Watching the watchers – online behaviour and privacy

Recent developments in behavioural or personalised internet advertising have prompted much debate and press coverage. 

For example, it was reported in September last year that BT is to restart trials of Phorm’s Webwise, a system which tracks individuals’ online activities. 

By building detailed behavioural profiles based on individuals’ online activity, advertising can be much more highly targeted, thereby generating greater revenue.  

Two earlier secret trials of Webwise, conducted without the consent of participating individuals, prompted public outcry and a police investigation. 

Should individuals accept these new technologies in return for the benefits that they are claimed to provide, such as free web content and personalised advertisements that individuals may value, or should they be justifiably concerned about the possible infringement of their privacy rights?

Was US Congressman Joe Barton, who co-founded the Congressional Privacy Caucus, right when he said recently: “Businesses don’t send out gumshoes to track you around the shopping centre, and they shouldn’t be allowed to dog you around the internet, either”?

Targeted online advertising directs advertisements at individuals based on their previous online behaviour by tracking the searches they have conducted, the web pages visited and the content viewed. 

In cooperation with an individual’s ISP, the addresses and certain content of the websites that individual visits are profiled, and that information is then used to place the individual in defined advertising categories.

What does this mean in practice? 

Whereas traditional contextual advertising matches advertisements to the context of the page the individual is currently viewing (so travel advertisements appear when looking at travel websites and sports advertisements when looking at sports websites), behavioural advertising matches advertisements to an individual’s interests as determined by searches, visits and viewing over time. 

For example, put very simply, an individual who visits travel websites and then a sports website may see a travel advertisement even though the sports website has no travel content. 

Although only a minority of online advertisements are currently targeted, behavioural advertising is a fast-growing part of the online advertising industry.

The creators of these systems argue that, as the profiling will take place with the knowledge and agreement of the individual, there is no cause for any privacy concerns. 

According to Phorm, the profile is based on a unique ID allocated at random to each individual which is held only on their computer and by Phorm, with the result that the profiling and advertising occurs without knowledge of the identity of individuals. 

As a result, no “personal data”, within the meaning of the Data Protection Act 1998, are processed. However, most individuals’ understanding of privacy is wider than the rather restricted definitions of the Act so the fact that these systems may comply with individuals’ data protection rights to have their personal data processed fairly and lawfully in accordance with the Act may not be the full story. 

Data protection and privacy are not the same thing; there is other legislation which also plays a part in shaping notions of privacy and what constitutes a compromise of privacy rights.  

Take, for example, the Regulation of Investigatory Powers Act 2000. 

This prohibits the interception of communications without consent. Even if targeted online advertising complies with data protection legislation because no personal data are processed, the operation of such advertising may constitute the interception of an individual’s communication with a website, requiring the consent of both the individual and also the companies hosting the web pages visited by that individual.

In addition, the Privacy and Electronic Communications Regulations 2003 require individuals to be informed when a cookie is placed on their computers and to be given clear and comprehensive information about its purpose and the ability to refuse it. 

There is also the right to respect for private life under Article 8 of the European Convention on Human Rights. The case of Copland v. UK [2007] ECHR 253 confirmed that this right extends to respect for the privacy of internet usage.

There is similar state and federal legislation in the US but in both countries the regulators appear, at least in principle, to be willing to accept these new technologies. 

In the UK, the Information Commissioner has reviewed how Phorm operates and has concluded that it can operate in a way which complies with both the Data Protection Act and the Privacy and Electronic Communications Regulations. 

The Home Office has confirmed that it is questionable whether Phorm’s technology involves an interception within the meaning of the Regulation of Investigatory Powers Act and, even if it does, it could be argued that such an interception was not unlawful. 

Likewise, the City of London police found no evidence of illegal activity when investigating Phorm. 

In the US, the Federal Trade Commission has released a set of proposed principles to guide the development of self-regulation, and various advertising associations, including The American Association of Advertising Agencies, The Association of National Advertisers, The Direct Marketing Association and The Interactive Advertising Bureau, last month announced plans to collaborate on privacy standards for online behavioural advertising data.

What appears to be key to this regulatory acceptance is the obtaining of individuals’ fully informed opt-in consent and the ability of individuals to opt-out. 

Conversely, any attempt to conceal or even play down what is involved in behavioural advertising may well result in both regulatory and consumer disapproval. 

It is interesting, therefore, to note that BT’s website, when describing what Webwise is and how it works, states: “Webwise checks for known fraudulent websites and warns customers if they visit one, with no need to download or install any software.

It also replaces generic adverts on participating websites with adverts more relevant to customers’ interests, based on the web sites they visit and the things they search for.” 

Whilst the anti-fraud element may be true, it is certainly not the primary purpose of the system.  

Gaining and maintaining public confidence will be key to the success of these new advertising technologies. 

This may not always be easy as different people have different notions of, and expectations around, privacy, due to, for example, generational differences. 

Those using online behavioural advertising must be aware of and address such differences in attitude if they are going to reassure those concerned about privacy and persuade them to embrace these new advertising technologies.  

How companies go about gaining and maintaining confidence is currently up to them. Some organisations have adopted their own policies on behavioural advertising; AT&T, for example, has an Online Behavioral Advertising Pledge. 

However, it is clear that both the regulators and those concerned about privacy will be watching carefully and, if self-regulation does not deliver the required protections, specific legislation could be on the horizon.   

Ann Bevitt, Partner, and head of data privacy, Morrison & Foerster