Behavioural advertising: selling close to the wind
Online behavioural advertising can be highly effective, but it raises many legal and privacy issues. In the end it is the users who police the advertisers and social networks
Written by Nigel Miller for Computing Magazine, 11 May 2010
Advertising is the backbone of the internet and the heart of many monetisation models. Traditional online advertising is contextual in the sense that the advert on a page relates to the content of that page. What is becoming more interesting to advertisers is online behavioural advertising (OBA), which delivers advertisements that are targeted to a user based on that person’s surfing behaviour. OBA is attractive because the conversion rates are said to be better than traditional contextual advertising.
However, OBA raises considerable privacy and other legal issues. As such it is highly controversial. Given that many online businesses rely on advertising revenue to support their businesses, and that OBA is gaining momentum as an advertising model, this is a crucial issue.
Regulation of Investigatory Powers Act (Ripa)
One of the more serious issues with OBA is whether it could be a criminal offence under Ripa. This act makes it illegal to intercept a communication in the course of its transmission and to make the contents of that communication available to someone. It’s easy to see how this applies to telephone tapping. However, browsing a web site also involves a “communication” between the user and the web site, via the user’s ISP, and so Ripa can also apply to interceptions of web browsing data.
Whether or not OBA involves an “interception” for the purposes of Ripa depends on precisely how the OBA technology works, as well as a detailed analysis of the complex provisions of the act.
One way to work around Ripa is to ensure that OBA technology is fully automated so that no human being has access to the contents of the “communication” for example, the contents of the web sites viewed or their web addresses. This would also mean that the log files are deleted on the fly or within a short space of time and are not retained in such a way that they could subsequently be made available to and reviewed by a person. Where the technology works in that way, the privacy of the user with regard to their browsing habits is protected.
Data Protection Act (DPA)
Much can be learned about a person by looking at their web browsing. This data can be very personal. It can also be very valuable to advertisers.
The DPA will be highly relevant to OBA even where the processing of the web browsing data is fully automated. This means that the processing must be in accordance with the data protection principles set out in the DPA.
The most important principle is to process data “fairly and lawfully”. This means that the OBA must be operated in a manner that is completely transparent to the user. The user must be given clear information about how the OBA system works and must consent to receive OBA. In reality this means an opt-in approach to OBA, whereas the industry will generally prefer that a user must opt out if they do not wish to receive OBA.
Privacy and Electronic Communications Regulations (PECR’s)
Where the OBA technology uses tracking devices such as cookies or uses traffic data (such as URLs and IP addresses), it is also subject to the PECR’s. For example, under the PECR’s, traffic data can only be processed for limited purposes. One of these is to provide “value-added services” to the subscriber. Can you be comfortable that an OBA service is a “value-added service”? It might be said that there is value to the user as, rather than receiving a generic advert, they are being served a more relevant one.
The obligations in the PECR’s are similar to those contained in the DPA. The user to whom the traffic data relates must give his or her prior consent to the processing. This is being reinforced by new EU rules on cookies and tracking devices to be introduced within 18 months, which will provide that a user must explicitly opt in to any web site that intends to use OBA techniques.
The regulators’ response
When major ISPs such as BT and Virgin announced plans to trial OBA technology supplied by Phorm, there was considerable debate as to whether it was an illegal interception of communications under Ripa. This even led to a referral to the City of London Police. While the police decided to take no action, the issue continues to exercise privacy groups and regulators.
In fact, the regulators have so far been much more open-minded about OBA than many privacy activists. Guidance from the Home Office in January 2008 concluded that, even if OBA technology could be said to “intercept a communication”, it is a legitimate business activity and would not be unlawful so long as it is undertaken with the highest regard for the privacy of the users and the protection of their personal data, and with the users’ consent.
Similarly, the UK Information Commissioner ruled that Phorm would be legal under the DPA so long as it is on an explicit opt-in basis. This was based on the Information Commissioner’s understanding that the system does not store personally identifiable information, URL’s, IP addresses or retain browsing histories and that search information is deleted almost immediately, and is not retrievable.
Meanwhile, in October 2009 the Office of Fair Trading (OFT) launched a market study. As well as covering OBA, the OFT is looking into customised pricing (prices tailored to you based on information collected on you via your internet use). The OFT report is due to be published this spring. The EU response is somewhat unclear. On the one hand it is threatening the UK with action for not having strict enough legislation to comply with the EU Directive on data protection. On the other hand, it has not yet worked out exactly what the position should be with regard to OBA.
Privacy activists are sceptical about the views of the regulators and call for specific legislation on OBA. They argue that the regulators’ assumptions about the way the technology works are not actually borne out by a detailed technical analysis.
In response to these issues, The Internet Advertising Bureau (IAB) and a number of key players involved with OBA, such as Google, Yahoo, Microsoft, AOL and Phorm, launched a set of self-regulatory good practice principles on OBA which came into effect on 4 September 2009. The IAB principles are broader in scope than the DPA in that they cover the use of anonymous information as well as personal information. There are three core principles notice, user choice and education.
Notice: users must receive a clear and unambiguous notice that a web site collects data for the purposes of OBA. This notice should include information about what types of data are collected, how it is being used and how users can decline OBA.
User choice: there must be a way for users to decline OBA (such as by using the Network Advertising Initiative Opt-out Tool) and information about this must be prominently displayed and easily accessible on the web site.
Education: information must be available and accessible to educate users about OBA. This information should be in an easily understandable language and a user-friendly format (for example online video). Also, the IAB has set up a web site to provide consumers with information and guidance on OBA.
While the ISP’s, advertisers, regulators and activists slug it out, consumers are becoming increasingly savvy. Most accept that there will be advertising on web sites that is in some way targeted at them. Most accept that their agreement to share some personal information with a responsible service provider is a fair price to pay for free content or a free service such as use of a social networking platform.
In reality, it is the users who police the advertisers and social networks. The users decide how far they can go and will certainly let a service provider know if the OBA or a change in privacy policies becomes overly intrusive or oversteps the mark in any way long before the regulators work out what has happened and what their response should be.