Predatory strategies and techniques of social networks to capture the personal data of minors

Alessandro Fiorentino, Product Owner Adequacy, intervened during the Back to School Data Thursday to share with the members and partners of the As part of the AdPrivacy program, Alessandro Fiorentino published a research article on May 1, 2023: RGPD, a revelation of the surreptitious logic of platforms towards youth alongside David Bessot, associate director at TNP Consultants. the various predatory techniques put in place by digital platforms to capture the attention of younger generations.

4 hours per day. This is the average daily length of time that our children spend on digital platforms. 4 hours during which they are unwittingly confronted with the predatory techniques they develop to capture their attention. Platforms mainly use 4 levers to manipulate our behaviors and collect data without our knowledge: technical tips, legal tricks, deceptive ergonomics and cognitive manipulations.

Because becoming aware of these techniques already means protecting yourself from them, we summarize below the 7 main predatory techniques of platforms.

Technique 1: Extortion of Consent
This first technique consists in not respecting the properties of consent, which, according to the GDPR, must be “free, specific, informed and unequivocal.”
Here are some illustrations that we encounter on a daily basis:
• Free: the absence of consent does not allow us to access the platform
• Specific: a single check box to accept several purposes or recipients
• Enlightened: 90-page information mentions
• Unambiguous: thanks to ergonomic subtlety, the box is pre-ticked or on the contrary, you must check to refuse or to advance in browsing the site

Technique 2: the enslavement of consent
This technique consists in integrating purposes that are not necessary for the execution of the contract into the CGU.
To put it simply, we slip an empty purpose into the CGU, even if it is not strictly necessary for the execution of the contract. We think in particular of marketing cookies or solutions for doing AB testing, which are presented as functional in the Consent Management Platforms (CMP) when this is not the case.
But every purpose that is not strictly necessary should be based on consent...

Technique 3: the atomization of legal risk
The technique of atomizing legal risk consists in creating a legal framework in order to anticipate defense tactics in the face of future formal notices. In the end, it is “pre-litigation by design”.
Let's take the example of an online merchant. As part of its marketing activity, this organization carries out profiling operations based on the personal data of members of the loyalty program that it offers to e-commerce site customers for the purposes of analysis and distribution of targeted advertising.
In this case, the risk atomization technique will consist in implementing two distinct treatments. A first treatment aimed at customer knowledge. This first processing is then based on the legitimate interest present in article 6 of the RGPD, it allows the platform to collect all the information it considers necessary, giving it an unsuspected ability to profile. The purpose of the second treatment is the distribution of targeted advertising and is based on the ePrivacy Directive. This arrangement allows the data controller to argue a real legitimate interest in knowing its customers, which is effectively defensible, while collecting a set of personal data, and to broadcast targeted advertising by profiling previously collected data only to persons who have consented, thus reducing the risk of potential complaints.
Indeed, if you do not agree to the activation of targeted advertising, the platform will not send you any, but it still collects, stores and can resell all the information collected in the first processing.

Technique 4: synchro-acquisition
This technique consists in capitalizing and consolidating the personal data collected through updates to the privacy policies of the company and its subsidiaries.
This is the case, for example, when Facebook offers (and it does so regularly!) Synchronization with Instagram and Whatsapp. These are three distinct legal entities controlled by the same company, each of which can capitalize on the data collected by the others from the moment the person concerned consents without necessarily being aware of all that this may generate.
This technique makes it possible to increase data collection by relying solely on the consent of each user without studying the relevance of collecting the consent of their contacts, who were not informed and did not consent to this type of implicit enrollment.

Technique 5: Updating the operating system
This technique consists of adding a multitude of services, officially to optimize the user experience, and at the same time to collect data that should require consent.
Thus, for example, when the operating system is updated, the provider embeds new functionalities that are activated by default. However, these new functionalities involve a different use, which may lead to a modification or evolution in the processing of the personal data manipulated. If the user has already given their consent when installing the application, they are not asked to express their agreement again.

Technique #6: Shared Ownership
When registering on a social network, you must adhere to the site's terms and conditions.
And by accepting the terms and conditions of social networks, you accept the concept of “shared ownership”. In other words, with a single click and without being able to negotiate a contract determined by Twitter, Facebook or Linkedin. Contract whose rules will be imposed on you throughout your use of the platform.
However, the legal consequences they involve for users of the social network can be considerable, especially with regard to the ownership of the content (photos, text) that they post online.
So when you post a photo that you took yourself, these networks may decide to reuse it without warning you.
Imagine if this is the case with a photo of your children!

Techniques No. 7: phantom profiles
This technique consists in collecting data about you based on your browsing through third-party cookies and then synchronizing or consolidating all the information about you.
Thus, even if you do not yet have a Facebook account, for example, Facebook knows you thanks to the third-party cookies that it has placed on a large number of websites. So he knows that you love rugby, that you read Le Monde and that you are a fan of chocolate. The day you register on its platform, you will immediately receive a certain number of targeted advertisements. As soon as you are registered, Facebook already knows you wonderfully well.
And even if you never create a Facebook account, your ghost profile, which has retrieved and crossed all these third-party cookies, is part of a cohort and can therefore be sold and valued by Facebook customers.

In conclusion: we have a customs position
It is impossible to know all the strategies and techniques used to collect data.
Indeed, we discover new techniques once they are implemented and identified.
However, the more we identify, the more we can explain them and thus, hopefully, protect ourselves from them.

‍