Not long after an announcement that the leading EU data privacy regulators’ group would be closely scrutinising behavioural targeting/targeted online advertising in 2008, Facebook founder Mark Zuckerberg had to eat humble pie over its Beacon targeted advertising tool. What steps can UK marketers take to reduce regulatory risks in this increasingly popular area? Phil Lee reports.
Topic: Online Advertising
Who: Article 29 Working Party
When: 2008
Where: UK
Law stated as at: 10 December 2007
What happened:
The Internet has proved a frustratingly blunt marketing tool to date. For years, the Holy Grail of advertising has been to develop the technology to deliver online advertising to website visitors that is specifically targeted to their individual likes and dislikes. Advances towards this panacea have indeed been made, and the use of targeted online advertising has become an increasingly popular tool. However, the growing use of such advertising has met with growing resistance from the public to the perceived intrusion into their online privacy rights and, now, has attracted the attention of the Article 29 Working Party.
Reuters reported last month that Gabriele Loewnau, head of the EU's Article 29 Working Party (the body responsible for overseeing data protection at an EU level), announced the Party's intention to concentrate on the "hot topic" of targeted online advertising in 2008. Hot on the heels of this announcement, Facebook's founder, Mark Zuckerberg, publicly apologised for the way Facebook had introduced its Beacon targeted advertising tool. Mr. Zuckerberg's announcement followed a public backlash over its use of the targeted online advertising technology, including a 50,000 member petition.
All of which begs the question: is targeted website advertising regulated in the UK? The answer is yes – but perhaps not as well regulated as it might be.
Targeted website advertising and the law
The starting point for any issues concerning individual privacy rights in the UK is the Data Protection Act 1998 (the "Act"). The key requirement of the Act is that individuals must be provided with information about how their personal data will be used and, unless a legal basis for that processing exists under the Act, their consent must be sought for that processing. This applies in the context of targeted website advertising because such advertising is typically generated off the back of "cookies" stored on the individual's computer. Broadly speaking, "cookies" are small data files placed on an individual's computer by certain websites recording, for example, what the individual looked at and/or bought when visiting that website. When the individual next visits the website in question, it can examine the cookie to determine his or her previous online behaviour during the last visit and tailor its advertising to meet his or her specific preferences.
Recognising the growing concerns of the public in relation to cookie technology, the European Commission passed specific "cookie legislation" in 2002, which was implemented in the UK under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "PEC Regs"). These provide (at regulation 6) that websites that use cookies must provide visitors with "clear and comprehensive" information about the purposes of the storage of or access to cookies and, separately, give visitors the opportunity to switch off the cookie functionality.
It has since become common practice for marketers to address both the requirements of the Act and the PEC Regs through carefully drafted privacy policies, accessible on every page of their websites. The requirements of the Act and the PEC Regs have been echoed in the DMA Code of Practice and the Information Commissioner's Good Practice Note on collecting personal information using websites.
However, the failure of the legislation to address cookies adequately is highlighted by an apparent conflict between the PEC Regs and the Act. As noted, the PEC Regs require websites to inform visitors how they, as individuals, can refuse cookies (by changing browser settings etc.). The Act, which is necessarily drafted in broader terms, gives individuals the right to require marketers to cease direct marketing (s.11). The subtle, but significant, difference between the two is that it appears to shift responsibility for switching off cookie functionality (the enabling technology behind online targeted advertising) from the recipient of the advertising (the PEC Regs) to the website operator (the Act). Taking the approach outlined by the Act, the only practical way for a website operator to stop targeted advertising in respect of a particular user is to remove cookie functionality entirely from its site, having the effect of removing targeted advertising in respect of all of its visitors. For this reason, the PEC Regs represent the more sensible approach, and the DMA Code of Practice endorses this view (see rule 19.22(f)(iv)).
A further difficulty is that marketers are not given sufficient guidance under the PEC Regs as to how much information they must provide visitors about refusing cookies. Each website browser (e.g. Internet Explorer, Firefox, Netscape, Opera, Safari etc.) adopts slightly different methods for switching off cookie functionality and, to make matters worse, these methods invariably differ between each version of each website browser. Are marketers really required to give information about how to refuse cookies under every possible browser/version combination? The PEC Regs, the Act and related guidance are all unhelpfully silent on this issue.
Why this matters:
The recent Facebook furore, and the Article 29 Working Party's announcement that it will be turning its attention to targeted online advertising in the near future, arguably detract from the value of such advertising as a marketing tool. That said, there are a few simple measures marketers can take to reduce the risk of attracting unwanted regulatory attention and/or adverse publicity:
- Privacy policy: Provide a detailed, plain English privacy policy which is accessible on every page of the website. This should provide individuals with clear information about what information will be collected from them, how this will be used and what their rights are under UK data protection law;
- Cookie information: Ensure that there is a clear statement on your website explaining what cookies are, how they are used on your website, and how visitors can turn them off. This information should ideally be placed in your privacy policy. In terms of providing visitors with information about how to switch off cookie functionality, you may find it easiest to put this information in a separate online document and to link to this document from your privacy policy. This document can then be maintained and updated by your IT staff as new website browsers/versions are released, without requiring you to update your privacy policy on each occasion as well;
- Website functionality: Do not use cookie technology for the purpose of any website functionality other than providing targeted online advertising and shopping functionality. If users are unable to browse your website without accepting cookies, this could lead to visitor complaints and adverse publicity. Visitors should have a genuine choice to view your website with or without cookies;
- Sensitive personal data: Avoid using cookies to collect and/or store any sensitive personal data (such as racial origin, mental or physical health details etc.) for targeted marketing purposes. Any such use will require the explicit consent of the individuals concerned;
- Avoid advertising "bombardment": When used properly, targeted advertising can deliver benefits to both marketers and individuals alike; however, website visitors can very quickly develop advertising fatigue. It may sound obvious, but targeted advertising should be focussed and not excessive – bombarding visitors with targeted banner advertisements is likely to lead to complaints very quickly.