Back to Legal Updates

New law on recommendation algorithms: impact on business and risk of blocking

legal updates
26 / 10 / 2023
With effect from 1 October 2023, the Federal Law “On Information, Information Technology and Data Protection” has been supplemented with a new article (article 10.2-2) concerning the provision of information to users through the use of recommendation algorithms (“Law on recommendation algorithms”). Now owners of websites, applications and other online resources using recommendation algorithms must meet a number of requirements. For example, they need to inform users of the work of the algorithms and publish the rules for the application of the technologies in Russian on their resources, making such rules freely available to the public on a free-of-charge basis.

Who does the new law apply to?

The Law on recommendation algorithms applies to the following persons:

  • website and/or webpage owners;
  • information system owners; and
  • computer program owners.

In all cases, it is necessary that algorithms are used to provide information based on the collection, systematisation and analysis of data on the preferences of Internet users located in Russia.

It is important that content or services should be personalised based exclusively on the preferences of a particular user rather than based on predetermined principles. For example, if recommendations in an online store are given based on a recommendation algorithm that is based on user preferences rather than on a predetermined logic, the new law will not apply in such case.

For example, if the algorithm in an online store suggests that together with a TV set you buy a game console and does so for all online store users (for instance, in the “Customers who bought this item also buy this” section), the Law on recommendation algorithms will not apply in this case. However, if the online store owner gathers information through cookies, carries out user profiling and offers an item to a particular user depending on his/her region, information on his/her previous purchases or the device from which he/she visited the website and so forth, such algorithm will fall within the scope of the new law.

The requirements of the Law on recommendation algorithms will not apply to IT resources where information is provided to users exclusively based on the results of processing search parameters set by users, including with the use of filters customised by the users themselves.

What requirements need to be met?

The Law on recommendation algorithms contains a basic rule that the owner of a website, webpage, information system or programme must comply with the requirements of Russian legislation. More specifically, the owner must:

  • prevent the use of the recommendation algorithms that infringe on the rights and legitimate interests of individuals and organisations and prevent the use of recommendation algorithms for the purpose of providing information in breach of Russian legislation;
  • prevent the use of recommendation algorithms on their resource without informing the internet users of the use of such recommendation algorithms;
  • publish a document establishing the rules for the application of recommendation algorithms; and
  • publish its email address for sending legally relevant communications, last name and initials (for a natural person) or name (for a legal entity).
The rules for the application of recommendation algorithms must contain:

  • a description of the processes and methods of collecting, systemising and analysing data on the preferences of Internet users, of the processes and methods of providing information based on this data as well as the ways of implementing such processes and methods; and
  • types of data relating to the preferences of Internet users which are used for providing information with the use of recommendation algorithms and sources of obtaining such data.

Roskomnadzor recommends publishing the following message on the website and in the application: “Recommendation technologies are used on this information resource”. This message may be published on any page of the website, including users’ personal pages.

There may be questions in practice concerning the depth of the disclosure of the description of processes and methods of collecting, systemising and analysing data on the preferences of Internet users and providing information based on this data.

For example, will it suffice to specify that the Internet resource owner carries out user profiling based on a number or criteria or is it necessary to disclose the specific groups of users that are being formed for personalised content? In the latter case, such disclosure may be quite sensitive from the perspective of disclosing commercial information to competitors.

Furthermore, recommendation algorithms are constantly being modified and improved, including through A/B tests for improving algorithms. In this case, it would be extremely difficult to constantly modify the rules for the application of recommendation algorithms, not to mention that the disclosed information on hypothesis testing in the area of user targeting is particularly valuable information for the company.

At least up until Roskomnadzor has adopted additional requirements, we recommend that you treat the rules of the work of recommendation algorithms with extreme caution and that the scope of the data disclosure be coordinated with the company’s technical and commercial departments. We are more inclined to believe that the formal requirement to disclose the processes and methods of systemising and analysing user data does not imply the disclosure of specific user groups. For the moment, you can give just a high-level description of methods and processes.

What are the consequences of failing to comply with the new requirements?

The Law on recommendation algorithms contains quite a detailed procedure for blocking a relevant Internet resource.

If Roskomnadzor identifies a violation, it will notify the Internet resource owner of this. As a rule, 10 days from the date of receipt of the notice are given to rectify the identified violations. If the Internet resource owner fails to rectify the violation, Roskomnadzor may request that the owner should stop using recommendation algorithms. If the Internet resource owner fails to comply with this request, Roskomnadzor may oblige the communications service provider to block this resource.

So far, there is no administrative liability for breaching the Law on recommendation algorithms. However, we believe that the issue of establishing such liability is just a matter of time.

If you have any questions regarding the new Law on recommendation algorithms and the practice of its application, we would be happy to answer them based on our experience in this area.