Online Behavioral Advertising: European Commission launches infringement proceedings against the UK

Following numerous complaints about the use of behavioral advertising technology by internet service providers, the European Commission (the “Commission”) launched infringement proceedings against the United Kingdom for an alleged failure to keep people’s online details confidential. The EU Telecoms Commissioner, Viviane Reding, has called upon the UK to change its national laws to ensure the confidentiality of communications by prohibiting interception and surveillance without the user's consent. If the UK does not comply, the Commission can issue a final warning before taking the UK to the European Court of Justice.

Legal Background
In the UK, those who collect and use data through behavioral advertising technology must comply with the Data Protection Act 1998 (as amended) (the “DPA”), as well as the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “Privacy Regulations”). In addition, any organization which chooses to “monitor” or “intercept” online communications must also comply with the Regulation of Investigatory Powers Act 2000 (“RIPA”) and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the “LBP Regulations”).

These legislative instruments implemented various EU Directives in the UK. Under Article 226 of the EC Treaty, the European Commission is responsible for ensuring that European Community law is correctly enacted into the local laws of individual Member States. If a Member State fails to comply with European Community law, the European Commission can bring infringement proceedings, and may ultimately refer the case to the European Court of Justice (the “ECJ”). Here, the European Commission has commenced infringement proceedings by issuing a formal notice to the UK. The UK has two months to respond or to comply voluntarily by amending the relevant legislation.

Phorm’s Advertising Tracker System
The debate began with the introduction of Phorm Inc.’s advertising tracker system which allows the company to track the identity and web habits of individual computers by tracing their unique Internet Protocol addresses.

Earlier this week a document was published on “Wikileaks” revealing that British Telecom (one of the UK’s leading telephone operators) had commenced a trial of Phorm’s system in 2006. British Telecom acknowledged in April 2008 that it had used Phorm without customer consent in 2006 and in 2007. The UK’s data protection authority, the Information Commissioner’s Office (the “ICO”), investigated British Telecom’s trial of the Phorm system.

In April 2008, the ICO published a response to the concerns voiced about the use of Phorm. Following several complaints from individuals and privacy experts, the ICO forced Phorm to require its customers to “opt-in” rather than “opt-out” of its use. In response to this, British Telecom reassured the ICO that its trial of Phorm did not permit customers’ web browsing activities to be monitored unless customers positively opted in to participate. British Telecom also confirmed that its use of Phorm does not store personally identifiable information, URLs or IP addresses or retain browsing histories, and that search information is deleted almost immediately and is not retrievable. This is also stated on Phorm’s website.

In practical terms, it appears that personal data is collected by Phorm but is subsequently anonymized.

Behavioral advertising technology is beneficial for both users and businesses as users discover more of what interests them and businesses find a more cost-effective way to communicate with users. Effective online advertising helps to create low barriers to online market entry which in turn facilitates competition and innovation.

Legal Implications
If the European Commission finds that the UK has not correctly implemented legislation which governs behavioral advertising technology, the UK will potentially need to amend the DPA, the Privacy Regulations and RIPA. In addition, the European Commission may insist that more effective sanctions be included in the UK legislation. Such amendments would undoubtedly result in significant changes in practices for UK online businesses, employers and social networking sites. Monitoring and interception practices will be restricted and “implied consent” may not be sufficient. The use of opt-in consent, currently required for direct marketing activities throughout Europe, may also be required as a precondition to the use of cookies, web beacons and user tracking systems which currently only require opt-out consent.

Hunton & Williams will provide updates on this blog on the status of these infringement proceedings and consider the potential implications, in particular for retailers and social networking sites, going forward.

Draft Bill to Require Disclosure of Online Behavioral Tracking

Behavioral targeting on the Internet has recently come under the scrutiny of lawmakers and privacy advocates. This increased interest has been triggered in part by Facebook’s and Google’s recent adoption of targeted advertising practices. In response to growing concerns over behavioral tracking, three U.S. congressmen are preparing a draft bill that would mandate the disclosure of monitoring practices for advertising purposes. The goal of the bill is to increase transparency and provide individuals with the opportunity to learn what information is being collected about them, by whom and how the information will be used. At present, there are suggested best practices set forth in the Federal Trade Commission’s (“FTC’s”) Staff Report on Self-Regulatory Principles for Online Behavioral Advertising. These Self-Regulatory Principles are designed to encourage industry self-regulation for the protection of consumer privacy in online advertising activities. The FTC is in the process of reviewing the privacy issues raised by online behavioral advertising over the course of the last decade. An FTC Town Hall meeting to address behavioral advertising practices was hosted in November 2007. In response to the comments received at the Town Hall meeting, the FTC issued Self-Regulatory Principles to promote industry self-regulation. If enacted, the proposed bill would frustrate industry’s nascent efforts to self-regulate in this area.

While there has been considerable discussion of online behavioral advertising, the placement of targeted ads on the Internet is not a new phenomenon. A number of well-known companies, including Yahoo! and Microsoft, have made use of the technology for years. Facebook has joined the bandwagon and notified advertisers that they could begin targeting ads to users based on language and location. A posting on Facebook’s company blog indicated that the location and language features represented a “huge upgrade for Facebook’s targeting.” The ability for advertisers to target specific users is significant given that Facebook recently announced that it expects to have 200 million users by the end of March 2009. Google also announced that it will begin interest-based advertising that provides users with ads based on the types of websites they visit. This service would supplement Google’s existing contextual advertising. As part of its approach to targeted ads, and perhaps to allay privacy concerns, Google will offer users an opt-out by downloading a browser-level plug-in to restrict the use of interest-based ads.

The FTC’s online behavioral advertising principles are available here.

German Social Networks Signed Code of Conduct

On March 11, 2009, the operators of Germany's leading social networks, which include "schuelerVZ," "studiVZ," "lokalisten" and "wer-kennt-wen," signed a 17-page Code of Conduct by the Association for Voluntary Self-Regulation of Multimedia Service Providers (the “Code”) in order to protect children and young people. The Code of Conduct aims to improve data protection and consumer protection in social networks and, in particular, to protect young people against harassment. The Code requires that a privacy notice be displayed directly after the registration process and that restrictive default settings be enabled for users under the age of 14. In addition, it must be possible to lock user profiles from search engines, and to block communication with other users. At prominent locations of the sites, features should be implemented to allow users to report irregular behavior and illegal content. The Code also states that sites may only use personal data for marketing and behavioral advertising if the user has been informed of this use of their data and has consented. Furthermore, any advertising material has to be clearly marked as such in accordance with the principle of separation of advertisement and content. The Code also contains a rule on blacklists and provisions regarding disclosure of data in response to law enforcement requests. The companies operating the aforementioned sites, studiVZ Ltd., Lokalisten Media GmbH and lemon line media Ltd. (wer-kennt-wen.de), have agreed to comply with the Code by the end of July 2009. The Code calls upon other social networks to sign it as well. The full text of the Code (in German) can be found here.

Federal Trade Commission Issues Behavioral Advertising Report

As part of its ongoing efforts to examine evolving internet marketing practices, earlier today the Federal Trade Commission released a report on self-regulation of online behavioral advertising.  This report analyzes the comments received from interested parties in response to proposed self-regulatory principles issued by the Commission in December 2007.  It covers a wide range of issues including the increasingly blurred line between personally identifiable information and non-personally identifiable information and the applicability of regulations to "first party" versus contextual advertising.
 
Links to the report and the concurring statements of Commissioners Harbour and Leibowitz, as well as FTC Congressional testimony on behavioral advertising, can be found here.