ‘legitimate needs’ which the guidelines are intended to meet:

  1. Access by consumers to essential goods and services;

  2. The protection of vulnerable and disadvantaged Consumers;

  3. The protection of consumers from hazards to their health and safety;

  4. The promotion and protection of the economic interests of consumers;

  5. Access by consumers to adequate information to enable them to make informed choices according to individual wishes and needs;

  6. Consumer education, including education on the environmental, social and economic consequences of consumer choice;

  7. Availability of effective consumer dispute resolution and redress;

  8. Freedom to form consumer and other relevant groups or organizations and the opportunity of such organizations to present their views in decision-making processes affecting them;

  9. The promotion of sustainable consumption patterns;

  10. A level of protection for consumers using electronic commerce that is not less than that afforded in other forms of commerce;

  11. The protection of consumer privacy and the global free flow of information.

Consumer protection is mentioned in Article 38 of the Charter of Fundamental right (the Charter) which provides that ‘Union policies shall ensure a high level of consumer protection’. It also follows from Article 12 TFEU that:

‘Consumer protection requirements shall be taken into account in defining and implementing other Union policies and activities.’

Basically, consumer protection law rests on an equation whereby consumers in general are to be protected without interfering too much with the competition that in the end also benefits consumers.

As mentioned in Chapter 1 (why this book?), we do not deal with competition (antitrust/monopoly) law. This field of law regulates traders’ abuse of market power. And some of the practices may also fall under competition law but, notably, only when the traders have sufficient market power. Competition law is also consumer protection law in the sense that the benefits of efficient markets accrue to consumers.14

3.1. Marketing and marketing law

From a trader’s perspective, marketing serves the legitimate purpose of influencing consumers’ preferences—by means of information and conducts—in order to increase profits. Individual traders may, however, have an incentive to present their products and offerings in a light as favourable as possible. Consumers, on the other hand, are interested in finding the products and deals that best suit their goals, values and preferences. In order to make ‘efficient decisions’, consumers must rely on their experience and knowledge, as well as available information, including, in particular, the trader’s marketing.

The basis for regulating marketing lies in the market’s need for truthful information. The role of marketing law is to ensure that marketing is not carried out in a way that distorts the consumer’s ability to make efficient choices, e.g. by means of misleading actions, misleading omissions or aggressive conduct, as we discuss in Chapter 5 (marketing law). Commercial practices that are unfair generate a market failure as competition is compromised by impairing the consumer’s ability to make informed choices; this also gives rise to distortion of competition because the trader acting unfairly wins business away from competitors who play by the rules.15

Under the assumption that consumers will read (and understand) all relevant information, and they will take that information into account when deciding among available products, it is straightforward to use information as a cornerstone of consumer protection policies. This approach is also known as the ‘information paradigm’, where information is recognised as the least intrusive, and thus, the preferred form of market intervention. The information paradigm is challenged in Chapter 9 (transparency), and goes hand in hand with the consumer’s ‘right to self-determination’, under which consumers have freedom to choose and also the right to ignore information that traders have provided. This is discussed in Chapter 8 (manipulation).

3.2. Privacy and data protection law

As data protection law is also important for business-to-consumer interaction, the GDPR must—in addition to providing democratic safeguards—be perceived as an important pillar of consumer protection law.16 The importance of privacy and personal data within consumer law is also recognised by the 2016 amendment of the above-mentioned United Nations’ Guidelines for Consumer Protection to include ‘consumer privacy’.17 Point (e) under ‘principles for good business practices’ provides that:

‘Businesses should protect consumers’ privacy through a combination of appropriate control, security, transparency and consent mechanisms relating to the collection and use of their personal data.’

Of the original five basic consumer rights in the European Union, the processing of personal data may in our context be most closely connected to the protection of ‘economic interests’, as the most common use of personal data in a business context relates to the marketing of products.

When considering development within data-driven business models and the above-mentioned harms identified by the Center for Humane Technology, more rights come into play: Issues concerning digital addiction and mental health may fall under ‘health and safety’, which together with superficiality may undermine the aim of ‘information and education’. The rights of ‘redress’ and ‘representation’ may be challenged by the market power of ‘big tech’, which exercises significant power when it comes to deciding which information is disseminated to whom. This broader perspective is pursued in Chapter 10 (human dignity and democracy).

