The internet has become an integral part of modern-day living, and with consumers increasingly looking to the web to meet their everyday needs, it’s no surprise that advertisers are taking advantage of the opportunity to market their products online. However, as with any advance in technology, the practice of online marketing is not without controversy, and in particular the practice of online behavioural advertising (OBA) has been the focus of negative media attention.
OBA is the collection and use of data recording internet users’ browsing habits in order to present online advertisements that are more relevant to the preferences of a particular user.
When a user visits a site, a small text file known as a ‘cookie’ may be placed in their browser by an OBA business. Whenever anyone then uses that browser to visit websites, the cookie collects information such as the pages visited, adverts clicked, or products purchased.
Using the information collected, the OBA business can allocate the viewing behaviour from a particular web browser to different “interest segments”, and will then serve adverts accordingly.
Naturally, concerns have arisen about the online activity of individuals being analysed in a way that is considered intrusive or inappropriate, and legislation has been implemented to address these concerns. Businesses wishing to engage in OBA must be conscious of the minefield of regulation they will need to navigate, and the potential negative publicity stemming from any failure to do so.
There are two pieces of legislation to consider:
(i) Data Protection Act 1998 (DPA)
(ii) Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended by the Privacy and Electronic Communications (EC Directive) Regulations 2011) (Cookie Regulations)
In addition, the Advertising Standards Authority’s UK Code of Non-Broadcast Advertising, Sales Promotions and Direct Marketing (known as the CAP Code) sets out rules to ensure that consumers are made aware of, and can exercise choice over, the collection and use of information for the purposes of OBA. The CAP Code is not strictly binding, but advertisers should be warned that non-compliance can have serious reputational consequences.
DATA PROTECTION
The overriding principle of the DPA is that an individual’s personal data must be processed fairly and lawfully. Generally, this means that individuals should be given notice about the use of their personal data and should have consented to such use. Personal data is defined as data relating to a living individual who can be identified from that data, either alone or in conjunction with other information held by the data controller.
Prior to collecting personal data, the DPA requires that individuals are provided with details of all personal data collected, including why it is being captured and who may use it, along with the identity of the organisation in control of processing this data.
Website operators generally deliver this information via an easy-to-access privacy policy on their website. Where personal data is to be used for OBA purposes, users should be given the opportunity to decline this use of their data by the inclusion of either an opt-in or opt-out tick-box.
COOKIE REGULATIONS
Businesses wanting to use cookies for the purposes of OBA need to ensure compliance with the Cookie Regulations, which state that cookies should not be placed unless the user "is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information" and "has given his or her consent".
Although guidance published by the Information Commissioner’s Office (ICO) stops short of definitive instructions on how to achieve compliance with the Cookie Regulations, it does suggest a number of approaches to obtaining consent, such as:
• pop-ups, banners or similar techniques asking for consent;
• webpage footers or headers which contain text and direct the user to read additional information in a privacy policy;
• landing pages which require a user to give consent before moving into the main site; or
• terms of use or terms and conditions. With this option, consent is given by the user when they first register or sign up to use a website.
Whilst there is no statutory definition of ‘consent’, the ICO guidance confirms that it can either be explicit or implied. Explicit consent would require opt-in consent to cookies being placed, whereas implied consent would simply require a user to be made aware of their use. If the user then continued to use the website without taking action to reject the cookies, they would be deemed to have impliedly consented to their use.
BEST PRACTICE
The possibility that data collected for OBA is ‘personal data’ within the scope of the DPA suggests that it would be best practice to obtain explicit consent from users prior to collection, for example by including a tick-box in a banner notice which provides information about cookies. However, it appears to be standard industry practice across the majority of websites and advertising networks to rely on implied consent by using a banner notice without any such tick-box. This is unlikely to be problematic where the data being collected is anonymous non-personal data.
In addition to obtaining consent, advertisers should also take care to comply with the requirements of the CAP Code, in particular by providing a link alongside advertisements served using OBA giving users information about the collection and use of their data and details of how to decline OBA.
By Kathryn Rogers, Commercial expert at Cripps Harries Hall.