Neuromarketing and Eye-Tracking Technologies Under the European Framework: Towards the GDPR and Beyond

Abstract

AbstractThe Regulation (EU) 2016/679 on the protection of natural persons regarding the processing of personal data (GDPR) is one of the key fundamental pieces of European legislation to protect human rights and freedoms. However, the development of AI systems that are capable of collecting and processing large amounts of data and predicting user habits and emotional states has affected traditional legal categories and tested their resilience. This paper assesses the limits of the current formulation of the GDPR which does not take expressly into account the category of inferred data as a special category of data. Furthermore, it questions whether the toolbox put in place by the GDPR is still effective in protecting data subjects from practices such as neuromarketing and eye-tracking systems. It shows that it is certainly the essential starting point, but that, on the other hand, cannot be spared criticism. For this, in the recent years, the European legislator has adopted further legislations including, in particular, the Digital Services Act (DSA) and the Artificial Intelligence Act (AIA). Although representing a step forward in protection against such technologies, they each have critical aspects that need to be considered.