
Jean-Yves Gilg

Editor, Solicitors Journal

Update: consumer


Laurie Heizler considers the risks that online advertisers take with personal data and the privacy implications of 'behavioural advertising'

Consumers are rightly sensitive to exploitative online advertising techniques that sacrifice their privacy and data security in the interests of getting the 'message' across. Those who interact with businesses on the internet are justifiably concerned about their privacy. So, for example, anyone making active contact with a retailer – by way of a general enquiry or an offer to buy goods or services – would expect to find a privacy policy which would govern the way in which personal data about him is treated. This would usually be done by a mechanism which attempts to solicit a consumer's informed consent.

Current legislation relevant to the processing of data includes in the UK the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003, which are intended to implement respectively the European Directives on data protection (95/46/EC) and privacy and electronic communications (2002/58/EC). Data protection legislation is promoted and enforced in the UK by the Information Commissioner's Office (ICO).

The existence of the legislation is well known. However, problems have arisen with its interpretation against a background of fast-developing data collection and storage technologies such as 'behavioural advertising', social networking and the government's proposed communications database, in particular with regard to what constitutes consent to use any personal data.

Processing personal data

In the UK, the DPA regulates the processing of personal data. Such processing is carried out by almost any treatment of personal data which is information about living persons ('data subjects') who can be identified. The processing of personal data must be carried out with the specific and informed consent of data subjects.

Often, visitors to websites are asked to signify consent to the use of personal data by ticking an 'opt-in' box. This is intended to signify express acceptance of a particular treatment of the data, such as sending it to third parties to enable them to send marketing communications. It is a common misconception that effective consent can be presumed. The need for any consent to be specific and informed means that there must be an effective means by which consumers can give explicit consent to the use of their data for marketing purposes. In a relevant context, an opt-in box is a satisfactory device through which consent can be indicated.

The Kaleidoscope case

The opt-in/opt-out distinction was underlined in last year's adjudication by the Advertising Standards Authority (ASA) against Direct Home Shopping Brands t/a Kaleidoscope. Kaleidoscope ran a sales promotion advertisement which stated that any response to it would entitle Kaleidoscope to share the responder's information with third parties for direct marketing purposes.

Because this was a purported 'opt-out', the ASA found this to be a clear breach of the CAP Code which, in common with the data protection legislation, requires that explicit consent is obtained before a party can disclose information identifying consumers to third parties.

The Code is the self-regulatory code of the Committee of Advertising Practice and is enforced by the ASA. Their rulings are not law of course, but the Kaleidoscope case is of interest because it highlights a well-established data protection prerequisite which must be adhered to.

Behavioural advertising

Less well understood are the privacy implications of 'behavioural advertising', which targets pre-determined advertising to personal interests by tracking consumer habits and preferences revealed by the websites they visit and the content they view. This is effectively carried out without the consumer's consent. In effect, the use of cookies, applets and spyware creates a unique personality profile which is of enormous value to advertisers.

The information obtained is shared with advertisers to promote more targeted advertising. This can be viewed as a covert invasion of privacy and an interception of online communications because such information will frequently contain personal data but consumers will not necessarily know that it has been harvested from them at all.

The Phorm case

There have always been issues as to whether the UK has implemented European data protection legislation correctly. The latest episode followed complaints from internet users (the cause of some of them having been taken up by British members of the European Parliament) concerning the use of the 'Phorm' behavioural advertising technology by Internet Service Providers (ISPs).

Phorm examines patterns of web surfing activity from which it detects the preferences and interests of users. This enables advertising which has been chosen and tailored to match the surfer's interests. Bespoke advertising therefore appears when he next visits his preferred websites.

The technology adds information about consumer interests to other data which is capable of identifying the consumer as an individual. Taken together, such information is personal data which is being processed. Moreover, the Privacy Directive prevents the intentional interception and surveillance of communication data, except with permission of the data subject or with other specific legal justification.

