Not long after an announcement that the leading EU data privacy regulators’ group would be closely scrutinising behavioural targeting/targeted online advertising in 2008, Facebook founder Mark Zuckerberg had to eat humble pie over its Beacon targeted advertising tool. What steps can UK marketers take to reduce regulatory risks in this increasingly popular area? Phil Lee reports.
Topic: Online Advertising
Who: Article 29 Working Party
Law stated as at: 10 December 2007
The Internet has proved a frustratingly blunt marketing tool to date. For years, the Holy Grail of advertising has been to develop the technology to deliver online advertising to website visitors that is specifically targeted to their individual likes and dislikes. Advances towards this panacea have indeed been made, and the use of targeted online advertising has become an increasingly popular tool. However, the growing use of such advertising has met with growing resistance from the public to the perceived intrusion into their online privacy rights and, now, has attracted the attention of the Article 29 Working Party.
Reuters reported last month that Gabriele Loewnau, head of the EU's Article 29 Working Party (the body responsible for overseeing data protection at an EU level), announced the Party's intention to concentrate on the "hot topic" of targeted online advertising in 2008. Hot on the heels of this announcement, Facebook's founder, Mark Zuckerberg, publicly apologised for the way Facebook had introduced its Beacon targeted advertising tool. Mr. Zuckerberg's announcement followed a public backlash over its use of the targeted online advertising technology, including a 50,000 member petition.
All of which begs the question is targeted website advertising regulated in the UK? The answer is yes – but perhaps not as well regulated as it might be.
Targeted website advertising and the law
The starting point for any issues concerning individual privacy rights in the UK is the Data Protection Act 1998 (the "Act"). The key requirement of the Act is that individuals must be provided with information about how their personal data will be used and, unless a legal basis for that processing exists under the Act, their consent must be sought for that processing. This applies in the context of targeted website advertising because such advertising is typically generated off the back of "cookies" stored on the individual's computer. Broadly speaking, "cookies" are small data files placed on an individual's computer by certain websites recoding, for example, what the individual looked at and/or bought when visiting that website. When the individual next visits the website in question, it can examine the cookie to determine his or her previous online behaviour during the last visit and tailor its advertising to meet his or her specific preferences.
It has since become common practice for marketers to address both the requirements of the Act and the PEC Regs through carefully drafted privacy policies, accessible on every page of their websites. The requirements of the Act and the PEC Regs have been echoed in the DMA Code of Practice and the Information Commissioner's Good Practice Note on collecting personal information using websites.
Why this matters:
The recent Facebook furore and Article 29 Working Party announcement that it will be turning its attention to targeted online advertising in the near future arguably detract from its value as a marketing tool. That said, there are a few simple measures marketers can take to reduce the risk of attracting unwanted regulatory attention and/or adverse publicity:
- Website functionality: Do not use cookie technology for the purpose of any website functionality other than providing targeted online advertising and shopping functionality. If users are unable to browse your website without accepting cookies, this could lead to visitor complaints and adverse publicity. Visitors should have a genuine choice to view your website with or without cookies;
- Sensitive personal data: Avoid using cookies to collect and/or store any sensitive personal data (such as racial origin, mental or physical health details etc.) for targeted marketing purposes. Any such use will require the explicit consent of the individuals concerned.
- Avoid advertising "bombardment": When used properly, targeted advertising can deliver benefits to both marketers and individuals alike; however, website visitors can very quickly develop advertising fatigue. It may sound obvious, but targeted advertising should be focussed and not excessive – bombarding visitors with targeted banner advertisements is likely to lead to complaints very quickly.