The past month has seen Europe adopt consent requirements for cookies, an IAB guide to “OBA”and the European Commission reject the UK’s defence of its e-privacy laws. Phil Lee reports on these and other key OBA developments over the past couple of years.
Topic: On-line advertising
Who: Information Commissioner's Office / Article 29 Working Party / European Commission / Federal Trade Commission /Internet Advertising Bureau
When: 2009
Where: UK
Law stated as at: 26 November 2009
What happened:
No single data privacy topic has attracted quite as much regulatory, commercial and press attention over the past year or so as online behavioural advertising ("OBA"). So, to help our Marketinglaw readers keep track, we thought it would be helpful to set out a timeline of the data privacy developments in this area (in reverse order – we know you like to see the most recent news first!):
November 2009: What a month for OBA news! In this single month:
• European legislators adopted new rules on website cookies, potentially requiring website operators to seek prior consent from visitors before using cookies (although the law is unlikely to come into force before 2011) – see our client alert available http://www.osborneclarke.com/publications/commercial/Alert/12424.asp;
• the Internet Advertising Bureau ("IAB") promptly proclaimed that online businesses need not worry on the basis that consent could be implied through users' website browser settings (although not everyone – including Osborne Clarke's data privacy experts – is convinced by this argument). Separately, the IAB also produced its guide to online behavioural advertising (available here) with a view to educating businesses and consumers alike about the potential benefits of OBA;
• meanwhile, the Ministry of Justice published a consultation on fines for data protection breaches, proposing to give the Information Commissioner's Office ("ICO") the ability to impose fines of up to £500k (ok, it's not strictly OBA related, but interested readers can find the consultation here); and
• finally, the European Commission announced that it would create a "Stakeholder Forum on Fair Data Collection" comprised of website publishers, advertisers, ad-networks to discuss data privacy issues arising out of online data collection. In the meantime, the European Commission also announced that it had rejected the UK's defence that UK e-privacy laws are not out of kilter with the Data Protection Directive (95/46/EC) (see April 2009 below for more details).
October 2009:
• The Office of Fair Trading announced that it would investigate the use of behavioural targeting to deliver individually-targeted prices and whether this could fall foul of consumer protection legislation. The investigation is due to conclude in Spring 2010. Further details can be found here.
• In light of the adverse regulatory, consumer and press attention it received, Phorm announced its intention to withdraw from the UK market for the time being and instead face on overseas markets, including Korea.
September 2009:
• A report by the University of Pennsylvania and the Berkeley Centre for Law and Technology concludes that 66% of US citizens do not want to be served with targeted advertising. This figure rose as high as 86% once behavioural targeting technologies were explained to them.
July 2009:
• As if the FTC's and the IAB UK's self-regulatory principles for OBA were not enough, the IAB in the US, in conjunction with the AAAA, ANA, BBB and DMA (US), produces its own set of self-regulatory OBA principles (available here). Like their UK equivalent (published in March 2009 – see below), these focus on consumer notice, choice and education.
April 2009:
• The European Commission instigates proceedings (see here) against the UK for improper implementation of the Data Protection Directive. The Commission decided to take action following the concerns raised about Phorm's use of deep packet inspection technology for OBA, and focuses on whether the Regulation of Investigatory Powers Act 2000 conflicts with individuals' rights to privacy enshrined in the Data Protection Directive.
March 2009:
• Osborne Clarke publishes its OBA survey assessing OBA legal compliance requirements and enforcement risk across more than 40 territories. Please e-mail Stephen Groom (stephen.groom@osborneclarke.com) or Phil Lee (phil.lee@osborneclarke.com) if you would like a copy of this.
• Hot on the heels of the FTC's self-regulatory principles (see February 2009), the IAB launches its "Good Practice Principles for Online Behavioural Advertising" (available here) which lay down requirements its signatories must meet when conducting OBA. The principles have seen been "unofficially" adopted by the wider advertising industry as setting out best practice standards for OBA, and place a particular emphasis on consumer notice, choice and education. At the same time, the IAB launched a website www.youronlinechoices.co.uk to educate users about OBA and how they can control it.
• In contrast to its opinion on Phorm (published in April 2008 – see below) requiring opt-in for OBA, ICO publishes a statement in support of Google's use of permanent opt-outs from its AdSense behavioural targeting technology. ICO's support of opt-outs in this instance appears to be based on the fact that Google's technology relies solely on cookies placed on end users' machines and not deep packet inspection.
February 2009:
• Across the pond, the US Federal Trade Commission ("FTC") publishes a set of "Self-Regulatory Principles For Online Behavioral Advertising" (available here). Commissioner Jon Leibowitz warns that "this could be the last clear chance to show that self-regulation can – and will – effectively protect consumers’ privacy in a dynamic online marketplace".
December 2008:
• Fifteen co-plaintiffs issued civil proceedings in the US District Court of Northern California against OBA technology user NebuAd and six ISPs with which NebuAd had worked. The claim cited NebuAd's use of deep packet technology for the purposes of OBA, allegedly without the plaintiffs' prior consent. In total, the plaintiffs claimed more than $5 million damages. NebuAd has since reportedly shut down.
April 2008:
• ICO wades into the Phorm debate and publishes its opinion that Phorm's use of deep packet inspection technology will require opt-in consent under the Privacy and Electronic Communications (EC Directive) Regulations 2003. The opinion has since been removed from ICO's website.
March 2008:
• This can be thought of as the month in which the OBA debate really kicked off. In this month, the news story breaks that Phorm conducted "secret" trials of its deep-packet inspection OBA technology on subscribers to BT's internet service without their knowledge. Much of the subsequent discussion, debate and regulation have their origins in this event.
Why this matters:
The above timeline only serves to illustrate what a high profile, complex and fast moving area of data privacy this is. The coming months look to be particularly interesting, with ICO set to publish a consultation on online data collection, the OFT to conclude its investigation in behavioural advertising and targeted pricing and the European Commission to progress its proceedings against the UK for improper implementation of the Data Protection Directive.
The debate has so far focussed on whether individuals should opt-in or opt-out of OBA technologies. Industry has endeavoured to move away from this language and talk instead of allowing users to exercise "choice", arguing that this is less jargonistic and therefore more meaningful to consumers (sceptics, on the other hand, argue it is simply a more palatable way of imposing an opt-out requirement on consumers). However, Europe's recent amendments to the Privacy and Electronic Communications Directive – which calls for website operators to obtain "consent" before placing cookies – has thrown the whole area into confusion once again, highlighting a clear tension between European regulators (who want opt-in) and industry (who wants opt-out).
The fact remains that, for the time being, the legal requirements for OBA are far from clear. To minimise risk, businesses are encourage to adopt a best practice approach and, wherever possible, obtain opt-in consent from consumers. Further advice can be sought from Osborne Clarke's experts in this area.