Phorm had been tested extensively by BT since 2006. Before 2008, BT did not see fit to inform consumers of the use of the technology, so in the main they were initially unaware of the collection of their personal data. The latest trials have however been carried out with consumer consent. These have revealed the scale of the problem and consumer concerns which have been reported to the ICO and even the police.

The European Commission challenges UK law

Last year, the European Commission made it known to the UK that it had concerns that there were 'structural problems' with the UK's implementation of the data protection legislation. It does not believe that UK law is adequate to protect the privacy and confidentiality of online communications. These deficiencies have been highlighted by Phorm.

On 14 April 2009, the Commission announced its intention to bring infringement proceedings against the UK in respect of the use of behavioural advertising technologies by ISPs, which it does not believe the UK can effectively control through the existing regulatory regime. A particular concern is that Phorm effectively intercepts communications. The Commission feels that UK law does not adequately respond to the different circumstances in which interception can take place (UK law only regulates intentional interception) and takes the view that the police are unlikely to be adequate enforcers. It is a separate matter as to whether in fact the ICO is an adequate regulator, given that, in the perception of the privacy pressure group Privacy International, the ICO has persistently rejected or played down complaints regarding personal data collection issues such as Google's Streetview, the National DNA Database and indeed Phorm. In any event, the Commission would like to see an independent supervising authority.

The arguable legal justification for users of behavioural advertising is that 'intentional' interception effected by tracking surfing preferences can be interpreted widely enough to allow the ISP to assume it has reasonable grounds for believing that the data subject has consented to the interception and further processing of his data. Because the argument rests on presumed consent, this is dubious at the very least.

If the UK does not provide an adequate initial response to the infringement action by mid-June this year, the Commission will issue a 'reasoned opinion'. If reforms are not implemented by the UK in accordance with the opinion, the following step will be the referral of the matter to the European Court of Justice.

In the wake (and even in anticipation) of the risk of illegality, Amazon has taken steps to deny access by its own Webwise web monitoring system to its websites. Webwise is Phorm-based behavioural advertising which monitors subscribers' use of the website to create a profile for targeted advertising. Wikipedia has also taken action to remove Phorm from its websites and domains.

New good practice principles from the IAB

Against this background, it is an interesting moment for the Internet Advertising Bureau (IAB) to issue new guidelines with respect to behavioural advertising. These are of course no more than good practice principles. Nevertheless, they are intended to address the all-important issue of compliance with the data protection legislation, so they have been examined with interest by the ICO.

The IAB is a UK-based trade association which does what its name suggests. It clarifies and mitigates the application to its members of general advertising and data protection law by creating benchmarks such as these new guidelines – which come into force on 4 September 2009. The IAB's members include Microsoft Advertising, Google, AOL and, interestingly, Phorm, who have all helped to develop the guidelines which the ICO has supported in principle.

The guidelines have concentrated on three main areas, which, if adhered to, may potentially result in legal compliance by ISPs:

  • ISPs will need to ensure that users are made aware that their browsing and surfing activities are being monitored with a view to the provision of behavioural advertising.
  • ISPs using behavioural advertising technologies must provide information to ensure that active opt-outs can be indicated.
  • The presence of behavioural advertising must be transparent in all other respects, so that users know and understand its effects and are aware of what must be done to opt-out.

Particularly now in the light of the proposed action by the Commission, it may be that the proposed guidelines will have little effect. They have already been criticised by the Open Rights Group, which sees problems arising from the fact that the mechanism for legitimacy is based on acquiescence rather than truly active consent. Moreover, the guidelines only apply to IAB signatory parties who may not be the only actual or potential users of behavioural advertising.

It does seem that the legitimacy of behavioural advertising is, for the moment at least, fundamentally compromised while the UK's basic legal provisions remain under investigation by the Commission. There will be no legal clarity as to whether they can be used until changes in UK law are made.

How can you be a good online advertiser? In short, use any available behavioural advertising technologies with extreme caution and always consider if you have valid consumer consent to use any personal data lawfully.