Perhaps the only surprising thing about Google’s recent announcement that it plans to implement targeted behavioural advertising is why it took so long ?
Online behavioural advertising (OBA) delivers advertisements that are targeted to a user based on the user’s surfing behaviour. It is attractive because the conversion rates are said to be better than traditional contextual advertising, which displays ads based on the content of an individual page.
However, OBA raises considerable privacy concerns. As such it is highly controversial and has raised significant issues concerning its legality. Given that many on-line businesses rely on advertising revenues to support their businesses, and that OBA is gaining momentum as an advertising model, this is a crucial issue.
The main law that applies to OBA is the Data Protection Act (DPA) which regulates the collection and use of personal information. The use of electronic marketing and tracking devices such as cookies is subject to the Privacy and Electronic Communications Regulations (PECR). The criminal sections of the Regulation of Investigatory Powers Act (RIPA) are also relevant. When major ISPs such as BT and Virgin announced plans to trial OBA technology supplied by Phorm, there was considerable debate as to whether it was an illegal interception of communications under RIPA. This led to a referral to The City of London Police. While the Police decided to take no action, the issue continues to exercise privacy groups and regulators.
The regulators have so far been more open-minded about OBE than many privacy activists. The Home Office guidance in January 2008 concluded that, even if OBA technology could be said to “intercept a communication”, it would not be unlawful so long as the user has consented. Similarly, in April 2008, the UK Information Commissioner ruled that Phorm would be legal under the DPA so long as it is on an explicit opt-in basis. This was based on the Information Commissioner’s understanding that the system does not store personally identifiable information, URLs, IP addresses or retain browsing histories and that search information is deleted almost immediately, and is not retrievable.
In response to these issues, The Internet Advertising Bureau (IAB) and a number of key players involved with OBA, such as Google, Yahoo!, Microsoft, AOL and Phorm, recently launched a set of self-regulatory good practice principles on OBA which will come into effect on 4 September 2009.
The IAB principles are broader in scope than the DPA in that they cover the use of anonymous information as well as personal information. There are three core principles – notice, user choice and education.
Notice: Each signatory to the principles (referred to as a Member) agrees to provide a clear and unambiguous notice to users that it collects data for the purposes of OBA. This notice should include information about what types of data are collected, how these data are being used and how users can decline OBA.
User choice: Each Member agrees to provide an approved means for consumers to decline OBA (such as by using the Network Advertising Initiative Opt-out Tool) and ensure that this information is prominently displayed and easily accessible on its website. Each Member also agrees to obtain informed consent for the use of personally identifiable information, where required by law (ie under the DPA and PECR).
Education: Each Member agrees to make information available to educate users about OBA and ensure that this information is easily accessible. This information should be in an easily understandable language and a user friendly format (for example online video). Also, the IAB have set up a website www.youronlinechoices.co.uk to provide consumers with information and guidance on OBA.
These principles are pragmatic and will help to create an environment in which OBE becomes mainstream. Industry self-regulation, while imperfect, is certainly preferable to introducing more complex regulation which will only be quickly outpaced by developments in technology.