Phorm has reportedly created the world’s first “privacy-friendly” behavioural marketing platform, something which is hotly disputed by privacy lobbyists pushing for Phorm to be criminalised. Now the Information Commissioner has waded into the argument. Phil Lee reports.
Who: Information Commissioner / Phorm
When: April 2008
Law stated as at: 21 April 2008
Phorm, it seems, cannot stay out of the news at present.
In one recent development, the behavioural marketing technology provider was apparently thrown a lifeline by the Information Commissioner's Office ("ICO") when it noted that Phorm's behavioural marketing platform, the Open Internet Exchange ("OIX"), did not appear to collect, store or use any personal data. So far, so good, but there was a sting in the tail.
The ICO went on to say that the OIX must nevertheless be offered on an opt-in basis, something Phorm would undoubtedly have been keen to avoid.
Phorm tie-ups with big brands
For the uninitiated, Phorm first hit the headlines in February when it announced the forthcoming rollout of its "privacy-friendly" behavioural marketing platform with certain partnering ISPs (among them, BT, Virgin Media and Talk Talk).
Faced with scepticism about the potential for any behavioural marketing platform to be privacy friendly, Phorm sought to ease public concerns by providing assurances that its platform did not collect any personally-identifiable information from end users; indeed, Hugo Drayton (Phorm's CEO) insisted that Phorm "is a significant benefit to the consumer".
The OIX, it explained, works by placing a cookie on end users' computers which is then assigned a randomly-generated number. The OIX tracks the websites visited by end users purely by reference to the random number they have been assigned (i.e. number 123456789 visited xyz.com) and records broad details of the products and services comprised in the content of those websites (but not details of the websites themselves e.g. number 123456789 is interested in cameras and holidays).
Numbers not people?
Phorm then uses this information to place targeted adverts in partnering websites that match the interests recorded against the end users' random number. By doing this, Phorm claims it only needs to maintain a list of random numbers assigned to end users together with the interests associated with those numbers – it does not need to collect any personally-identifiable information from any end users of the OIX platform. In addition, Phorm has also been keen to point out that it does not keep records of which websites have actually been visited by end users, simply a record of the general product/service categories to which those websites relate.
To Phorm's dismay, they soon discovered that privacy lobbyists were not so easily satisfied. Various groups continued to campaign for ICO to declare Phorm illegal. As a result of this growing pressure, ICO felt constrained to release a short press release, to the effect that it had received assurances from Phorm that its technology was designed to "enhance rather than intrude" individual privacy. Perhaps not surprisingly, this did little to assuage privacy groups' concerns.
ICO issues further statement
So, in a renewed attempt to address these concerns, the ICO released a further statement on 9 April. Whilst this still relied on assurances given by Phorm itself (rather than, say, an audit of Phorm's systems), it did provide an insight into ICO's thinking on Phorm's "privacy-friendly" behavioural marketing platform. In particular:
- No personal data. ICO clarified that, on the basis of Phorm's assurances, the OIX did not appear to process any personal data as defined by the Data Protection Act 1998. The significance of this is not to be underestimated – if true, Phorm may have succeeded in producing the first behavioural marketing tool to free marketers from the Data Protection Act restrictions generally faced when wishing to undertake behavioural marketing campaigns. ICO queried, however, whether ISPs themselves might still be processing personal data if, for example, they were able to link the information held by Phorm with an end user's IP address. Here ICO noted that Phorm had asserted that this was not possible.
- Unlawful interception. Interestingly, ICO refused to be drawn on whether the use of Phorm could constitute an "unlawful interception" of communications under the Regulation of Investigatory Powers Act 2000 ("RIPA"), leaving this to be decided by the Home Office. The Home Office had, ICO noted, provided Phorm with comfort that it is "questionable whether the use of Phorm's technology involves an interception within the meaning of RIPA and that even if it did that there would be an argument that such [an] interception was not unlawful".
- Opt-in vs. opt-out. Finally, and most significantly, ICO noted that the PEC Regs require consent from end users to the use of their traffic data (such as Internet browsing data) for the purpose of delivering value added services (such as targeted, behavioural advertising). ICO said "this strongly supports the view that Phorm products will have to operate on an opt in basis". This pronouncement will undoubtedly come as a blow to Phorm, which had previously announced its intention to operate on an opt-out basis.
Overall, ICO applauded Phorm's openness in submitting its systems for scrutiny and noted that it would keep Phorm's products "under review".
Why this matters:
Phorm has once again brought the privacy issues faced by behavioural marketers to the fore.
What ICO's statement serves to remind us of is that all behavioural marketing – even that which is reportedly "privacy friendly", such as Phorm – will generally be captured by the PEC Regs rules on cookies and use of traffic data and will often also fall within the remit of the Data Protection Act 1998.
The consequence of this is that most (if not all) online behavioural marketing will apparently need to operate on an opt-in basis (in order to use information about websites visited by end users), and this will place a significant limitation on the value of behavioural profiling as a marketing tool. However, the Article 29 Working Party (the EU body responsible for overseeing data protection at an EU level) has promised to review the area during the course of this year, so this may not be the end of the story by a long chalk!