This chapter examines the policy implications of behavioural sciences insights for the regulation of privacy on the Internet, by focusing in particular on behavioural targeting. This marketing technique involves tracking people’s online behaviour to use the collected information to show people individually targeted advertisements.

This chapter distinguishes two ways in which policymakers can defend privacy in the area of behavioural targeting. Policymakers can aim to empower, or to protect the individual. First, policymakers can aim to empower the individual, for instance by enabling her to make choices in her own interests. In other words, policymakers can try to put people in control over their personal information. The European legal regime regarding privacy in the area of behavioural targeting largely aims at individual empowerment. For example, the e-Privacy Directive requires firms to obtain the individual’s consent for the use of tracking cookies for behavioural targeting.

Under the empowerment model, policymakers could also try to nudge Internet users towards disclosing less information. For instance, while marketers tend to argue that somebody gives implied consent if she does not opt out of behavioural targeting, policymakers could require firms to obtain the individual’s opt-in consent. But behavioural sciences casts doubt on the potential of opt-in consent as a privacy protection measure. People tend to click OK to almost any request they see pop up on their screens. This is all the more true when firms make the use of a service conditional on the user’s consent.

A second approach focuses on protection of the individual. This protective approach can also be recognised in current law regarding privacy. The Data Protection Directive has elements that aim to protect the individual. For example, even after a firm obtains an individual’s consent, data protection law does not allow excessive personal data processing. And data protection law always requires firms to secure the data they process. But enforcing data protection law may not be enough to protect privacy in this area. I argue that, if society is better off when certain behavioural targeting practices do not happen, policymakers should consider banning them.

The chapter is structured as follows. Section 2 introduces the practice of behavioural targeting and related privacy problems. Section 3 discusses the current regulatory regime to protect privacy in this area, and shows informed consent plays a central role in the regime. Section 4 analyses problems with informed consent through the lens of behavioural sciences. The section discusses information asymmetry, transaction costs, and biases that influence people’s privacy decisions. Taking the behavioural economic insights into account, section 5 discusses two ways to improve privacy protection in the area of behavioural targeting: empowerment and protection of the individual. Section 6 concludes.