Political marketing does not fall under consumer protection law, but creating addictions and engagement to sustain a platform for both commercial and political marketing does. The service or platform that relies on third-party marketing is the relevant (commercial) product offered to consumers.

As we will explore in the following chapters, both data protection law and marketing law share the aim of empowering individuals, including through information that is meant to establish transparency. A significant difference between the two areas of law is that marketing law aims to protect consumers in commercial markets, and data protection law pursues the aim of protecting the privacy of citizens, including in their capacity as consumers. Privacy, including the protection of personal data, is a fundamental right (primary law) that reaches beyond mere market regulation.

Few EU laws have attracted as much popular and global attention as the GDPR, and it constitutes a significant strengthening of consumer protection law, as it also requires legitimacy and accountability as discussed in Chapter 4 (data protection law). When it was introduced a lot of attention was paid to the significant fines (up to 20,000,000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher).18 A similar approach to penalties was introduced to EU marketing law with the New Consumer Deal Directive,19 but notably only for ‘enforcement measures in coordinated actions’. For penalties in general under the UCPD, Member States must lay down (national) penalties that are ‘effective, proportionate and dissuasive’. This is supplemented with ‘non-exhaustive and indicative criteria’ that must be taken into account for the imposition of penalties (where appropriate).20

As we deal with data protection law from a consumer protection-perspective, the terms ‘user’, ‘consumer’, ‘citizen’ and ‘data subject’ are used interchangeably. The same is true for ‘service provider’, ‘trader’ and ‘data controller’.

1. The ‘common law’ is the body of law that is derived from precedent (rather than legislation/statutes).

2. See in general about EU law in Catherine Barnard & Steve Peers (eds), European Union Law (3rd edition, Oxford University Press 2020).

3. See e.g. Lawrence Lessig, ‘The New Chicago School’, The Journal of Legal Studies, 1998, pp. 661–691; and Lawrence Lessig, ‘The Law of the Horse: What Cyberlaw Might Teach’, 113 Harvard Law Review, 1999, pp. 501–549.

4. See about code as law in Lawrence Lessig, Code and Other Laws of Cyberspace (Basic Books 1999).

5. See, e.g., Richard H. Thaler & Cass R. Sunstein, Nudge—The Final Edition (Yale University Press 2021, first published 2008).

6. Case C‑283/81, CILFIT v Ministero della Sanità, ECLI:EU:C:1982:335, paragraph 20.

7. Case C‑673/17, Planet49, ECLI:EU:C:2019:801, paragraph 48 with references.

8. Ibid.

9. Case C‑673/17, Planet49, ECLI:EU:C:2019:801, paragraph 47 with references.

10. George A. Akerlof & Robert J. Shiller, Phishing for Phools (Princeton University Press 2015), p. 170.

11. Special Message to the Congress on Protecting the Consumer Interest, 15 March 1962, <>.

12. See Council Resolution of 14 April 1975 on a preliminary programme of the European Economic Community for a consumer protection and information policy and Preliminary programme of the European Economic Community for a consumer protection and information policy, 25 April 1975, Official Journal, C 92, pp. 1–16.

13. See now Article 169(1) TFEU: ‘In order to promote the interests of consumers and to ensure a high level of consumer protection, the Union shall contribute to protecting the health, safety and economic interests of consumers, as well as to promoting their right to information, education and to organise themselves in order to safeguard their interests.’

14. See also Stephen Weatherill, EU Consumer Law and Policy (2nd edition, Elgar 2013), p. 4; and Norbert Reich, Hans-W. Micklitz, Peter Rott & Klaus Tonner, European Consumer Law (2nd edition, Intersentia 2014), p. 7.

15. Proposal for a directive concerning unfair business-to-consumer commercial practices in the internal market, COM (2003) 356, 2003/0134 (COD), paragraph 16.

16. See also EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’, paragraph 8.

17. UN General Assembly, Resolution 70/186 of 22 December 2015.

18. See Articles 83–84 GDPR.

19. Article 3. See also Regulation (EU) 2017/2394, Article 21.

20. Ibid. Inserted in Article 13(2) UCPD. See also Chapter 12 (next steps).